CHAPTER 62

RISK ASSESSMENT AND RISK MANAGEMENT

Robert V. Jacobson

62.1 INTRODUCTION TO RISK MANAGEMENT

62.1.1 What Is Risk?

62.1.2 What Is Risk Management?

62.1.3 Applicable Standards

62.1.4 Regulatory Compliance and Legal Issues

62.2 OBJECTIVE OF A RISK ASSESSMENT

62.3 LIMITATIONS OF QUESTIONNAIRES IN ASSESSING RISKS

62.4 MODEL OF RISK

62.4.1 Two Inconsequential Risk Classes

62.4.2 Two Significant Risk Classes

62.4.3 Spectrum of Real-World Risks

62.5 RISK MITIGATION

62.5.1 ALE Estimates Alone Are Insufficient

62.5.2 What a Wise Risk Manager Tries to Do

62.5.3 How to Mitigate Infrequent Risks

62.5.4 ROI-Based Selection Process

62.5.5 Risk Assessment/Risk Management Summary

62.6 RISK ASSESSMENT TECHNIQUES

62.6.1 Aggregating Threats and Loss Potentials

62.6.2 Basic Risk Assessment Algorithms

62.6.3 Loss Potential

62.6.4 Risk Event Parameters

62.6.5 Threat Effect Factors, ALE, and SOL Estimates

62.6.6 Sensitivity Testing

62.6.7 Selecting Risk Mitigation Measures

62.7 SUMMARY

62.8 FURTHER READING

62.9 NOTES

62.1 INTRODUCTION TO RISK MANAGEMENT

62.1.1 What Is Risk?

There is general agreement in the computer security community with the common dictionary definition: “the possibility of suffering harm or loss.” The definition shows that there are two parts to risk: the possibility that a risk event will occur, and the harm or loss that results from occurrences of risk events. Consequently, the assessment of risk requires consideration of both factors: the frequency of threat events that ...
