Risk = asset value × threat × vulnerability
Elements of Risk
- Assets (Normally represented as a monetary value, assets can be defined as anything of worth to an organization that can be damaged, compromised, or destroyed by an accidental or deliberate action. In reality, an asset’s worth is rarely the simple cost of replacement; therefore, to get an accurate measure of risk, an asset should be valued taking into account the bottom-line cost of its compromise. For example, a breach of personal information may not cause a monetary loss at first glance, but if it actually were realized, it likely would result in legal action, damage to the company’s reputation, and regulatory penalties. These consequences potentially would cause a significant financial loss. In this case, the asset-value portion of the equation would represent the personal information. The calculated value of the personal information would include an estimate of the cumulative dollar cost of the legal action, reputation damage, and regulatory penalties).
- Threats (A threat can be defined as a potential event that, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. Threats are generalized as a percentage, but two factors play into the severity of a threat: degree of loss and likelihood of occurrence. The exposure factor is used to represent the degree of loss. It is simply an estimate of the percentage of asset loss if a threat is realized).
- Vulnerabilities (Vulnerabilities can be defined as the absence or weakness of the cumulative controls protecting a particular asset. Vulnerabilities are estimated as percentages based on the level of control weakness. We can calculate control deficiency (CD) by subtracting the effectiveness of the control from 1, or 100 percent: CD = 1 − control effectiveness).
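The three elements above combine into a single calculation. The following Python is an added worked example (not part of the original notes and not from any named framework) that builds the asset value of the personal-information example from the bottom-line costs of a breach, applies the exposure factor and likelihood for the threat term, and derives the vulnerability term as control deficiency (CD = 1 − control effectiveness). Every dollar figure and percentage in it is a constructed sample value, not a figure from the text, and the function names are the example's own.

```python
"""Worked example of Risk = asset value x threat x vulnerability.

Added illustration; all figures are constructed for the example and the
function names are assumptions of this example, not a standard API.
"""
from dataclasses import dataclass


def _check_fraction(name: str, value: float) -> None:
    """Percentages in the formula are carried as fractions in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")


def asset_value_from_consequences(**consequence_costs: float) -> float:
    """Asset value = cumulative bottom-line cost of compromise, not replacement cost."""
    return float(sum(consequence_costs.values()))


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Degree of loss: the share of the asset's value lost if the threat is realized."""
    _check_fraction("exposure_factor", exposure_factor)
    return asset_value * exposure_factor


def control_deficiency(control_effectiveness: float) -> float:
    """Vulnerability term: CD = 1 - control effectiveness (100% effective -> CD 0)."""
    _check_fraction("control_effectiveness", control_effectiveness)
    return 1.0 - control_effectiveness


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float          # bottom-line cost of compromise
    exposure_factor: float      # degree of loss if the threat is realized
    likelihood: float           # probability the threat is realized (per period)
    control_effectiveness: float  # how well existing controls protect the asset

    def risk(self) -> float:
        """Risk = (asset value x exposure factor) x likelihood x control deficiency."""
        _check_fraction("likelihood", self.likelihood)
        degree_of_loss = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return degree_of_loss * self.likelihood * control_deficiency(self.control_effectiveness)


def personal_info_breach() -> RiskScenario:
    """The personal-information example with constructed sample figures."""
    value = asset_value_from_consequences(
        legal_action=400_000.0,        # constructed
        reputation_damage=250_000.0,   # constructed
        regulatory_penalties=350_000.0,  # constructed
    )
    return RiskScenario(
        name="breach of customer personal information",
        asset_value=value,          # 1,000,000
        exposure_factor=0.60,       # constructed: 60% of that cost incurred per breach
        likelihood=0.20,            # constructed: 20% chance per year
        control_effectiveness=0.75,  # constructed: current controls are 75% effective
    )


def compare_controls(scenario: RiskScenario, new_effectiveness: float) -> dict:
    """Show how improving a control lowers the vulnerability term, and so the risk."""
    improved = RiskScenario(
        scenario.name, scenario.asset_value, scenario.exposure_factor,
        scenario.likelihood, new_effectiveness,
    )
    before, after = scenario.risk(), improved.risk()
    return {"before": before, "after": after, "reduction": before - after}


if __name__ == "__main__":
    s = personal_info_breach()
    print(f"{s.name}: asset value ${s.asset_value:,.0f}, risk ${s.risk():,.0f}")
    print(compare_controls(s, new_effectiveness=0.90))
```

Running the script shows a risk of $30,000 for the sample scenario (1,000,000 × 0.60 × 0.20 × 0.25) and that raising control effectiveness from 75% to 90% cuts control deficiency from 0.25 to 0.10, reducing the risk to $12,000. The fraction checks are there because a control effectiveness above 100% or a negative likelihood would silently produce a negative or inflated risk figure.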
IT Risk Management Life Cycle
As with most methodologies, risk management, when applied properly, takes on the characteristics of a life cycle. It can be broken out into several phases beginning with identification of information assets and culminating with management of residual risk.