Quantitative Risk Analysis Step-By-Step
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
By
Ding Tan
December 2002
GSEC Practical Version 1.4b - Option 1
© SANS Institute 2003, As part of the Information Security Reading Room. Author retains full rights.
Table of Contents
1. Abstract (p. 3)
2. Introduction (p. 3)
3. Importance of Quantitative Risk Analysis (p. 4)
4. Quantitative Risk Analysis Procedure And Calculations (p. 5)
5. Assigning Values to Tangible Assets (p. 6)
6. Assigning Values to Intangible Assets (p. 7)
7. Estimating Potential Threat & Risk (p. 9)
8. Estimating The Potential Exposure Factor (p. 11)
9. Risk Analysis Data (p. 11)
10. Method of Data Interpretation (p. 15)
11. Overseas Risks And Threats (p. 16)
12. Laptop Security (p. 16)
13. Internet Threats / Issues (p. 17)
14. Conclusions (p. 18)
References (p. 20)
1. ABSTRACT
80% of the companies that participated in the FBI/CSI survey reported financial losses
due to security breaches. However, only 44% could quantify their actual losses
(Computer Security Institute). In addition, according to a survey conducted in Britain,
only 30% of UK businesses had ever evaluated the return on investment of their
information system security spending (PricewaterhouseCoopers). This paper is designed
to give IT professionals and security consultants an overall tool for planning,
formulating, and producing a quantitative risk analysis that includes all of the key
variables for management review. Because of the scarcity of reliable data, the diversity
of subject matter, the lack of a well-established methodology, and the unavoidable
subjectivity of the data, producing a quantitative risk analysis is difficult.
In this paper, the use of a centralized data table containing reference data and
estimating techniques for some of the key variables for determining risks and losses will
help to present a stronger case for security improvement to management. A discussion
of methods for the valuation of tangible and intangible assets will help to quantify the
largest information security risk in the U.S., which is theft of proprietary information
(Computer Security Institute). Additional focus is placed on important risk areas such
as internet security, overseas security concerns, and laptop security. This paper should
also help an IT security consultant to obtain new business through the creation of a
well-written quantitative risk analysis.
2. INTRODUCTION
According to the FBI/CSI 2002 study, even though 89% of the companies surveyed
have firewalls and 60% use intrusion detection systems (IDS), an alarming 40% of
those surveyed still detected intrusions from the outside (Computer Security Institute).
Does this mean their firewalls and IDS are not very effective against outside attacks? In
addition, 90% of those surveyed have anti-virus software, but 85% were still attacked
by worms, viruses, and other malicious code (Computer Security Institute). Does this
mean their anti-virus software is ineffective? The answer to these questions may lie in
the fact that existing IT security systems and security measures may not be enough
to withstand the growing attacks by criminals. A tremendous amount of technical
support and capital has to be invested to improve the overall security infrastructure.
The main problem then becomes: how can we justify the spending to protect our
information systems?
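The justification question above is what the expected-loss arithmetic behind quantitative risk analysis is meant to answer: an asset value (AV) and exposure factor (EF) give the single loss expectancy SLE = AV × EF, and multiplying by the annualized rate of occurrence (ARO) gives the annualized loss expectancy ALE = SLE × ARO. A safeguard is worth its cost when the ALE it removes exceeds what it costs per year. The following Python is an added example, not code from the paper; the scenario name, the dollar figures, the exposure factors, the ARO values and the control cost are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair expressed with the standard quantitative variables."""
    name: str
    asset_value: float       # AV: value of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float               # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce meaningless expectancies.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: dollar loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollar loss per year (SLE x ARO)."""
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a safeguard: the ALE it removes minus its yearly cost.

    A positive result means the spending is justified on expected-loss grounds;
    a negative result means the control costs more per year than it is expected to save.
    """
    return before.ale() - after.ale() - annual_cost


def rank_by_ale(scenarios: list[RiskScenario]) -> list[RiskScenario]:
    """Order scenarios so the largest expected annual loss comes first (what management reviews)."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample figures (hypothetical, not taken from the paper): a file server
# holding proprietary design documents, threatened by theft of information.
BEFORE = RiskScenario("file server / information theft",
                      asset_value=500_000, exposure_factor=0.4, aro=0.5)
# The same asset after adding encryption and access monitoring; the analyst estimates
# these cut both the fraction lost per incident and how often a loss actually occurs.
AFTER = RiskScenario("file server / information theft (with controls)",
                     asset_value=500_000, exposure_factor=0.1, aro=0.2)
CONTROL_ANNUAL_COST = 40_000.0   # constructed yearly cost of the added controls


if __name__ == "__main__":
    for s in (BEFORE, AFTER):
        print(f"{s.name}: SLE=${s.sle():,.0f}  ALE=${s.ale():,.0f}")
    net = safeguard_value(BEFORE, AFTER, CONTROL_ANNUAL_COST)
    print(f"net annual value of controls: ${net:,.0f} "
          f"({'justified' if net > 0 else 'not justified'})")
```

With the constructed figures the server's ALE falls from $100,000 to $10,000, so the $40,000-per-year control nets $50,000 in expected savings. The same three functions apply to any number of asset/threat pairs; ranking by ALE is what turns a list of worries into a prioritized case for management.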
The lack of a well-documented cost-benefit analysis of security improvement efforts
as part of the risk analysis campaign has contributed to the following issues:
• For security consultants, it is difficult to justify new business from a prospective
client when no risk analysis has been done to show the projected payback.