Risk Management

Course
7.3/10 (3 votes)
Field: English
Contains 1 file: pdf
Pages: 10 in total
Words: 5153
Size: 30.82KB (archived)
Published by: Dragomir Văduva
Points required: 0
Supervising professor / Presented to professor: James W Meritt

Excerpt from the course

To believe the news media, there are a host of cruel and omnipotent hackers out there who can totally destroy any system they set their minds to, spreading total devastation upon whoever and wherever they wish. The slightest freak of nature - heavy rain, a fire, a date on a calendar - can wipe any system out entirely. This is not the case: the devastation is not total, the destruction is not complete, and there are countermeasures which can be brought to bear to avoid this disastrous outcome.

Introduction

There are a number of very real risks to information systems, but they are not absolute. There is a chance of any system being subject to attack, but it isn't certain. You are not subject to the whims of the attacker or of nature; there are many things which can be done to mitigate the losses.

Risk management is the total process of identifying, measuring, and minimizing uncertain events affecting resources. This paper was written to help in the objective analysis of the risk management process.

Evaluating What Is At Risk

Every asset has an associated cost. The cost of physical assets should be at least the replacement cost, which should also include inflation rates. Categories that should be considered are:

Facilities: All buildings, air conditioning, furnishings and other support equipment. Excludes any asset more properly classifiable in another asset category. Think of things like "fire" or "flood". Other possibilities include earthquakes, bombs and chemical contamination that causes the EPA to close the facility. The cost associated with computing resources can be taken as the cost to run the resource for a given time period, or estimated from the time required to rebuild/compile, test and re-install.

Equipment: All information system equipment located in the contiguous area. Does NOT include equipment that would NOT be lost, say, in a fire that completely destroys the computer facility, such as relay equipment under a manhole cover or mounted on a telephone pole outside of the facility. This covers everything that you had to buy and install in the center; you should be able to get the purchase price easily. Also check the maintenance agreement - there may be some proviso in there amongst the warranty information.

Software: All programs and documentation that would be lost if the computer facility were completely destroyed. This can be broken down into:

Commercial - You bought it, so you can consult your receipt. Check the warranty information, because it may be replaced for free in the event of disaster.

Proprietary - You developed it yourself. How much would it cost to re-create it?

Records and Files: All magnetic media data files that would be lost if the facility were completely destroyed. Simply count and multiply. The information content of those items is covered next.

Data and Information: An arbitrary value methodically applied to represent the value of all data and information maintained in the computer facility, including any losses that might occur were the data compromised but not necessarily destroyed.

For estimating the costs of the data itself, talk to the information owners: find out how much time and resources would be required to replace it (if they need to replace it all). Cost time and resources - the procurement department should be able to cost staff time when needed. One measure is the labor needed to recreate it. To this should be added the "opportunity cost" - the money unearned because one is busy recreating instead of proceeding with other business. Try to estimate the impact on the business by asking questions such as: "Can you do your work without this data? If not, can the company operate without revenue until you get the information back?" and so on. Estimate the cost of this impact (taking into account intangibles such as loss of business, loss of reputation, etc.). Internal/external auditors should be able to help do the cost estimating.

Information results from the processing of data. Although there are ways to quantify and characterize data, measuring the value of information is more difficult. Often a small amount of information will have greater value than large amounts of other information. The need to design cost-effective information protection architectures adds new urgency to this classic problem. There is no one metric that applies to all circumstances, but an approach using multiple metrics, each looking at one aspect, can still be useful. Although it would be nice to have a simple way of assigning an absolute value to information, it may be more useful to assess value relative to some context, including the uses that are to be made of it as well as the actions of competitors or enemies.
