Third: Set a Target for Your Risk

In the previous two articles we have seen how to measure risk and how to reduce that risk. In this article we consider what the target value for that risk measurement should be. Once again we will use the Expert risk assessment technology to illustrate our ideas.

A standard threat profile

Threats can be categorised as being human or natural in origin. The former decompose into internal and external threats. (One way of thinking about this is whether the threat agent is on the payroll or not.) In turn each of these decomposes into opportunistic and premeditated attacks, and whether the attack is benign or malevolent in intent. Natural threats partition into "Acts of God" (such as tornadoes and earthquakes) and environmental failures (such as power supply failure). Each threat can be characterised in terms of how the threat agent might access the protected assets, and its motivation, capability and likelihood.

As we might imagine, there are typical values for each of these generic threat types, determined by consultation with experts and observation of real-life events. We will call this the "Standard Threat Profile" (STP). For any particular situation, we might argue that the STP requires modification to reflect actual circumstances. For example, in a downsizing operation, the internal threat due to disgruntled employees may increase. Likewise, the likelihood of natural disaster will vary according to geographical location. Moreover, we might want to define several variants of a given generic threat; for example, we may want to distinguish between fire and flood.

The STP is a reference point for risk determination. We can determine its value by setting the parameters for all threats to their default STP values and calculating the risk for the assets and components within the scope of our ISMS. If we recalculate this using the correct values for the threats, then the overall risk will be either greater or less than the reference value, indicating that a greater or lesser than "normal" threat exists. The diagram illustrates a case where the actual threats are less than the norm.

A standard asset profile

We can proceed similarly for assets. The diagram shows possible standard values for a variety of asset classifications. The dtiSECx markings refer to the UK Department of Trade and Industry's "unified classification markings", plus one (dtiSEC0) we invented with the DTI in April. The remaining markings reflect the usual military markings.

dtiSEC1 represents information which, if improperly disclosed (particularly outside an organisation), lost or found to be fraudulent, would be inappropriate and inconvenient. dtiSEC2 represents information to which any of these things happening would cause significant harm to the interests of the organisation; it includes personnel information and is therefore the asset value relevant to European Data Protection legislation. dtiSEC3 represents information for which, likewise, such an event could prove fatal to an organisation. The higher markings reflect damage to a nation, which is why they are ranked higher. dtiSEC0 represents information which we don't mind being wrong, given away or lost; in this sense, dtiSEC0 represents the "secure state". The relationship between all these asset values is logarithmic.

If we determine a reference risk based on actual vulnerabilities and the STP, with "James Bond" substituted for all assets, then we should be seeking a risk target of 14.5% of that reference given the actual threat profile and asset values. It all works something like this...
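The comparison of an actual risk figure against the STP reference, and against the 14.5% target, can be made concrete with a small toy model. The following is an added example, not code from the article or from the Expert tool: the threat categories and the logarithmic asset scale follow the text, but the STP numbers are constructed, the way likelihood, capability and asset value are combined into a single risk figure (a simple product, summed) is an assumption, and the index of the top "James Bond" marking (`TOP_LEVEL`) is an assumption too.

```python
"""Toy model of risk relative to a Standard Threat Profile (STP) reference.

Added illustration only. The combination rule (likelihood x capability x asset
value, summed) and every numeric default are assumptions, not the Expert method.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # assumed: probability of an attempt per period, 0..1
    capability: float  # assumed: probability an attempt succeeds, 0..1


# Constructed STP defaults. The generic categories follow the article
# (human: internal/external x opportunistic/premeditated; natural: Acts of God
# and environmental failure); the numbers are invented for illustration.
STP = {
    "internal_opportunistic": Threat("internal_opportunistic", 0.30, 0.50),
    "internal_premeditated": Threat("internal_premeditated", 0.05, 0.80),
    "external_opportunistic": Threat("external_opportunistic", 0.60, 0.20),
    "external_premeditated": Threat("external_premeditated", 0.10, 0.60),
    "act_of_god": Threat("act_of_god", 0.02, 1.00),
    "environmental_failure": Threat("environmental_failure", 0.10, 0.90),
}

TOP_LEVEL = 5  # assumed index of the highest ("James Bond") marking; dtiSEC0 is level 0
TARGET_FRACTION = 0.145  # the 14.5% of reference stated in the article


def asset_value(level: int) -> float:
    """Assumed logarithmic scale: each marking is ten times the harm of the one below."""
    if not 0 <= level <= TOP_LEVEL:
        raise ValueError(f"asset level must be in 0..{TOP_LEVEL}, got {level}")
    return 10.0 ** level


def risk(profile: dict, asset_levels: list) -> float:
    """Assumed combination rule: total threat exposure times total asset value."""
    exposure = sum(t.likelihood * t.capability for t in profile.values())
    return exposure * sum(asset_value(lvl) for lvl in asset_levels)


def risk_relative_to_stp(profile: dict, asset_levels: list) -> float:
    """Actual risk as a multiple of the STP reference for the same assets.
    > 1.0 means a greater-than-normal threat, < 1.0 a lesser one."""
    return risk(profile, asset_levels) / risk(STP, asset_levels)


def james_bond_reference(asset_levels: list) -> float:
    """Reference risk with the STP and every asset valued at the top marking."""
    return risk(STP, [TOP_LEVEL] * len(asset_levels))


def meets_target(profile: dict, asset_levels: list, fraction: float = TARGET_FRACTION) -> bool:
    """True when actual risk is at or below `fraction` of the James Bond reference."""
    return risk(profile, asset_levels) <= fraction * james_bond_reference(asset_levels)


def with_override(profile: dict, name: str, likelihood=None, capability=None) -> dict:
    """Return a copy of `profile` with one threat's parameters adjusted."""
    base = profile[name]
    adjusted = dict(profile)
    adjusted[name] = Threat(
        name,
        base.likelihood if likelihood is None else likelihood,
        base.capability if capability is None else capability,
    )
    return adjusted


if __name__ == "__main__":
    # Constructed scope: one asset each at dtiSEC1, dtiSEC2 and dtiSEC3.
    scope = [1, 2, 3]
    # Downsizing scenario from the article: raise the premeditated insider likelihood.
    downsizing = with_override(STP, "internal_premeditated", likelihood=0.25)
    print(f"STP reference risk      : {risk(STP, scope):.1f}")
    print(f"risk relative to STP    : {risk_relative_to_stp(downsizing, scope):.3f}")
    print(f"meets 14.5% target      : {meets_target(downsizing, scope)}")
```

Because the exposure and asset terms factor apart in this toy rule, the ratio to the STP reference depends only on how the threat parameters changed, which is exactly the "greater or less than normal" reading the article gives the diagram; the James Bond reference, by contrast, fixes the assets at the top marking so that the target scales with the size of the scope rather than its sensitivity.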
17 January, 2003