
The extent (for denial/delay forms of loss), or percentage of the value of affected assets (for all other forms of loss), that would be experienced as a result of the realization of a particular threat.
1.3 Risk Analysis Methodology
The automated risk analysis program is based on a standardized methodology which has been developed through the collective experiences and expertise of security consultants and analysts that have actually performed a multitude of risk analyses.
In accordance with this methodology, members of the analysis team familiarized themselves with the physical facilities, overall organizational structure, and the integration of the data processing system into the structure of the organization. Following a study of the working relationships within the organization, a project plan was prepared. A list was made of all the organizational elements which either support or draw support from the system under analysis. Work assignments were then made for the team members to assess the threats to the data processing system.
The team then collected all readily identifiable data necessary for a quantitative risk assessment. Included were computerized lists of assets, floor plans, etc., and documentation on policies and procedures.
After the collected data was analyzed, the function of each component of the organization was identified and the mission of the organization was defined. As a result of this analysis, the critical components of the organization were discovered and analyzed in depth.
From the data collected, an organizational resource structure was identified for all assets (both tangible and intangible) used either directly or indirectly, in support of the organizational mission tasks and functions. The assets were classified according to their criticality, sensitivity, or use within the organization.
A number of questionnaire diskettes were prepared and distributed to SpecOrg and NAME employees, and to NAME and non-NAME users of the SpecOrg data center, to identify any vulnerabilities that may be present at the data center.
Based on an examination of the organization's related functions and assigned resources, a list of applicable threats was developed. Each threat listed could, if realized, cause a significant loss of organizational assets, and consequently, a significant loss of the ability to carry out some facet of the mission.
To analyze the vulnerabilities, an analysis was made of each asset, and the threats which could act against it. For each asset/threat/vulnerability combination, a determination was made and a numerical value was assigned which represented the actual percentage of the value of the asset which is exposed and subject to loss if the threat were to occur. Given the value of the asset and the percentage of that value exposed to each threat, a computation was made of the loss which could be expected for each occurrence of the threat - regardless of the likelihood that the threat would occur.
For each of the threats identified as applicable, the adequacy of the protection afforded by existing controls and safeguards was assessed based on responses to the RiskWatch questionnaires.
Given the nature of the threats previously identified, a determination was made (by conducting extensive research of many databases, both automated and manual) of each threat's frequency of occurrence within any given year. The determination of these factors involved both data collected from within the organization through the questionnaire evolution, and various databases obtained from over 100 sources by a variety of access modes, from direct on-line to mag-tape copies, microfiche or hard copy media. The data were then analyzed by statistical routines to obtain the mean, standard deviation, confidence interval, and dependent variables acting as maximizing factors. Multiplying the value of each asset by its vulnerability exposure to each threat which might affect it gave the estimated loss per occurrence for the asset. This estimate was multiplied by the Annual Frequency Estimate of the threat to obtain the Annual Loss Expectancy (ALE) for the asset, threat, and vulnerability combination.
The estimated loss per occurrence and the Annual Loss Expectancies attributed to the various assets affected by a given threat were summed and an analysis was made of the impact such a threat occurrence would produce. The analysis involved evaluating details relating to the physical and logical interrelationships of all the components, both within and outside the organization, which would be affected. The result of this analysis was a realistic impression of the snowball effect that the threat could produce.
The figures produced represent the total direct and indirect losses which could be anticipated by all parties, both within and associated with the organization.
A series of safeguards was then identified to address each threat with a high percentage of occurrence.
In each case, recommended additional safeguards had to be cost-effective, unless they were specifically required by law, regulation, or contractual agreement. The cost of implementing and operating the safeguard had to be less than the reduction in the ALE associated with the threats against which the safeguard was effective, unless specifically required by law. Costs and savings were amortized over the lesser of the estimated safeguard, system, or facility life cycles.
Money to be spent or saved in future years was discounted to reflect its value at the present time by using discount factors based on the inflation-adjusted cost-of-capital rate of 10%.
Multiple effects -- that is, the reduction of more than one ALE, from more than one threat, by a single additional safeguard -- were evaluated by analyzing the difference in ALE of all affected threats.
After applying these analytical techniques to the costs and savings associated with each proposed additional safeguard and the ALEs which it affected, a savings figure, normalized to the present time, was obtained to assist management in deciding whether or not to implement the recommended additional safeguard.
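The arithmetic described in this section, from loss per occurrence through ALE to the discounted savings figure for a safeguard, can be followed in the added example below; it is not part of the report or of RiskWatch. The asset names, values, frequencies, safeguards and ALE-reduction fractions are constructed, and discounting at the end of each year is an assumption.

```python
from dataclasses import dataclass

DISCOUNT_RATE = 0.10  # inflation-adjusted cost-of-capital rate from the methodology

@dataclass
class Exposure:
    asset: str
    threat: str
    asset_value: float       # value of the asset, currency units
    exposed_fraction: float  # share of the value lost per occurrence (0..1)
    annual_frequency: float  # Annual Frequency Estimate of the threat

    @property
    def loss_per_occurrence(self) -> float:
        return self.asset_value * self.exposed_fraction

    @property
    def ale(self) -> float:
        return self.loss_per_occurrence * self.annual_frequency

@dataclass
class Safeguard:
    name: str
    initial_cost: float
    annual_cost: float
    life_years: int
    ale_reduction: dict  # threat -> assumed fraction of that threat's ALE removed

def annual_ale_reduction(sg, exposures):
    # Multiple effects: one safeguard may lower the ALE of several threats.
    return sum(e.ale * sg.ale_reduction.get(e.threat, 0.0) for e in exposures)

def present_value_savings(sg, exposures, system_life, facility_life,
                          rate=DISCOUNT_RATE):
    # Amortize over the lesser of the safeguard, system and facility lives.
    years = min(sg.life_years, system_life, facility_life)
    net_annual = annual_ale_reduction(sg, exposures) - sg.annual_cost
    annuity = sum(1 / (1 + rate) ** y for y in range(1, years + 1))
    return net_annual * annuity - sg.initial_cost

# Constructed sample data (not taken from the report).
EXPOSURES = [
    Exposure("Mainframe", "Fire", 1_000_000, 0.40, 0.05),
    Exposure("Tape library", "Fire", 200_000, 0.80, 0.05),
    Exposure("Mainframe", "Water damage", 1_000_000, 0.10, 0.10),
]
SUPPRESSION = Safeguard("Gas suppression", 60_000, 2_000, 15,
                        {"Fire": 0.75, "Water damage": 0.50})
GUARD_POST = Safeguard("24h guard post", 10_000, 30_000, 15, {"Fire": 0.10})
```

A positive result from `present_value_savings` means the safeguard passes the cost-effectiveness test described above; a negative one means it would be recommended only if law, regulation or contract required it.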