Assessing Business Risk
June 2, 2009
Business risk, for the purposes of A Simple Security Risk Assessment, is the input provided by the Business Unit; it incorporates the value and criticality of the Information Assets to business operations. A Business risk value is usually assigned to each application rather than to each server or configuration item (unlike Technical risk, which is assigned to each configuration item).
Financial impact is currently not considered simple and has been omitted from A Simple Security Risk Assessment; however, it may be necessary for your organisation, in which case you could use Annual Loss Expectancy (ALE) as a benchmark. ALE does not normally provide a precise calculation of the expected loss, only an indication over time of whether expected loss is going up or down.
To calculate ALE, an Asset Value would need to be assigned to each application. The Asset Value is then multiplied by an Exposure Factor (based on Technical Risk Impact) to arrive at a Single Loss Expectancy, which is in turn multiplied by the Annual Rate of Occurrence (based on Technical Risk Likelihood).
Without Information Asset valuations from Business Units, and to minimise complexity in A Simple Security Risk Assessment, the following items may be taken into consideration when calculating Business risk.
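The ALE chain described above, worked through as an added example (not code from the original article). The tables that map a Technical Risk Impact rating to an Exposure Factor and a Technical Risk Likelihood rating to an Annual Rate of Occurrence are assumptions chosen for illustration, as are the asset values; the `trend` helper shows the only use the article claims for ALE, which is comparing it over time.

```python
"""Annual Loss Expectancy (ALE) worked through in the article's terms.

Added example, not part of the original article. The tables mapping a
Technical Risk Impact rating to an Exposure Factor and a Technical Risk
Likelihood rating to an Annual Rate of Occurrence are assumptions chosen
for illustration; substitute your organisation's own figures.
"""
from dataclasses import dataclass
from typing import Dict

# Assumed: fraction of the Asset Value lost in a single incident, by Impact rating.
EXPOSURE_FACTOR: Dict[str, float] = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
# Assumed: expected number of incidents per year, by Likelihood rating.
ANNUAL_RATE_OF_OCCURRENCE: Dict[str, float] = {"Low": 0.1, "Medium": 1.0, "High": 4.0}


@dataclass(frozen=True)
class LossEstimate:
    """One application's loss figures, keeping every intermediate value for review."""
    application: str
    asset_value: float
    exposure_factor: float
    single_loss_expectancy: float
    annual_rate_of_occurrence: float
    annual_loss_expectancy: float


def _lookup(table: Dict[str, float], name: str, rating: str) -> float:
    """Resolve a Low/Medium/High rating; reject anything outside the table."""
    if rating not in table:
        raise ValueError(f"{name}: expected one of {list(table)}, got {rating!r}")
    return table[rating]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is a fraction in [0, 1])."""
    if asset_value < 0 or not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("asset value must be >= 0 and exposure factor within [0, 1]")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annual Rate of Occurrence."""
    if aro < 0:
        raise ValueError("annual rate of occurrence must be >= 0")
    return sle * aro


def estimate(application: str, asset_value: float, impact: str, likelihood: str) -> LossEstimate:
    """Run the full chain: Asset Value -> SLE (via Impact) -> ALE (via Likelihood)."""
    ef = _lookup(EXPOSURE_FACTOR, "Technical Risk Impact", impact)
    aro = _lookup(ANNUAL_RATE_OF_OCCURRENCE, "Technical Risk Likelihood", likelihood)
    sle = single_loss_expectancy(asset_value, ef)
    return LossEstimate(application, asset_value, ef, sle, aro, annual_loss_expectancy(sle, aro))


def trend(previous: LossEstimate, current: LossEstimate) -> str:
    """ALE is a benchmark over time: report whether expected loss is rising, falling or flat."""
    if current.annual_loss_expectancy > previous.annual_loss_expectancy:
        return "rising"
    if current.annual_loss_expectancy < previous.annual_loss_expectancy:
        return "falling"
    return "flat"


if __name__ == "__main__":
    # Constructed figures: a CRM application valued at 250,000 before and after
    # a control lowered its Technical Risk Likelihood from High to Medium.
    before = estimate("CRM", 250_000.0, "Medium", "High")
    after = estimate("CRM", 250_000.0, "Medium", "Medium")
    print(before)
    print(after)
    print("Expected loss is", trend(before, after))
```

The intermediate values are kept on the record deliberately: when a Business Unit questions an ALE figure, the argument is almost always about the Exposure Factor or the rate of occurrence, not the multiplication, so both should be visible rather than folded into a single number.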
Criticality
- Low (1) – Desirable infrastructure and applications
- Medium (2) – Necessary infrastructure and applications
- High (3) – Critical infrastructure and applications
Environment
- Low (1) – Development environment
- Medium (2) – Pre-Production environment
- High (3) – Production environment
Information Classification
- Low (1) – Unclassified and/or unmarked
- Medium (2) – Proprietary or In Confidence
- High (3) – Confidential or Secret
Compensating controls
- Low (1) – Full (preventative control)
- Medium (2) – Partial (detective control)
- High (3) – None
Business risk chart

Example
In this example it has been assumed that the server being reported is a Production system and is Critical to business operations. The table demonstrates the input required from the Business Unit in order to combine Business risk with Technical risk into an Overall risk value that can be grouped by host and/or by application.
- Server name: SERVER01
- Application name: CRM
- Environment: Production
- Criticality: Critical customer-facing application
- Business Risk: 9
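The four rating lists above and the SERVER01/CRM row, captured as an added example (not the article's own worksheet). The Business risk chart image is not present in this copy of the article, so the rule used here to combine the ratings, multiplying the Criticality rating by the Environment rating, is an assumption; it is chosen because 3 x 3 reproduces the article's Business Risk of 9 for a Critical application in Production. The Information Classification and Compensating controls ratings are carried in the record unchanged so they are available when Business risk is later combined with Technical risk. The sample rows other than SERVER01 are constructed.

```python
"""Business risk rating for the four inputs listed in the article.

Added example, not the article's own worksheet. The article's Business risk
chart did not survive in this copy, so combining Criticality and Environment
by multiplying their ratings (3 x 3 = 9 for the SERVER01/CRM example) is an
assumption that reproduces the article's figure. The Information Classification
and Compensating controls ratings are carried in the record unchanged so they
are available when Business risk is later combined with Technical risk.
"""
from typing import Dict, Iterable, List

# Ratings exactly as listed in the article (Low = 1, Medium = 2, High = 3).
CRITICALITY = {"desirable": 1, "necessary": 2, "critical": 3}
ENVIRONMENT = {"development": 1, "pre-production": 2, "production": 3}
INFORMATION_CLASSIFICATION = {
    "unclassified": 1, "unmarked": 1,
    "proprietary": 2, "in confidence": 2,
    "confidential": 3, "secret": 3,
}
# A full preventative control rates lowest; no control at all rates highest.
COMPENSATING_CONTROLS = {"full": 1, "partial": 2, "none": 3}


def rate(table: Dict[str, int], factor: str, value: str) -> int:
    """Look up a Low/Medium/High rating (1-3); reject values not in the article's lists."""
    key = value.strip().lower()
    if key not in table:
        raise ValueError(f"{factor}: unknown value {value!r}; expected one of {sorted(table)}")
    return table[key]


def business_risk(criticality: str, environment: str) -> int:
    """Chart value: Criticality rating x Environment rating (assumed rule; range 1-9)."""
    return rate(CRITICALITY, "Criticality", criticality) * rate(ENVIRONMENT, "Environment", environment)


def business_risk_record(server: str, application: str, environment: str,
                         criticality: str, classification: str = "Unclassified",
                         controls: str = "None") -> Dict[str, object]:
    """The Business Unit input row for one server/application pair."""
    return {
        "server": server,
        "application": application,
        "environment": environment,
        "criticality": criticality,
        "information_classification": rate(
            INFORMATION_CLASSIFICATION, "Information Classification", classification),
        "compensating_controls": rate(COMPENSATING_CONTROLS, "Compensating controls", controls),
        "business_risk": business_risk(criticality, environment),
    }


def highest_risk_by_application(records: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Group rows by application, keeping the highest Business risk seen for each.

    Business risk belongs to the application, so when one application spans
    several hosts the application inherits its most exposed host's value.
    """
    result: Dict[str, int] = {}
    for row in records:
        app = str(row["application"])
        result[app] = max(result.get(app, 0), int(row["business_risk"]))
    return result


# Constructed sample rows; SERVER01/CRM is the article's own example.
SAMPLE_ROWS: List[Dict[str, object]] = [
    business_risk_record("SERVER01", "CRM", "Production", "Critical", "Confidential", "Partial"),
    business_risk_record("SERVER02", "CRM", "Pre-Production", "Critical"),
    business_risk_record("DEV01", "Intranet", "Development", "Desirable"),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row)
    print(highest_risk_by_application(SAMPLE_ROWS))
```

Rejecting values outside the article's lists matters more than it looks: Business Unit spreadsheets tend to grow free-text entries such as "Critical-ish" or "Prod", and a silent default of Low would quietly understate risk for exactly the systems that matter most.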
A Simple Security Risk Assessment
This article is part of a five part series on A Simple Security Risk Assessment:
1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk