= the impact of disclosure of confidential information; it can be of various types: Embarrassment (exposes the inappropriate behavior of company management), Competitive advantage (loss of competitive advantage due to exposure), Legal/regulatory (cost of law violations) or General (other losses related to data sensitivity)
- Volume or quantity of the asset
2. Threat loss factors:
- Competence: the amount of damage the threat agent is able to inflict
- Action of the Threat Agent on the Asset:
  - Access (read the data without proper authorization)
  - Misuse (use the asset without authorization and/or differently from the intended usage)
  - Disclose (the agent lets other people access the data)
  - Modify (data or configuration modification)
  - Deny access (preventing legitimate intended users from accessing the asset)
- Internal vs. External: threat agent affiliation
3. Organizational Loss Factors:
- Timing of the attack
- undertaken by the organization
- Response of the organization with regard to:
  - Containment (the ability to limit the breadth and depth of an event)
  - Remediation (the ability to remove the threat agent)
  - Recovery (the ability to bring things back to normal)
- Detection of the threat in due time
4. External Loss Factors:
- Detection of the event by external entities
- Legal / Regulatory: fines or judgments imposed by regulation, contract law or case law
- taking advantage of the situation
- Media
- taking their business elsewhere
A complete overview of the decomposition of Risk as proposed by the FAIR taxonomy is shown in Figure 4.1 on page 59. One notable difference between FAIR and most other conceptual models is that FAIR views "Vulnerability" as a probability ("that the force applied by the threat exceeds the strength of the available controls") rather than as "a weakness that may be exploited". In FAIR, the weakness is defined as a "Potential Vulnerability", with the actual Vulnerability depending on the particular Threat and its capabilities.
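The following Python block is an added illustration of this distinction and is not code from the report or from FAIR's own material: it treats Vulnerability as P(threat capability > control strength), expressing both on a 0-100 percentile scale as FAIR does, so that one control strength (the "Potential Vulnerability") yields a different actual Vulnerability per threat community. The threat communities and their capability distributions are constructed sample values, and the Loss Event Frequency helper uses FAIR's definitional relation LEF = Threat Event Frequency x Vulnerability.

```python
"""Added example: FAIR-style Vulnerability as a probability, not a weakness.

Threat Capability and Control Strength are both percentiles (0-100) of the
overall threat population, as in FAIR. Threat Capability is given here as a
discrete probability mass function over that scale (illustrative model).
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ThreatCommunity:
    name: str
    # Probability mass over capability percentiles; must sum to 1.0.
    capability_pmf: Dict[int, float]


def vulnerability(threat: ThreatCommunity, control_strength: int) -> float:
    """P(threat capability > control strength) for one threat community.

    control_strength is the percentile of the threat population the controls
    are expected to resist; a capability strictly above it defeats them.
    """
    if not 0 <= control_strength <= 100:
        raise ValueError("control_strength must be a percentile in 0..100")
    total = sum(threat.capability_pmf.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"{threat.name}: capability_pmf sums to {total:.3f}, not 1.0")
    exceeding = sum(p for cap, p in threat.capability_pmf.items() if cap > control_strength)
    return round(exceeding, 4)


def loss_event_frequency(threat_event_frequency: float, vuln: float) -> float:
    """FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability."""
    return threat_event_frequency * vuln


# Constructed sample threat communities (hypothetical numbers, not FAIR data).
OPPORTUNIST = ThreatCommunity("opportunistic attacker", {20: 0.5, 40: 0.3, 60: 0.2})
ORGANISED = ThreatCommunity("organised crime group", {40: 0.2, 60: 0.3, 80: 0.4, 95: 0.1})

if __name__ == "__main__":
    control_strength = 50  # controls resist roughly the 50th percentile of attackers
    for threat in (OPPORTUNIST, ORGANISED):
        vuln = vulnerability(threat, control_strength)
        # Same weakness, same controls: only the threat community changes.
        print(f"{threat.name}: Vulnerability={vuln:.2f}, "
              f"LEF at 12 threat events/yr={loss_event_frequency(12, vuln):.2f}")
```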
4.2.3 ISO/IEC 13335-1:2004 Concepts and models for information and communications technology security management
The standard’s full title is ISO/IEC 13335-1:2004 Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management. According to its abstract, "ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 provides operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security." [1]. In this section, however, we will focus on Part 1, as it is dedicated to discussing useful concepts and models for managing and planning IT security. Furthermore, Part 2 as a standalone document has since been made obsolete.