What’s the Risk?

Posted on March 7, 2014 by Carmelo

When asked, what’s the risk? I find great pleasure in flexing my ability to break down potential loss in either qualitative or quantitative methods.

The FAIR Quantitative Risk Model was taught to me by Jack Jones, the creator. I also feel pretty masterful of the ISRA methodology.

When trying to use a qualitative methodology, a nice impromptu method one can use, is just write down the basel II categories, and think about some high/medium/low rankings.

Let’s just say that a single person would like to file an exception to use dropbox. Let’s put down the basel II categories and comment under each.

  1. Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
    • Can the use use this to commit fraud? Yes, Medium loss.
  2. External Fraud- theft of information, hacking damage, third-party theft and forgery
    • Can dropbox be subject to social engineering by external hackers? Yes, Medium loss.
  3. Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety
    • Is it discrimination of employment practices? Depends on how sensitive other workers are and the relationship between the person asking for the exception and the person granting the exception. Low to Medium loss.
  4. Clients, Products, & Business Practice- market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
    • Business practice can be definitely questioned if using an external service as opposed to a service that internal IT can provide, especially if it already provides it and has paid for it.
  5. Damage to Physical Assets – natural disasters, terrorism, vandalism
    • Does not apply
  6. Business Disruption & Systems Failures – utility disruptions, software failures, hardware failures
    • External vendors that we don’t have a contract with, may not have an acceptable SLA, this can disrupt business
  7. Execution, Delivery, & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets
    • Does not apply

Overall, the average of answers to the qualitative assessment above equal a moderate/medium loss.

Usually, if there is a high or critical loss, those really pushing for that particular solution, will want a quantitative risk analysis.

This entry was posted in Security Blog and tagged , , , , , , , , . Bookmark the permalink.