1.4 Prioritizing Risks

Alice is lucky; larger enterprises are faced with many more risks. A really long list poses a challenge: Can we address all risks? If not, which do we address first? Naturally, we want to protect against the next attack, whatever it might be. We can’t predict the future, so we must make our best guess.

We can aid our decision-making by analyzing the risks and estimating their relative significance. The estimate compares the risks’ relative costs over time. We estimate the impact of the risk’s occurrence. We then estimate how often the risk might occur. To illustrate, we first calculate the significance of a shoplifter stealing Alice’s laptop. Then we apply the same approach to all 11 of Alice’s risks.

We calculate the significance in terms of both cost and time. We may calculate cost in terms of money, labor hours, or any other convenient metric. We use dollars here. Alice’s laptop cost $1,000, and we assume that it faces a likelihood of theft once a month. Over the course of a year, the relative significance is $12,000 per year. Here is the calculation:

    Impact per event  ×  Events per year  =  Relative significance
    $1,000 per theft  ×  12 thefts per year  =  $12,000 per year

Once the numbers and calculations are filled in, we identify the biggest risks by looking for the highest relative significance. The most significant risks are the ones that require our greatest attention. If we can’t afford to protect against everything, we focus on the most significant risks.

Estimating the Frequency of Individual Risks

Pick a time period (a day, a month, a year) and then estimate how often each type of attack might occur. Be sure to use the same time period for each type of attack. Use fractions or decimals as needed; if we are counting events per year and something bad occurs every 5 years, we still need to consider the risk. TABLE 1.3 estimates the rate of occurrence of certain crimes.

TABLE 1.3 Example of Crime Rates

    Attack                    Rate/Month
    Armed robbery             0.067
    Burglary                  0.402
    Larceny theft/shoplift    1.176
    Fraud                     0.211
    Identity theft            0.049

We will use the rates given in Table 1.3 to estimate the frequency. These rates are based on national crime statistics in the United States and are scaled for a small store like Alice’s. Like all estimates based on past experience, they don’t predict the future. They simply give us a way to estimate the relative likelihood of the events.

According to Table 1.1, three threat agents might physically steal things from Alice’s store: shoplifters, malicious employees, and armed robbers. The laptop is probably less accessible to shoplifters than other merchandise, but we’ll assume that Alice took no significant steps to protect it. Employees probably won’t steal the laptop for several reasons. While robbery is a definite possibility, it is less likely than theft by a highly motivated shoplifter.

Typical retail businesses expect a 3% rate of loss due to theft, damage, and other causes. Using statistics about shoplifting and losses, we estimate Alice’s store will host 40 people who shoplift during a typical month. Most of these people shoplift as a bizarre hobby or compulsion. A handful of these are “professional” shoplifters who steal merchandise as a business. At least one professional will probably visit her shop every month. Let us assume that only a professional shoplifter steals business equipment like Alice’s laptop. If we extrapolate the professionals’ visits over an entire year, the statistics estimate a likelihood of 14.5 visits a year.

Estimating the Impact of Each Risk

If a particular attack occurs, how much will it cost Alice to recover from it? As noted earlier, our estimate must include replacement cost, labor costs, the cost of lost opportunities, money spent on alternatives, and so on. We can estimate loss either in monetary terms or in terms of the time required to recover. In this case, we will estimate in terms of recovery time: the number of days it takes Alice to recover from a particular attack.

The laptop costs $1,000. Alice also spends an additional $50 in labor to acquire the replacement and reinstall her files. The monthly impact of its theft is a $1,050 expense to Alice.

We can also estimate the impact entirely in terms of labor hours. For example, it might take Alice 40 hours to earn the money to replace the laptop. She takes an additional 2 hours to acquire the replacement and reinstall her files. The impact is 42 hours.

Calculating the Relative Significance of Risks

Once we have filled in the attack likelihoods and impacts, we compute the significance by multiplying these values together. The biggest risks have the highest numerical significance. A high significance means that a disruption is likely and that it will affect Alice’s store for a long time. Other disruptions may be likely, but the effects won’t be as profound.

Relative Significance of Risks to Alice’s Arts

Here we take the list of risks stated earlier in this chapter and calculate their relative significance. We will review each risk and establish how we estimate its significance. Unless otherwise stated, we use the crime rates from Table 1.3 and calculate the impact on a monthly basis. The computed results appear in TABLE 1.4.

• Subversion of computer hardware and software—A subversion attack generally arises from a worm or virus infestation. The subversion itself might not cause direct damage. The infested computer might run imperceptibly slower. The real damages may arise from stolen online credentials, which we consider in other attacks. We will estimate a labor cost of 6 hours to restore a subverted computer, at $25 an hour, and that it occurs once a year.

• Denial of service by computer hardware and software—A power failure will generally bring Alice’s computers to a halt. Customers on the U.S. power grid experience a failure approximately once a year, and the average failure lasts about 2 hours. An unexpected power failure, or even a fluctuation, may also damage computer equipment. We might estimate an annual failure that takes the store’s POS device offline for 2 hours. If we estimate a net income of $25 per hour from individual sales, a 2-hour outage costs $50.

• Identity theft of online business and credentials—According to the U.S. Bureau of Justice Statistics in 2013, 50 percent of identity theft attacks cost the victim $100 or less, and most attacks were on higher-income households. Alice’s Arts does not support a high-income household.

• Disclosure of spreadsheets—The spreadsheets are confidential primarily because they contain salary information for employees. This may be open knowledge in a small store. However, we need to estimate it, so we will estimate that such a disclosure causes an employee to quit once every 4 years. Alice spends 3 hours of labor to replace the employee.

• Identity theft of social media and credentials—It is hard to predict the impact of this attack. We will estimate that Alice spends 2 hours of labor recovering from it once every 4 years.

• Denial of service for social media—Aside from personal entertainment value, Alice relies on social media to keep in touch with her local customer base. Her social media “advertising” tries to encourage customers to advertise for her. From time to time, she may be prevented for a few hours—or days—from keeping watch on the social media, because she is in a location without internet support. It is difficult to estimate how this might affect Alice’s sales. We will estimate that Alice spends 1 hour of labor recovering from it once every 4 years.
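Carrying the estimates above through the significance calculation, as an added example that is not from the book: every frequency is converted to events per year before it is multiplied by the impact, so estimates stated per month, per year and per 4 years land on one scale. The $25/hour labor rate from the subversion estimate is assumed to apply to all labor figures, and the factor-of-two threshold for a meaningful difference is likewise an assumption.

```python
"""Relative significance of Alice's risks: impact of one event x events per year.
Each risk is stated over a different period (a month, a year, 4 years), so the
frequency is converted to events per year before multiplying. Figures come from
the chapter text; the $25/hour rate from the subversion estimate is assumed to
apply to every labor estimate. Table 1.4 itself is not reproduced here.
"""
from dataclasses import dataclass

LABOR_RATE = 25.0     # dollars per labor hour (assumed to apply to all risks)
MONTHS_PER_YEAR = 12

@dataclass
class Risk:
    name: str
    impact: float         # cost of one occurrence, in dollars
    events: float         # occurrences ...
    period_months: float  # ... within this many months (1, 12, 48, ...)

    def annual_frequency(self) -> float:
        return self.events * MONTHS_PER_YEAR / self.period_months

    def annual_significance(self) -> float:
        return self.impact * self.annual_frequency()

def labor(hours: float) -> float:
    """Convert a labor estimate in hours to dollars at the assumed rate."""
    return hours * LABOR_RATE

RISKS = [  # constructed from the estimates stated in the chapter
    Risk("Laptop theft by shoplifter", 1000 + labor(2), events=1, period_months=1),
    Risk("Subversion of hardware/software", labor(6), events=1, period_months=12),
    Risk("Denial of service (power failure)", 50, events=1, period_months=12),
    Risk("Disclosure of spreadsheets", labor(3), events=1, period_months=48),
    Risk("Identity theft of social media", labor(2), events=1, period_months=48),
    Risk("Denial of service for social media", labor(1), events=1, period_months=48),
]

def ranked(risks=RISKS):
    """Risks ordered from most to least significant (dollars per year)."""
    return sorted(risks, key=lambda r: r.annual_significance(), reverse=True)

def meaningful_gap(a: Risk, b: Risk, factor: float = 2.0) -> bool:
    """Small differences between estimates are not significant; call a gap
    meaningful only when one estimate is at least `factor` times the other (assumed)."""
    hi, lo = sorted((a.annual_significance(), b.annual_significance()), reverse=True)
    return lo == 0 or hi / lo >= factor

if __name__ == "__main__":
    for r in ranked():
        print(f"{r.name:38s} {r.annual_significance():10.2f} $/year")
```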

TABLE 1.4 Calculating the Impact

[Table 1.4 appears as an image in the original and is not reproduced here.]

The analysis, as well as the calculation, highlights both the greater risks and the lesser risks. Physical damage is the most significant risk. Loss of access to social media is the lowest risk. We will omit social media DOS from Alice’s risk list.

When we calculate risk in terms of money, we get simple and impressive numbers. However, those results are often misleading. Numbers by themselves carry a lot of authority, especially when they represent money. Do not be fooled. There are two reasons these numbers are misleading.

First, the numbers are nothing more than estimates. They are useful when comparing one to another, but don’t rely on them in an absolute sense. An actual loss over time could be significantly less—or more—than this estimate.

Second, this calculation assumes that the risks and the attack events are independent of one another. This is nonsense. Some types of attacks, if successful, may increase the likelihood of further attacks. For example, shoplifters will steal more from a store that doesn’t try to catch shoplifters. A burglary that breaks open the shop door after hours may give others the opportunity to steal remaining goods.

Our intent is to compare risks. The numerical values provide gross comparisons, and it’s best to pay the most attention to the largest differences. Relatively small differences may not be significant.
