Once the elements have been individually identified and evaluated, the associated risk needs to be calculated. The two primary methodologies that can be used are:
The quantitative method uses predefined formulas. The collected data is used to identify the following values:
A control is implemented to reduce a risk. More directly, the control will reduce the ARO. If the ARO was four before the control, the ARO should be less than four after the control. Then, the cost of the control is compared to the savings.
For example, a website generates revenue of $5,000 an hour. In the past two years, it has suffered two hard drive failures. Each year, one of the several hard drives in the system has failed. Each failure has resulted in about three hours of downtime. The hard drive cost was about $300. What is the SLE, ARO, and ALE?
This example doesn’t include intangible costs. For example, a customer who visited the website when it was down may never come back. The cost to get this customer back or to get another customer is an intangible cost.
The decision may be made that a hardware redundant array of independent disks (RAID) can eliminate this risk. A hardware RAID that costs $3,000 is identified. It includes several disk drives. If any single drive fails, the RAID can detect the failure and automatically recover, which means that the failure of one drive will not cause the entire system to fail. The RAID will change the ARO from 1 to 0.
Is it cost effective to implement this RAID? This determination can be made by comparing three pieces of information:
If the cost of the control is less than the savings in ALE (the ALE before the control minus the ALE after the control), the cost is justified. In other words, $3,000 is being spent to save $15,000, which results in a realized savings of $12,000.
On the other hand, if the cost of the control was $50,000, the cost would not be justified based on the existing data: $50,000 would be spent to save $15,000, which puts savings in the hole. If the cost of the control is close to the savings in ALE, the return on investment can also be calculated over several years. The ALE is also impacted by the EF and the AV because both factors determine the SLE. The SLE multiplied by the ARO equals the ALE.
The mean time between failures (MTBF) gives a reliability estimate for hard drives. RAID hard drives often have a higher MTBF than standard hard drives. For simplicity, the ALE after control calculation assumes all the drives have the same MTBF.
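The quantitative calculation above, worked through as an added example (not code from the textbook): it computes SLE, ARO and ALE for the website scenario, then compares the ALE savings with the control cost for both the $3,000 RAID and the hypothetical $50,000 control, including the multi-year view. It assumes the control cost is a one-time purchase and follows the page in using $15,000 as the loss per failure.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the expected loss from a single occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year."""
    return sle * aro


@dataclass(frozen=True)
class ControlEvaluation:
    """Compares the ALE before and after a control with the control's cost."""
    ale_before: float
    ale_after: float
    control_cost: float  # assumed here to be a one-time purchase cost

    def annual_savings(self) -> float:
        return self.ale_before - self.ale_after

    def net_benefit(self, years: int = 1) -> float:
        """Savings accumulated over `years` minus the one-time control cost."""
        return self.annual_savings() * years - self.control_cost

    def is_justified(self, years: int = 1) -> bool:
        return self.net_benefit(years) > 0


def website_scenario(control_cost: float = 3000) -> ControlEvaluation:
    """The page's web server: $5,000/hour, three hours down per failure,
    two failures in two years, and a RAID that drives the ARO to zero."""
    hourly_revenue = 5000
    downtime_hours = 3
    # Loss per failure is the lost revenue; the $300 drive and the intangible
    # costs are left out, matching the $15,000 figure used on the page.
    sle = single_loss_expectancy(hourly_revenue * downtime_hours, 1.0)
    aro_before = 2 / 2          # two failures observed over two years
    aro_after = 0.0             # RAID tolerates any single-drive failure
    return ControlEvaluation(
        ale_before=annualized_loss_expectancy(sle, aro_before),
        ale_after=annualized_loss_expectancy(sle, aro_after),
        control_cost=control_cost,
    )


if __name__ == "__main__":
    for cost in (3000, 50000):
        ev = website_scenario(cost)
        print(f"control ${cost}: savings ${ev.annual_savings():.0f}/yr, "
              f"1-yr net ${ev.net_benefit():.0f}, 4-yr net ${ev.net_benefit(4):.0f}")
```

The $50,000 control shows why the multi-year view matters: it is a net loss for the first three years but turns positive in year four.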
In this scenario, the actual costs aren’t available or aren’t easy to calculate. Instead, a qualitative methodology can be used. A qualitative methodology uses the opinions of experts to determine two primary data points:
The probability and impact allow the risks to be ranked. This ranking allows prioritizing the most and least important risks.
In this example, buffer overflow attacks, SQL injection attacks, and web defacing for a web server are being evaluated. Experts have provided the data shown in Table 6-2, based on the current controls protecting the server.
Each of these risks can be prioritized:
The information in Table 6-2 clearly shows that the highest risk based on current controls is from SQL injection attacks. Now, controls to mitigate this risk can be identified.
Then, the experts can be queried to identify the controls that will provide the best gain. A similar survey can be used that identifies the probability and impact of a risk after implementation of a control.