The InfoSec Blog
2Jul/11

The Question of Residual Risk value

People keep asking questions like

If the risk equation I use is Impact * Probability, when it comes to
calculating the residual risk value do I still need to consider the
impact of Loss of confidentiality, integrity and availability of the
asset afterwards ?
My understanding us that the probability value may decrease
after applying some controls to mitigate the risk,  but how does
does the impact change?

English: ISMS activities and their relationshi...

Personally I don't like the use of the generalization "Impact".   It hides details and it hides seeing where the control is being applied.   Assets are often affected by more than one threat or more than one vulnerability.  You really need to recalculate the whole thing over again after the controls have been applied - don't try for short cuts.

I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/

I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/

 

Enhanced by Zemanta

Posted by antonaylward

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.