The Question of Residual Risk value
People keep asking questions like
If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of Loss of confidentiality, integrity and availability of the asset afterwards ? My understanding us that the probability value may decrease after applying some controls to mitigate the risk, but how does does the impact change?
Personally I don't like the use of the generalization "Impact". It hides details and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied - don't try for short cuts.
I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/
Related articles
- Planning means planning for success and for not-success (herdingcats.typepad.com)
Risk Models that hide important information
Some people seem to be making life difficult for themselves with risk models such as "Impact * Probability" and as such have lead themselves into all manner of imponderable ... since this model hides essential details.
I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using "impact".
Any asset is going to be affected by many
- threats
- vulnerabilities
- controls
Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.
Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.
As such, the CLASSICAL risk equation can then be viewed as addressing residual risk - the probability AFTER applying the controls.