[unisog] Risk analysis

Stejerean, Cosmin cosmin at cti.depaul.edu
Tue Feb 21 07:41:16 GMT 2006

The formula looks interesting but the results seem flawed. If your
number one risk is a terrorist attack you must be doing an excellent job
in all other areas. Either that or you need to tweak the math a bit to
reflect a more realistic number.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Leigh Vincent
Sent: Monday, February 20, 2006 10:48 PM
To: unisog at lists.sans.org
Subject: Re: [unisog] Risk analysis

Ok.  The calculation goes like this..........

You give each "Risk":
a value between 1 and 7 for Adequacy of Existing Controls (1 being
excellent & 7 being None)
a value between 1 and 5 for Likelihood of the Risk occurring (1 being
May never occur & 5 being Is expected to occur)
a value between 1 and 5 for Impact / Consequence (1 being Minimal to no
impact on users & 5being Total Destruction)

So for a terrorist attack we had:
Existing Controls: 7 (None)
Likeilhood: 2 (Could occur at some time)
Impact: 5 (Total Destruction of services)

Now for the maths: ( ( 7 x Existing Control) + ( 3 x Likelihood) + (4 x
Impact)) / 84

Now don't ask me how this figures were derived but they are as per the
australian Standards for Risk Management.

So our overall Risk Factor Rating was 0.9

Does that help???

>>> rudolph at usyd.edu.au 02/21/06 3:02 pm >>>
On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> >From this we established the a Terrorist attack was our number one
> mainly be cause there are no existing controls.  The next few were
> things like service packs, patch updates, portable devices,
> etc etc etc. We actually have a list of 21 possible risks.
Excuse my incredulity (I am no risk analyst), but would you be able to
share the
reasoning/calculations showing that a terrorist attack was on the top
your list?
unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list