[unisog] Risk analysis

Brad Judy judy at colorado.edu
Tue Feb 21 23:46:15 GMT 2006

I wanted to point out another flaw in this calculation for the purposes of
discourse on accurate risk assessment.  While an IT organization might not
have any controls in place specific to terrorist attack, there are probably
applicable controls in place in two different ways.  

First, controls for other events, like a flood or fire, are likely
applicable because they (hopefully) consider loss of a building and/or
personnel.  We have seen loss of an entire building several times in higher
education and have even seen the loss of essentially an entire campus (e.g.
this past year's hurricanes and flooding in New Orleans).  

Second, there are controls in place to mitigate terrorist attack from other
organizations like national and regional governments and law enforcement
agencies.  Depending on the campus, there may even be local controls in
place: our campus police are State of Colorado police officers and are
trained for a wide variety of situations.  Not all controls must exist
within your organization.  

These considerations, along with comments regarding more appropriate
likelihood calculations, should lead to a more accurate determination of

Brad Judy

University of Colorado at Boulder

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Leigh Vincent
> Sent: Monday, February 20, 2006 9:48 PM
> To: unisog at lists.sans.org
> Subject: Re: [unisog] Risk analysis
> Ok.  The calculation goes like this..........
> You give each "Risk":
> a value between 1 and 7 for Adequacy of Existing Controls (1 being excellent & 7 being None)
> a value between 1 and 5 for Likelihood of the Risk occurring (1 being May never occur & 5 being Is expected to occur)
> a value between 1 and 5 for Impact / Consequence (1 being Minimal to no impact on users & 5 being Total Destruction)
> So for a terrorist attack we had:
> Existing Controls: 7 (None)
> Likelihood: 2 (Could occur at some time)
> Impact: 5 (Total Destruction of services)
> Now for the maths: ((7 x Existing Control) + (3 x Likelihood) + (4 x Impact)) / 84
> Now don't ask me how these figures were derived but they are
> as per the Australian Standards for Risk Management.
> So our overall Risk Factor Rating was 0.9
> Does that help???
> >>> rudolph at usyd.edu.au 02/21/06 3:02 pm >>>
> On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> > From this we established that a Terrorist attack was our number one risk
> > mainly because there are no existing controls.  The next few were
> > things like service packs, patch updates, portable devices, ignorance
> > etc etc etc. We actually have a list of 21 possible risks.
> Excuse my incredulity (I am no risk analyst), but would you
> be able to share the reasoning/calculations showing that a
> terrorist attack was on the top of your list?

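The weighted formula quoted above, worked through as an added example (not code from the thread or from any participant): it reproduces the posted 0.9 rating and then shows how the result moves when the controls score is re-rated, which is the input the reply questions. Function names are hypothetical, and every input other than the posted 7/2/5 is constructed for illustration.

```python
from fractions import Fraction

# Weights and divisor as quoted in the thread: ((7*C) + (3*L) + (4*I)) / 84
WEIGHTS = {"controls": 7, "likelihood": 3, "impact": 4}
RANGES = {"controls": (1, 7), "likelihood": (1, 5), "impact": (1, 5)}
DIVISOR = 84  # equals the maximum weighted sum: 7*7 + 3*5 + 4*5


def risk_rating(controls, likelihood, impact):
    """Return the rating as an exact fraction of the maximum score."""
    values = {"controls": controls, "likelihood": likelihood, "impact": impact}
    total = 0
    for name, value in values.items():
        low, high = RANGES[name]
        if not (isinstance(value, int) and low <= value <= high):
            raise ValueError(f"{name} must be an integer in {low}..{high}, got {value!r}")
        total += WEIGHTS[name] * value
    return Fraction(total, DIVISOR)


def controls_sweep(likelihood, impact):
    """Rating for every possible controls score, holding the other inputs fixed."""
    low, high = RANGES["controls"]
    return {c: risk_rating(c, likelihood, impact) for c in range(low, high + 1)}


def max_share(name):
    """Fraction of the maximum possible score that one factor can contribute."""
    return Fraction(WEIGHTS[name] * RANGES[name][1], DIVISOR)


if __name__ == "__main__":
    # Inputs from the thread: controls 7 (None), likelihood 2, impact 5.
    print("as posted:", round(float(risk_rating(7, 2, 5)), 3))
    # Re-rating controls to credit shared or external controls (illustrative sweep).
    for c, r in controls_sweep(2, 5).items():
        print(f"controls={c}: {float(r):.3f}")
    for name in WEIGHTS:
        print(f"{name} can contribute up to {float(max_share(name)):.0%} of the score")
    # Constructed comparison: no controls but unlikely and minor, versus
    # excellent controls but expected and destructive.
    print(float(risk_rating(7, 1, 1)), "vs", float(risk_rating(1, 5, 5)))
```

The sweep makes the ranking's sensitivity visible: with likelihood and impact held at the posted values, the rating runs from about 0.39 to 0.89 depending only on the controls score.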