[unisog] Risk analysis

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 22 01:00:48 GMT 2006



Valdis.Kletnieks at vt.edu wrote:

> The point is that you're multiplying by a number between 1 and 5, and the
> threats at 5 are *much* more likely to actually happen than the ones at 1 and 2.
> When you multiply by 1 and 2 (rather than 0.00004 and 0.005 or similar), you
> end up artificially inflating the apparent risk of low-risk threats, resulting
> in the strange numbers you get....
>
All this comes back to what I said in my earlier post.  If you use these
sorts of simplistic methods you *must* apply sanity checks on the results.

In my experience the most valuable part of the exercise is actually
performing the process since you might find some things that you had not
previously considered.  The results are to be taken with large amounts
of your favourite condiment.

Valdis has pointed out one very obvious weakness in the process. In fact
none of the other scales are linear either!  Loss of a single server = 2, loss
of whole data centre = 5?

Brad's point about other controls outside your organisation is also
another thing that is not catered for in these simplistic models.

Russell.
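Valdis's inflation point and Russell's sanity-check advice, worked through in an added example (my own code, not anything from the thread): the ordinal 1-5 product is compared against the probabilities and loss figures the buckets are assumed to stand for, and pairs of threats that the two methods rank in opposite order are reported. The calibration tables and the sample register are constructed values, chosen only to make the effect visible.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed calibration: what each ordinal bucket is taken to mean (assumed values).
LIKELIHOOD_PROB = {1: 0.00004, 2: 0.005, 3: 0.05, 4: 0.3, 5: 0.9}  # annual probability
# Impact 1..5 -> loss in currency units (assumed; the top bucket is nowhere near
# five times the bottom one, which is the non-linearity Russell points at).
IMPACT_LOSS = {1: 1_000, 2: 20_000, 3: 100_000, 4: 1_000_000, 5: 5_000_000}

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # ordinal 1-5
    impact: int      # ordinal 1-5

def ordinal_score(t: Threat) -> int:
    """The simplistic method: multiply the two ordinal ratings."""
    return t.likelihood * t.impact

def calibrated_score(t: Threat) -> float:
    """Annualised loss expectancy: probability x loss, using the calibration above."""
    return LIKELIHOOD_PROB[t.likelihood] * IMPACT_LOSS[t.impact]

def spread(threats, score) -> float:
    """Ratio of highest to lowest score: how much a method compresses the range of risk."""
    values = [score(t) for t in threats]
    return max(values) / min(values)

def inversions(threats):
    """Sanity check: pairs the two methods order differently, as (ordinal-higher, calibrated-higher)."""
    out = []
    for a, b in combinations(threats, 2):
        if ordinal_score(a) > ordinal_score(b) and calibrated_score(b) > calibrated_score(a):
            out.append((a.name, b.name))
        elif ordinal_score(b) > ordinal_score(a) and calibrated_score(a) > calibrated_score(b):
            out.append((b.name, a.name))
    return out

# Constructed sample risk register (likelihood, impact on the 1-5 scales).
THREATS = [
    Threat("phishing credential theft", 5, 2),
    Threat("malware outbreak", 3, 3),
    Threat("single server loss", 4, 2),
    Threat("data centre loss", 1, 5),
    Threat("laptop theft", 4, 1),
]

if __name__ == "__main__":
    print(spread(THREATS, ordinal_score), spread(THREATS, calibrated_score), inversions(THREATS))
```

On this register the ordinal product squeezes the whole range into a factor of 2.5 while the calibrated figures span a factor of 90, and two pairs come out in opposite order, which is exactly the kind of result the sanity check is there to catch.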
