## Risk Assessment

Within network security, proper risk management is a technique used to lower risks to within acceptable levels. A well-thought-out plan for network security design implements the components included in the security policy. The security policies that an organization employs use risk assessments and cost-benefit analysis to reduce security risks.

Figure 13-4 shows the three major components of risk assessment. Control refers to how you use the security policy to minimize potential risks. Severity describes the level of the risk to the organization, and probability is the likeliness that an attack against the assets will occur.

Figure 13-4 Risk Assessment Components

Risk assessments should explain the following:

■ What assets to secure

■ The monetary value of the assets

■ The actual loss that would result from an attack

■ The severity and the probability that an attack against the assets will occur

■ How to use security policy to control or minimize the risks

Security costs can be justified by describing the loss of productivity during security incidents.

Generally, network systems are built with just enough security to reduce potential losses to a reasonable level. However, some organizations have higher security requirements, such as complying with SOX or HIPAA regulations, so they need to employ stronger security mechanisms.

A risk index is used to consider the risks of potential threats. The risk index is based on risk assessment components (factors):

■ Severity of loss if the asset is compromised

■ Probability of the risk actually occurring

■ Ability to control and manage the risk

One approach to determining a risk index is to give each risk factor a value from 1 (lowest) to 3 (highest). For example, a high-severity risk would have a substantial impact on the user base and/or the entire organization. Medium-severity risks would have an effect on a single department or site. Low-severity risks would have limited impact and would be relatively straightforward to mitigate.

The risk index is calculated by multiplying the severity and probability factors and then dividing that by the control factor:

risk index = (severity factor * probability factor) / control factor

Table 13-2 shows a sample risk index calculation for a typical large corporation facing a couple of typical risks. A higher calculated risk index means more risk and thus more impact to the organization; a lower index means less risk and less impact.

Table 13-2 Sample Risk Index Calculation

| Risk | Severity (S), Range 1 to 3 | Probability (P), Range 1 to 3 | Control (C), Range 1 to 3 | Risk Index (S * P) / C, Range .3 to 9 |
|---|---|---|---|---|
| DoS attack lasting for 1.5 hours on the e-mail server | 2 | 2 | 1 | 4 |
| Breach of confidential customer lists | 3 | 1 | 2 | 1.5 |