Risk analysis methods and quantitative infosec tools
Damage to the security of an information system is the monetary value of the harm caused to an enterprise's activities by the realization of security threats, taking into account the possible consequences of a violation of the confidentiality, integrity or availability of information. Mathematically, the damage to the security of an organization's information system is the product of the risk of an event that affects information security and the cost of the information processed in the information system. Hence modern risk analysis methods and tools are indispensable.
Quantitative risk analysis methods
Quantitative methods for analyzing the risks affecting an enterprise's information system are:
- Method of statistical analysis;
- Method of expert assessments;
- Analytical method;
- Method of analogues.
Statistical methods of risk analysis
These methods accumulate statistical data on the realization of particular information threats and the subsequent monetary losses at this or a similar enterprise, in order to determine the likelihood of incidents and the amount of possible damage. The magnitude, or degree, of risk is measured in this case by two indicators: the mean and the variation of the possible result.
Expert methods of risk analysis
Expert methods differ from statistical methods in how the input information for building the risk model is collected: it is assumed that the data are collected and analyzed by specialists who have all the necessary knowledge. Expert assessments are held to take all risk factors into account and to reflect the specifics of a particular environment to the greatest extent.
Analytical methods for risk analysis
Analytical methods for constructing the risk curve are the most complex and are accessible only to professionals. They are most often used to assess risk at the level of business processes and are typically based on a sensitivity analysis of the selected model.
The analysis consists of the following steps:
- Selection of a key economic indicator by which sensitivity is assessed (internal rate of return, net present value, etc.);
- Choice of the influencing factors (loss of confidentiality, integrity or availability of a resource, etc.);
- Calculation of the variation of the key indicator at different stages of the project, depending on the magnitude of the influencing factors;
- Interpretation of the result: high sensitivity corresponds to a high degree of risk, and conversely, if the sensitivity of the key indicator to fluctuations in the destabilizing factor is insignificant, this as a rule indicates a low degree of risk.
However, this method has a serious methodological flaw: it does not take into account the possibilities and probabilities of alternative scenarios.
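The following is an added example, not code from the original article, that applies the damage formula, the statistical method's two indicators and the sensitivity steps above to a constructed five-year loss history. The information cost, the service-value indicator and the use of the yearly incident frequency as the "risk of the event" are assumptions made for the example.

```python
from statistics import mean, pvariance, pstdev

# Constructed loss history (monetary units per year) for three threats,
# standing in for the statistics an enterprise accumulates; 0 = no loss.
LOSS_HISTORY = {
    "ransomware (availability)": [0, 0, 120_000, 0, 45_000],
    "data leak (confidentiality)": [30_000, 0, 0, 0, 0],
    "record tampering (integrity)": [0, 0, 0, 0, 0],
}

def statistical_risk(losses):
    """Statistical method: mean and variation of the possible result, plus
    the empirical yearly probability taken here as the 'risk of the event'."""
    years = len(losses)
    incidents = sum(1 for loss in losses if loss > 0)
    return {
        "probability": incidents / years,
        "mean_loss": mean(losses),
        "variance": pvariance(losses),
        "std_dev": pstdev(losses),
    }

def expected_damage(probability, information_cost):
    """Damage = risk of the event x cost of the information processed."""
    return probability * information_cost

def sensitivity(indicator, factor_values):
    """Analytical method: spread of a key indicator over a range of values
    of one influencing factor, relative to its value at the base (first) value."""
    outcomes = [indicator(value) for value in factor_values]
    return (max(outcomes) - min(outcomes)) / abs(outcomes[0])

def assess(history, information_cost):
    """Per-threat table of statistical indicators and expected damage."""
    table = {}
    for threat, losses in history.items():
        risk = statistical_risk(losses)
        risk["damage"] = expected_damage(risk["probability"], information_cost)
        table[threat] = risk
    return table

def service_value(downtime_fraction):
    """Constructed key indicator: yearly net value of a service vs. downtime."""
    return 1_000_000 * (1 - downtime_fraction) - 200_000

if __name__ == "__main__":
    for threat, risk in assess(LOSS_HISTORY, 500_000).items():
        print(f"{threat}: {risk}")
    print("sensitivity to availability:",
          sensitivity(service_value, [0.0, 0.05, 0.10, 0.20]))
```

The sensitivity value is a relative spread (0.25 here means the indicator moves by a quarter of its base value over the tested downtime range), so it is comparable across indicators with different units.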
After identifying the information risks the enterprise may face in the course of its production activities, identifying the destabilizing factors that affect the level of risk, assessing the risks and identifying the potential losses associated with them, the enterprise is tasked with developing a protection program that reduces the level of risk to an acceptable value.
Method of analogues
The method of analogues is used when the application of other methods gives no results. A base of similar objects is built and the common connections among them are determined; the results are then transferred to the object under study.
The advantage of the qualitative assessment method is that it allows the main types of threats affecting the enterprise's information system to be identified. At the initial stages of project implementation it makes it possible to determine the risks that will accompany the project and to decide whether to implement the project or abandon it.
As a result of the analysis, the project manager receives information about the threats for which it makes sense to conduct a quantitative risk analysis; that is, only those risks are assessed that are present in the implementation of a specific task.