This week’s blog is Part 2 of a 5-part series.
I know it is time consuming to do the analysis for building a business case. I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.
Hopefully these articles will be helpful.
The next logical step is to associate an actual cost with each event. Various methods can be used, either separately or together with an averaging metric, to estimate the cost per occurrence of an event. These methods may include:
1. Soliciting expert advice from financial management, lawyers, and risk management consultants.
2. Conducting a straw poll of stakeholders, each estimating the downside cost of an event.
3. Participating in a fact gathering survey of similar businesses, each of which provides factual and straw poll estimates of the cost of an event.
4. Purchasing statistical information from industry experts regarding the cost of an event.
5. Obtaining statistical information from industry associations about the cost of an event experienced by their membership.
Using a similar methodology, the next step is to determine the likelihood of an event occurring. The most useful way of expressing likelihood is as the percentage chance of the event occurring in any one year.
However, any likelihood estimate should also be adjusted to account for changes in the security environment. There are typically evolving waves of new threats that may affect the likelihood of occurrence, such as these previous waves:
1. Viruses
2. Malware of all sorts
3. DDoS
4. Identity Theft
The likelihood estimate can then be used to:
1. Qualitatively express cost vs. likelihood as in Exhibit 1 – Potential Cost vs. % Probability of Occurrence.
2. Calculate the quantitative Annual Loss Expectancy.
Exhibit 1 – Potential Cost vs. Probability of Occurrence (1)
This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Obviously you want to prioritize the mitigation steps so that high risk / high cost situations are dealt with first.
Annual Loss Expectancy (ALE) (2)
The step from qualitative to quantitative risk analysis logically occurs at this point, where the team evaluating risk triages the results of Exhibit 1 in order to decide upon the risks on which they intend to focus.
The potential cost of those risks can be determined by calculating their Annual Loss Expectancy. The annual loss expectancy is the annualized estimated cost of the occurrence of any type of event. This number is useful for comparison with the annual cost of mitigation. ALE for an event is calculated by multiplying the previously determined cost of the event by the chance of its occurrence.
Annual loss expectancy = cost of event x chance of occurrence
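To show the steps above working together, here is an added example (my illustration, not part of the original post or of any ERE material): a small risk register that averages the cost estimates gathered from several sources, adjusts the annual likelihood for a change in the threat environment, places each event in an Exhibit 1 quadrant, and then ranks the events by ALE so they can be compared with an annual mitigation cost. All event names, dollar figures, percentages and thresholds are constructed sample values, and the function names are my own.

```python
"""Added example: cost-per-event averaging, likelihood adjustment, qualitative
triage and Annual Loss Expectancy. All figures below are constructed sample
data, not numbers from the original post."""
from statistics import mean


def average_cost(estimates):
    """Combine cost-per-occurrence estimates from several sources (expert
    advice, straw poll, survey, purchased statistics) into one averaged figure."""
    if not estimates:
        raise ValueError("need at least one cost estimate")
    return mean(estimates)


def adjusted_likelihood(base_pct, adjustment_factor=1.0):
    """Annual % chance of occurrence, scaled for a change in the threat
    environment (e.g. a new wave of attacks) and clamped to the 0-100 range."""
    return max(0.0, min(100.0, base_pct * adjustment_factor))


def qualitative_bucket(cost, likelihood_pct, cost_threshold, likelihood_threshold):
    """Place an event in one of the four cost vs. probability quadrants."""
    cost_label = "high cost" if cost >= cost_threshold else "low cost"
    prob_label = "high probability" if likelihood_pct >= likelihood_threshold else "low probability"
    return f"{cost_label} / {prob_label}"


def annual_loss_expectancy(cost, likelihood_pct):
    """ALE = cost of event x chance of occurrence (chance expressed as a fraction)."""
    return cost * (likelihood_pct / 100.0)


def mitigation_headroom(ale, annual_mitigation_cost):
    """How much the annualized loss exceeds the yearly cost of a control;
    a negative result means the control costs more than the expected loss."""
    return ale - annual_mitigation_cost


def rank_risks(register, cost_threshold, likelihood_threshold):
    """Work each register entry through the steps and sort by ALE, largest first."""
    rows = []
    for name, entry in register.items():
        cost = average_cost(entry["cost_estimates"])
        likelihood = adjusted_likelihood(
            entry["base_likelihood_pct"], entry.get("adjustment", 1.0)
        )
        rows.append({
            "event": name,
            "cost": cost,
            "likelihood_pct": likelihood,
            "quadrant": qualitative_bucket(cost, likelihood, cost_threshold, likelihood_threshold),
            "ale": annual_loss_expectancy(cost, likelihood),
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed sample register (hypothetical figures). Each cost list holds the
# estimates gathered from different sources; "adjustment" scales the base
# likelihood for a current wave of threats.
SAMPLE_REGISTER = {
    "ransomware outage": {
        "cost_estimates": [400_000, 600_000, 500_000],
        "base_likelihood_pct": 10,
        "adjustment": 1.5,
    },
    "laptop theft": {"cost_estimates": [8_000, 12_000], "base_likelihood_pct": 40},
    "DDoS on web store": {"cost_estimates": [50_000, 70_000], "base_likelihood_pct": 20},
    "identity theft of customer data": {
        "cost_estimates": [900_000, 1_100_000],
        "base_likelihood_pct": 2,
    },
}

# Sample thresholds separating the "high" from the "low" quadrants.
COST_THRESHOLD = 100_000
LIKELIHOOD_THRESHOLD = 10


if __name__ == "__main__":
    for row in rank_risks(SAMPLE_REGISTER, COST_THRESHOLD, LIKELIHOOD_THRESHOLD):
        print(f"{row['event']:<32} {row['quadrant']:<32} ALE ${row['ale']:>10,.0f}")
```

Run as a script it prints the register ranked by ALE; the ranking is what you carry into the comparison with mitigation costs, since an event with a modest per-occurrence cost but a high annual likelihood can produce a larger ALE than a catastrophic but rare one.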
Next week I will discuss the ins and outs of calculating the cost of minimizing risk and how to present this to the executives.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance