IT Risk Calculation


Let's take a look at some sample IT Risk calculations.

You could calculate your Risk for every IT control. In fact, this Risk calculation is likely to be a significant part of your business case, as it allows you to calculate the Return on Investment (ROI) you are likely to achieve by implementing the new Countermeasure. However, we can also complete an Enterprise Risk calculation by using industry figures for IT Control implementation weaknesses.

We know, from our previous discussion around Threats, that all organisations are under a constant Threat, that is to say, Threat = 100%. We also know, by the nature of the evolving Threat, that no Countermeasure is going to be 100% effective 100% of the time, our best strategy being to adopt Defence in Depth. We can therefore conclude that a range of organisations will in fact be breached: those with strong control systems and those with weaknesses in their control systems.

If we evaluate those organisations that have been breached and calculate the maturity of their control systems, we can determine an industry average. Fortunately, a significant amount of this work has been completed for us by Verizon, with their annual Verizon Breach Report.

The breach report looks at a number of organisations across the globe and assesses how difficult it was to compromise their IT Control Systems when they were breached. Their conclusion is below:

Difficulty to Compromise IT Controls

Very Low 2%

Low 65%

Moderate 24%

High 1%

Unknown 8%

The definition of each level is below:

Very Low: no special skills or resources required. The average user could have breached this environment.

Low: basic methods, no customization, and/or low resources required. Automated tools and scripts that are easily available on the Internet. Hackers that are often referred to as "Script Kiddies".

Moderate: skilled techniques, some customization, and/or significant resources required. This is what we expect the typical dedicated hacker to be capable of.

High: Advanced skills, significant customizations, and/or extensive resources required. More typical of large Hacking communities that make a living with their nefarious activities, and/or a government or large organisation sponsored attack.

From the report it is clear that the average organisation's IT Controls can be compromised by "Script Kiddies" (Very Low plus Low, 67% of cases) and in 91% of the cases (Very Low, Low and Moderate combined) can be compromised by a typical Hacker.

If we plug these percentages into our IT Risk formula we can calculate the average IT Risk of an average organisation.

Let's assume the organisation has implemented all of the SANS top twenty security controls and therefore has an Enterprise Countermeasure score of 21. Let's also assume we have calculated our Valuation at Risk as being $10,000,000. We know already that the Threat is constant, making our Threat Ratio 100%.

Valuation at Risk = $10,000,000 {VaR}

Threat to the Organisation = 100% {t}

Counter Measure Score = 21 {cms}

If we want to calculate our IT Risk to "Script Kiddies", based on the information we have from the Verizon Breach Report, we would use a Vulnerability Ratio of 67%, as in 67% of the Verizon cases (2% Very Low plus 65% Low) the IT Controls were vulnerable to a Low or Very Low Difficulty attack. Hence we have the following IT Risk:

Vulnerabilities = 67%{Vu}

RISK = (( 67%{Vu} x 100%{t}) / 21 {cms} ) * $10,000,000{VaR}

RISK = $319,048

If we want to calculate our IT Risk to the average Hacker, based on the information we have from the Verizon Breach Report, we would use a Vulnerability Ratio of 91%, as in 91% of the Verizon cases (2% Very Low, 65% Low and 24% Moderate) the IT Controls were vulnerable to a Moderate, Low or Very Low Difficulty attack. Hence we have the following IT Risk:

Vulnerabilities = 91%{Vu}

RISK = (( 91%{Vu} x 100%{t}) / 21 {cms} ) * $10,000,000{VaR}

RISK = $433,333

If you only implemented ten of the top twenty SANS controls, your Enterprise IT Risk could be calculated as the following:

RISK = (( 91%{Vu} x 100%{t}) / 11 {cms} ) * $10,000,000{VaR}

RISK = $872,273

If you only implemented one of the top twenty SANS controls, your Enterprise IT Risk could be calculated as the following:

RISK = (( 91%{Vu} x 100%{t}) / 2 {cms} ) * $10,000,000{VaR}

RISK = $4,550,000

What this demonstrates is that as you add more IT Controls to your environment you achieve a diminishing Return on Investment (ROI). This is to be expected: your frontline defences such as Firewalls, Malware tools and Security Configuration tools are likely to achieve your highest ROI, as they close the biggest gaps in your security. As you add extra tools they close smaller and smaller gaps in your defences, so each additional tool provides less and less ROI.
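The scenarios above all apply the same formula, RISK = ((Vu x t) / cms) * VaR, with only the Vulnerability Ratio and the Countermeasure Score changing. The following Python script is an added example (not part of the original article) that evaluates that formula for each scenario and then walks through the full range of 0 to 20 controls to show the diminishing return the last paragraph describes. It assumes, from the worked figures (21 for twenty controls, 11 for ten, 2 for one), that the Countermeasure Score is the number of implemented controls plus one; the Verizon percentages, the $10,000,000 VaR and the per-control cost used in the ROI helper are constructed inputs taken from or chosen for this page.

```python
"""Worked IT Risk calculation: RISK = ((Vu x t) / cms) * VaR."""

# Breach-difficulty distribution as quoted from the Verizon Breach Report above.
BREACH_DIFFICULTY = {
    "Very Low": 0.02,
    "Low": 0.65,
    "Moderate": 0.24,
    "High": 0.01,
    "Unknown": 0.08,
}

VAR = 10_000_000      # Valuation at Risk used in the article's examples
THREAT = 1.0          # Threat is treated as constant (100%)


def vulnerability_ratio(*levels: str) -> float:
    """Vu for an attacker profile = share of breaches at or below their skill level."""
    return sum(BREACH_DIFFICULTY[level] for level in levels)


def cms_for_controls(implemented_controls: int) -> int:
    """ASSUMPTION: Countermeasure Score = implemented controls + 1 (21 for 20, 11 for 10, 2 for 1)."""
    if implemented_controls < 0:
        raise ValueError("control count cannot be negative")
    return implemented_controls + 1


def it_risk(vu: float, t: float, cms: float, var: float) -> float:
    """The page's formula. Ratios are fractions (0.67, not 67); cms must be positive."""
    if not (0.0 <= vu <= 1.0 and 0.0 <= t <= 1.0):
        raise ValueError("Vu and t must be ratios between 0 and 1")
    if cms <= 0:
        raise ValueError("countermeasure score must be positive (a score of 0 is undefined)")
    return (vu * t) / cms * var


def scenario_risks() -> dict:
    """The four scenarios from the article, rounded to whole dollars."""
    script_kiddie = vulnerability_ratio("Very Low", "Low")              # 67%
    typical_hacker = vulnerability_ratio("Very Low", "Low", "Moderate")  # 91%
    return {
        "script kiddies, 20 controls": round(it_risk(script_kiddie, THREAT, cms_for_controls(20), VAR)),
        "typical hacker, 20 controls": round(it_risk(typical_hacker, THREAT, cms_for_controls(20), VAR)),
        "typical hacker, 10 controls": round(it_risk(typical_hacker, THREAT, cms_for_controls(10), VAR)),
        "typical hacker, 1 control": round(it_risk(typical_hacker, THREAT, cms_for_controls(1), VAR)),
    }


def marginal_reductions(vu: float, t: float, var: float, max_controls: int = 20) -> list:
    """Dollar risk removed by the Nth control (N = 1..max_controls), given N-1 are already in place."""
    reductions = []
    for n in range(1, max_controls + 1):
        before = it_risk(vu, t, cms_for_controls(n - 1), var)
        after = it_risk(vu, t, cms_for_controls(n), var)
        reductions.append(round(before - after))
    return reductions


def roi(risk_reduction: float, countermeasure_cost: float) -> float:
    """ASSUMPTION: ROI expressed as (risk reduction - cost) / cost; the page does not fix a definition."""
    if countermeasure_cost <= 0:
        raise ValueError("cost must be positive")
    return (risk_reduction - countermeasure_cost) / countermeasure_cost


if __name__ == "__main__":
    for name, risk in scenario_risks().items():
        print(f"{name:30s} RISK = ${risk:,}")
    hacker_vu = vulnerability_ratio("Very Low", "Low", "Moderate")
    cost_per_control = 100_000  # constructed figure for the ROI illustration
    for n, cut in enumerate(marginal_reductions(hacker_vu, THREAT, VAR), start=1):
        print(f"control #{n:2d}: risk reduced by ${cut:>9,}  ROI at ${cost_per_control:,} = {roi(cut, cost_per_control):+.2f}")
```

Run it and compare the printed scenario values against the figures quoted above; the per-control table shows the first control removing millions of dollars of risk while the twentieth removes only tens of thousands, which is the diminishing ROI the article describes.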
