Information Security Risk Assessment Basics
Value of Assets
The value of an asset is classified as one of three levels:
- High - Extremely grave injury accrues to the organization if the information is compromised; could cause loss of life, imprisonment, major financial loss, or require legal action for correction.
- Medium - Serious injury accrues to the organization if the information is compromised; could cause significant financial loss or require legal action for correction.
- Low - Injury accrues to the organization if the information is compromised; would cause only minor financial loss or require only administrative action for correction.
With this definition of value, risk is defined as value times probability of failure.
Probability of Failure
There are five levels of control effectiveness (the inverse of probability of failure), from weakest to strongest:
- Control objective documented in a security policy (lowest)
- Security control documented as procedures
- Procedures have been implemented
- Procedures and security controls are tested and reviewed
- Procedures and security controls are fully integrated into a comprehensive program (strongest)
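The following is an added worked example, not part of the original page, that turns the two scales above into a simple scoring routine: each asset gets a value class (High/Medium/Low) and a control maturity level (1 = policy only, 5 = fully integrated), and risk is computed as value times probability of failure. The numeric weights for the value classes and the probability assigned to each control level are assumptions chosen for illustration (the page only gives the ordering); the asset inventory is constructed sample data. It also goes one step beyond the page by estimating how much risk a one-level control improvement would remove per asset, which is a common way to prioritize remediation.

```python
from dataclasses import dataclass

# Assumed numeric weights for the page's three value classes (not from the page).
VALUE_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

# Assumed probability of failure for each of the page's five control levels.
# Level 1 is the weakest (objective only documented in policy), level 5 the
# strongest (fully integrated program). The page states only the ordering;
# the probabilities are illustrative.
FAILURE_PROBABILITY = {
    1: 0.9,  # control objective documented in a security policy
    2: 0.7,  # security control documented as procedures
    3: 0.5,  # procedures have been implemented
    4: 0.3,  # procedures and controls are tested and reviewed
    5: 0.1,  # fully integrated into a comprehensive program
}


@dataclass(frozen=True)
class Asset:
    name: str
    value: str          # "High", "Medium" or "Low"
    control_level: int  # 1 (weakest) .. 5 (strongest)


def _validate(asset: Asset) -> None:
    """Reject inputs outside the two scales so bad data does not silently score as zero."""
    if asset.value not in VALUE_WEIGHT:
        raise ValueError(f"{asset.name}: unknown value class {asset.value!r}")
    if asset.control_level not in FAILURE_PROBABILITY:
        raise ValueError(f"{asset.name}: control level must be 1..5, got {asset.control_level}")


def risk_score(asset: Asset) -> float:
    """Risk = value * probability of failure, as defined on the page."""
    _validate(asset)
    return VALUE_WEIGHT[asset.value] * FAILURE_PROBABILITY[asset.control_level]


def rank_by_risk(assets: list[Asset]) -> list[str]:
    """Asset names ordered from highest to lowest risk."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


def risk_reduction_if_improved(asset: Asset) -> float:
    """Risk removed by raising the asset's controls one level; 0.0 if already at level 5."""
    _validate(asset)
    if asset.control_level == 5:
        return 0.0
    improved = Asset(asset.name, asset.value, asset.control_level + 1)
    return risk_score(asset) - risk_score(improved)


def prioritize_improvements(assets: list[Asset]) -> list[str]:
    """Asset names ordered by how much risk a one-level control upgrade would remove."""
    return [a.name for a in sorted(assets, key=risk_reduction_if_improved, reverse=True)]


# Constructed sample inventory (hypothetical assets, not from the page).
SAMPLE_ASSETS = [
    Asset("payroll-db", "High", 2),
    Asset("intranet-wiki", "Low", 3),
    Asset("customer-portal", "Medium", 4),
    Asset("build-server", "High", 5),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:16} value={a.value:6} level={a.control_level} "
              f"risk={risk_score(a):.2f} reduction_if_improved={risk_reduction_if_improved(a):.2f}")
    print("ranked by risk:", rank_by_risk(SAMPLE_ASSETS))
    print("improvement priority:", prioritize_improvements(SAMPLE_ASSETS))
```

Because the value weights and failure probabilities are the only tunable inputs, an organization using this scheme should agree on them once and keep them fixed across assessments; otherwise risk scores from different assessors are not comparable.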
Last modified January 17, 2020