To calculate a company's risks properly, use the following formula: SLE x ARO = ALE. Each acronym has a specific meaning. SLE (single loss expectancy) is how much the company could expect to lose from a single occurrence of an event. SLE is made up of two parts, AV (asset value) and EF (exposure factor). ARO (annualized rate of occurrence) is the likelihood that the event happens within the next year, estimated by checking the company's own history. ALE (annual loss expectancy) is the amount the company could expect to lose from that event over a year.
Once you have calculated the possible risks for a company, you can plan accordingly.
For example, suppose a small company that generates $5,000 a day has no backup system in place on its server, and the server is suddenly infected by a virus that destroys all of its data. The likelihood of a virus infecting the server within a year is estimated at about 0.15 percent. All of the lost data could be recreated within 6 hours at a cost of $1,000. Applying the formula: the SLE would be $31,000 ($5,000 x 6 + $1,000) and the ARO is 0.15, so the ALE would be $4,650.
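As an added illustration (not code from the original post), the calculation in Python, with SLE expressed as AV x EF as the text describes and, going one step beyond the page, a cost/benefit check for the mitigation option. The page's own scenario is reproduced with EF = 1.0 (the virus destroyed all the data) and ARO = 0.15 per year as used in its ALE figure; the with-backup numbers and the backup's yearly cost are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pairing expressed in the page's terms."""
    name: str
    asset_value: float      # AV: dollar value at stake in one incident
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0-1.0)
    aro: float              # ARO: expected occurrences per year (0.15 = 15%)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def control_net_benefit(before: Risk, after: Risk, annual_cost: float) -> float:
    """ALE reduction a control buys, minus what the control costs per year.
    Positive: the control pays for itself (mitigate). Negative: the other
    responses (transfer, accept) deserve a look."""
    return before.ale() - after.ale() - annual_cost


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order risks so the largest expected annual loss is treated first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# The page's scenario: 6 hours of lost revenue at $5,000/day plus $1,000 of
# recovery work, a virus that destroys all data (EF = 1.0), ARO 0.15/year.
NO_BACKUP = Risk("virus, no backups", asset_value=5_000 * 6 + 1_000,
                 exposure_factor=1.0, aro=0.15)
# Constructed "after" case (not from the page): nightly backups cut the
# loss per incident to a tenth; ARO is unchanged, because backups do not
# stop the infection, they only shrink its impact.
WITH_BACKUP = Risk("virus, with backups", asset_value=31_000,
                   exposure_factor=0.1, aro=0.15)
BACKUP_ANNUAL_COST = 1_200.0  # assumed yearly cost of the backup service

if __name__ == "__main__":
    print(f"SLE ${NO_BACKUP.sle():,.0f}, ALE ${NO_BACKUP.ale():,.0f}")
    print(f"Backups net ${control_net_benefit(NO_BACKUP, WITH_BACKUP, BACKUP_ANNUAL_COST):,.0f}/yr")
```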
After a risk assessment has been completed, there are five possible actions you can take. The first is risk avoidance, which means avoiding any activity that could be associated with the risk at hand. The second is risk transference, which essentially means purchasing an insurance plan to help cover the cost if the event occurs. The third is risk mitigation, which means taking the necessary actions to reduce the possibility of the risk occurring. The fourth is risk deterrence, which involves gathering information about the attacker and acting against them, for example through policies. The fifth is risk acceptance, the decision a company makes when the cost of implementing any of the other options is too high, so it accepts any possible risk or damage.