Handbook of Information Security Management:Risk Management and Business Continuity Planning

Previous Table of Contents Next


Safeguard Cost/Benefit Analysis

The risk assessment is now almost complete, though this final set of calculations is, once again, not trivial. In previous steps, the expected value of risk mitigation — the Annualized Loss Expectancy (ALE) — is conservatively represented individually, safeguard by safeguard, and collectively. The collective safeguard cost/benefit is represented first, threat by threat with applicable selected safeguards; and, second, showing the overall integrated risk for all threats with all selected safeguards applied. This may be illustrated as follows:

Safeguard1 --> Vulnerability1-->n --> Threat1-->n

One safeguard may mitigate one or more vulnerabilities to one or more threats. A generalization of each of the three levels of calculation is represented below:

1.  For the single safeguard — A single safeguard may act to reduce risk for a number of threats. For example, a contingency plan will contain the loss for disasters by facilitating a timely recovery. The necessary calculation includes the integration of all affected threats’ risk models before the safeguard is applied less their integration after the safeguard is applied to define the gross risk reduction benefit. Finally, subtract the safeguard’s average annual cost to derive the net annual benefit.


where:
RB(T) = the risk model for threats1-nbefore the safeguard is applied
RA(T) = the risk model for threats1-nafter the safeguard is applied
GRRB = Gross Risk Reduction Benefit
NRRB = Net Risk Reduction Benefit
SGAAC = Safeguard Average Annual Cost

This information is useful in determining whether individual safeguards are cost effective. If the net risk reduction benefit is negative, the benefit is negative, i.e., not cost effective.
2.  For the single threat — Any number of safeguards may act to reduce risk for any number of threats. It is useful to determine, for each threat, how much the risk for that threat was reduced by the collective population of safeguards selected that act to reduce the risk for the threat. Recognize at the same time that one or more of these safeguards may act as well to reduce the risk for one or more other threats.

[(AALEB - AALEA = GRRB) -SGAACSG1-n] = NRRB


where:
AALEB = Average Annual Loss Expectancy before safeguards
AALEA = Average Annual Loss Expectancy after safeguards

In this case, NRRB refers to the combined benefit of the collective population of safeguards selected for a specific threat. This process should be executed for each threat addressed. Still, these two processes alone should not be regarded as definitive decision support information. There remains the very real condition that the collective population of safeguards could reduce risk very effectively for one major threat while having only a minor risk-reducing effect for a number of other threats relative to their collective SGAAC. In other words, if looked at out of context, the selected safeguards could appear, for those marginally affected risks, to be cost prohibitive — their costs may exceed their benefit for those threats. Therefore, the next process is essential to an objective assessment of the selected safeguards overall benefits.
3.  For all threats — The integration of all individual threat risk models for before selected safeguards are applied and for after selected safeguards are applied shows the gross risk reduction benefit for the collective population of selected safeguards as a whole. Subtract the average annual cost of the selected safeguards, and the net risk reduction benefit as a whole is established. This calculation will generate a single risk model that accurately represents the combined effect of all selected safeguards in reducing risk for the array of affected threats. In other words, an executive summary of the expected results of proposed risk reduction measures is generated.


Previous Table of Contents Next



The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version are covering, however it is one of the best tool you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.