Quantify Damage (Impact)
Step 8 in the recommended risk assessment process is "Quantify damage". This page expands on that step.
When quantifying impact, consider the business use of the system in question and how critical it is to the business function. Consider also the need for access to the data, the need for data confidentiality and integrity, and the potential damage if any of these is compromised.
Here are some example damage categories. The choice of categories is up to the organization.
- Critical - high damage (other descriptions may include crucial, serious, severe, essential) - Death or critical loss that would seriously disrupt the business.
- Important - medium damage - Injury or loss that disrupts the business.
- Standard - low damage - Minor injury or temporary loss of service that has minimal effect on business operations.
- Common - no to minimal damage - Temporary service loss or loss of data that requires minor administrative action to remedy.
Types of loss an incident may cause include:
- Loss, unauthorized modification, or destruction of data.
- Disclosure of sensitive information.
- Accidental modification or destruction of data.
- Loss or degradation of service.
- Loss of life.
- Destruction of property.
- Loss of or damage to equipment.
- Loss of business opportunity.
- Loss of sensitive information.
- Loss of money.
- Loss of revenue due to the incident, such as loss of sales.
- Loss of productivity.
- Loss of staff time to fix the problem.
- Damage to reputation.
To calculate cost per incident, rather than using only the exact asset value of the equipment, calculate the total damage done per incident, including all costs such as damage to equipment and loss of productivity, and use that as the asset value. Each type of loss per incident should be quantified and summed to give the total loss per incident.
These examples are not intended to be complete; they only give a feel for damage estimates. The values do not reflect actual probable loss and in no way indicate that one security control or vulnerability is more important than another.
| Threat | Likelihood (per object, per year) | Objects threat is against | Total probability (per year) | Controls that reduce the risk | Damage per incident |
|---|---|---|---|---|---|
| Workstation hard drive failure | 10% | 400 workstations | 40 per year | Backups | $100 for drive + $200 productivity loss |
| Server hard drive failure | 10% | 10 servers | 1 per year | RAID drives and backups | $300 for drive + $200 to restore operation |
| Virus incidents | 15% | 400 | 60 per year | User education, block dangerous email attachments | $100 to fix + $100 loss of productivity + 50% chance of loss of data valued at $500 |
| Server hack | 7% | 10 servers | 70% | Faster updates, additional monitoring, intrusion detection/prevention software, stronger auditing, incident response | $500 to fix + 50% chance of loss of data valued at $5000 |
| Theft of laptop | 5% | 30 | 1.5 per year | Encrypt data on laptops | $2000 loss of equipment + 50% chance of loss of data valued at $1000 |
| Loss of data confidentiality through wireless sniffing | 1% | 1 network | 1% | Limit wireless use to approved technologies through strong policies | 30% chance of loss of data valued at $1000 |
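As an added example (not code from the original page), the per-incident and per-year arithmetic described above, applied to the table's illustrative values: expected incidents = likelihood x objects, damage per incident = certain costs + (chance of data loss x data value), and annual loss = the product of the two. The `control_reduction` fraction in `residual_annual_loss` is an assumed input, since the page names controls but gives no figure for how much each reduces the risk; the ranking only shows the arithmetic, not which control matters more.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the damage table (values are the page's illustrative figures)."""
    name: str
    likelihood: float               # chance per object per year, e.g. 0.10 for 10%
    objects: int                    # number of objects the threat is against
    fixed_damage: float             # certain cost per incident (repair, restore, productivity)
    data_loss_chance: float = 0.0   # probability that an incident also loses data
    data_value: float = 0.0         # value of the data that would be lost

    def incidents_per_year(self) -> float:
        # "Total probability" column: per-object likelihood times object count
        return self.likelihood * self.objects

    def damage_per_incident(self) -> float:
        # Certain costs plus the expected value of the probabilistic data loss
        return self.fixed_damage + self.data_loss_chance * self.data_value

    def annual_loss(self) -> float:
        # Expected loss per year = expected incidents x damage per incident
        return self.incidents_per_year() * self.damage_per_incident()


# Constructed from the table rows on the page; names are shortened
THREATS = [
    Threat("Workstation hard drive failure", 0.10, 400, 100 + 200),
    Threat("Server hard drive failure", 0.10, 10, 300 + 200),
    Threat("Virus incidents", 0.15, 400, 100 + 100, 0.5, 500),
    Threat("Server hack", 0.07, 10, 500, 0.5, 5000),
    Threat("Theft of laptop", 0.05, 30, 2000, 0.5, 1000),
    Threat("Wireless sniffing", 0.01, 1, 0, 0.3, 1000),
]


def rank_by_annual_loss(threats):
    """Order threats by expected annual loss, largest first."""
    return sorted(threats, key=lambda t: t.annual_loss(), reverse=True)


def residual_annual_loss(threat, control_reduction):
    """Expected annual loss after a control that removes a fraction of it.
    control_reduction (0.0 to 1.0) is a hypothetical input, not a page value."""
    return threat.annual_loss() * (1.0 - control_reduction)


if __name__ == "__main__":
    for t in rank_by_annual_loss(THREATS):
        print(f"{t.name:32} {t.incidents_per_year():6.2f}/yr  ${t.annual_loss():,.0f}/yr")
```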