Chapter 2 ■ Personnel Security and Risk Management Concepts
Numerous factors are involved in calculating the value of a countermeasure:
■ Cost of purchase, development, and licensing
■ Cost of implementation and customization
■ Cost of annual operation, maintenance, administration, and so on
■ Cost of annual repairs and upgrades
■ Productivity improvement or loss
■ Changes to environment
■ Cost of testing and evaluation
Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that safeguard if applied to an infrastructure. As mentioned earlier, the annual cost of safeguards should not exceed the expected annual cost of asset loss.
Calculating Safeguard Cost/Benefit
One of the final computations in this process is the cost/benefit calculation or cost/benefit analysis to determine whether a safeguard actually improves security without costing too much. To make the determination of whether the safeguard is financially equitable, use the following formula:
ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company
If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, that value is the annual savings your organization may reap by deploying the safeguard. The savings are potential rather than guaranteed, because the annualized rate of occurrence is an estimate of how often the threat event is expected, not a guarantee that it will occur.
The annual savings or loss from a safeguard should not be the only consideration when evaluating safeguards. You should also consider the issues of legal responsibility and prudent due care. In some cases, it makes more sense to lose money in the deployment of a safeguard than to risk legal liability in the event of an asset disclosure or loss.
In review, to perform the cost/benefit analysis of a safeguard, you must calculate the following three elements:
■ The pre-countermeasure ALE for an asset-and-threat pairing
■ The post-countermeasure ALE for an asset-and-threat pairing
■ The ACS (annual cost of the safeguard)
With those elements, you can finally obtain a value for the cost/benefit formula for this specific safeguard against a specific risk against a specific asset:
(pre-countermeasure ALE – post-countermeasure ALE) – ACS
Or, even more simply:
(ALE1 – ALE2) – ACS
The countermeasure with the greatest resulting value from this cost/benefit formula makes the most economic sense to deploy against the specific asset-and-threat pairing.
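As an added worked example (not from the book), the following Python carries the (ALE1 – ALE2) – ACS computation through for several candidate safeguards against one asset-and-threat pairing and ranks them, while still deploying anything the organization is legally obliged to have even when its value is negative. It assumes the standard quantitative definitions SLE = AV × EF and ALE = SLE × ARO introduced earlier in the chapter, and, as its own assumption, spreads the one-time cost components (purchase, implementation, testing) evenly over the safeguard's service life to obtain an annual figure. The asset value, exposure factors, rates of occurrence, safeguard names and cost figures are constructed for illustration.

```python
"""Quantitative safeguard cost/benefit: (ALE1 - ALE2) - ACS."""
from dataclasses import dataclass


@dataclass
class SafeguardCost:
    """Cost components of a countermeasure, split into one-time and recurring.

    Assumption (not stated in the text): one-time costs are spread evenly over
    the safeguard's expected service life to arrive at an annual cost.
    """
    purchase: float             # one-time: purchase, development, licensing
    implementation: float       # one-time: implementation and customization
    testing: float              # one-time: testing and evaluation
    annual_operation: float     # yearly: operation, maintenance, administration
    annual_repairs: float       # yearly: repairs and upgrades
    annual_productivity: float  # yearly: productivity loss (>0) or gain (<0)
    annual_environment: float   # yearly: changes to the environment
    service_life_years: int = 3

    def acs(self) -> float:
        """Annual cost of the safeguard (ACS)."""
        one_time = self.purchase + self.implementation + self.testing
        recurring = (self.annual_operation + self.annual_repairs
                     + self.annual_productivity + self.annual_environment)
        return one_time / self.service_life_years + recurring


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return sle(asset_value, exposure_factor) * aro


@dataclass
class Safeguard:
    name: str
    cost: SafeguardCost
    ef_after: float                # exposure factor once the safeguard is in place
    aro_after: float               # annualized rate of occurrence once in place
    required_by_law: bool = False  # due care / legal liability overrides the money


def safeguard_value(asset_value, ef_before, aro_before, sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS for one safeguard against one asset/threat pairing."""
    ale1 = ale(asset_value, ef_before, aro_before)          # pre-countermeasure
    ale2 = ale(asset_value, sg.ef_after, sg.aro_after)      # post-countermeasure
    return (ale1 - ale2) - sg.cost.acs()


def rank_safeguards(asset_value, ef_before, aro_before, safeguards):
    """Highest cost/benefit value first; a negative value means a net loss."""
    scored = [(sg.name, safeguard_value(asset_value, ef_before, aro_before, sg))
              for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_safeguards(asset_value, ef_before, aro_before, safeguards):
    """Deploy anything legally required; otherwise only positive-value safeguards."""
    return [sg.name for sg in safeguards
            if sg.required_by_law
            or safeguard_value(asset_value, ef_before, aro_before, sg) > 0]


# Constructed sample: a $1,000,000 asset facing a threat with EF 0.3 and ARO 0.5,
# so ALE1 = 1,000,000 * 0.3 * 0.5 = 150,000 per year before any safeguard.
ASSET_VALUE = 1_000_000.0
EF_BEFORE = 0.3
ARO_BEFORE = 0.5

CANDIDATES = [
    # cuts the damage per event (EF) but not how often it happens (ARO)
    Safeguard("offsite backups",
              SafeguardCost(30_000, 15_000, 6_000, 12_000, 3_000, 2_000, 1_000),
              ef_after=0.05, aro_after=0.5),
    # cuts frequency only, and is expensive enough to have negative value,
    # but is (hypothetically) mandated by regulation
    Safeguard("hardened storage array",
              SafeguardCost(300_000, 60_000, 0, 30_000, 0, 0, 0),
              ef_after=0.3, aro_after=0.1, required_by_law=True),
    # moderate reduction of both EF and ARO, mostly recurring cost
    Safeguard("managed monitoring",
              SafeguardCost(9_000, 0, 0, 50_000, 5_000, 5_000, 0),
              ef_after=0.1, aro_after=0.25),
]

if __name__ == "__main__":
    print(f"ALE1 = {ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{name:24s} value = {value:,.0f}")
    print("deploy:", select_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES))
```

Run stand-alone it ranks "offsite backups" (90,000) above "managed monitoring" (62,000), with "hardened storage array" at −30,000; the selection still includes the storage array because it is flagged as required, which is the due-care override the text describes. Note that the ranking compares safeguards only for this one asset-and-threat pairing; a safeguard that also reduces other risks would need its value summed across those pairings before comparison.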
Table 2.1 illustrates the various formulas associated with quantitative risk analysis.
Understand and Apply Risk Management Concepts