Handbook of Information Security Management:Risk Management and Business Continuity Planning



Threat Analysis

In manual approaches and some automated tools, the analyst must determine what threats to consider in a particular risk assessment. Since there is not, at present, a standard threat population and readily available threat statistics, this task can require a considerable research effort. Of even greater concern is the possibility that a significant local threat could be overlooked and associated risks inadvertently accepted. Worse, it is possible that a significant threat is intentionally disregarded.

The best automated tools currently available include a well-researched threat population and associated statistics. Using one of these tools virtually assures that no relevant threat is overlooked and, as a consequence, that no associated risk is accepted without ever having been examined. If, however, a determination has been made not to use one of these leading automated tools and instead to do the threat analysis independently, there are good sources for a number of threats, particularly for all natural disasters, fire, and crime (oddly enough, not so much for computer crime), even falling aircraft. Also, the console log is an excellent source for in-house experience of system development, maintenance, operations, and other events that can be converted into useful threat event statistics with a little tedious review. Finally, in-house physical and logical access logs, assuming such are maintained, can be a good source of related threat event data.
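The conversion of console-log entries into threat event statistics mentioned above is mechanical once the log has been classified. The following is an added example, not from the handbook or from any risk assessment tool: it parses a small constructed console log (the line format, the event-class codes HW/OPS/SEC and the mapping from those codes to threat names are all assumptions for illustration), counts events per threat over an observation window, and derives an annual rate of occurrence for each threat, which is the figure a risk assessment actually consumes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample console-log lines; the format and class codes are assumptions,
# not a real system's log layout. Two years of operation, 1996-1997.
SAMPLE_LOG = """\
1996-01-14 02:11 HW  disk unit 3 unrecoverable read error, volume offline
1996-03-02 09:40 OPS batch job ACCT42 abended, rerun from checkpoint
1996-05-19 22:05 HW  controller 1 power supply failure
1996-07-07 13:30 SEC 14 consecutive failed logons for userid PAYROLL
1996-09-11 04:12 OPS operator mounted wrong tape, restore restarted
1997-02-23 17:55 HW  disk unit 3 unrecoverable read error, volume offline
1997-11-30 08:20 SEC 31 consecutive failed logons for userid PAYROLL
SYSTEM IPL COMPLETE
"""

# Hypothetical mapping from the log's event-class code to a named threat in
# the threat population. Anything unmapped is kept visible as "unclassified"
# so that an unexpected event class is not silently dropped from the statistics.
THREAT_BY_CLASS = {
    "HW": "hardware failure",
    "OPS": "operator error",
    "SEC": "logical access attempt",
}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\w+)\s+(.*)$")


def parse_events(text):
    """Return a list of (timestamp, class_code, message) for each event record.

    Lines that do not match the record layout (banners, informational
    messages) are skipped rather than treated as threat events.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, time, cls, msg = m.groups()
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M")
        events.append((ts, cls, msg))
    return events


def annualized_rates(events, start, end):
    """Map each threat to (event count, annual rate of occurrence).

    Only events inside the half-open window [start, end) are counted, and the
    rate is normalised by the window length in years, so a short log does not
    masquerade as a long one. The window must have positive length.
    """
    years = (end - start).days / 365.25
    if years <= 0:
        raise ValueError("observation window must have positive length")
    counts = Counter()
    for ts, cls, _msg in events:
        if start <= ts < end:
            counts[THREAT_BY_CLASS.get(cls, "unclassified")] += 1
    return {threat: (n, n / years) for threat, n in counts.items()}


def sample_rates():
    """Worked run over the constructed log: 1996-01-01 up to 1998-01-01."""
    events = parse_events(SAMPLE_LOG)
    return annualized_rates(events, datetime(1996, 1, 1), datetime(1998, 1, 1))


if __name__ == "__main__":
    for threat, (count, rate) in sorted(sample_rates().items()):
        print(f"{threat:25s} events={count}  annual rate={rate:.2f}")
```

The annual rate is what later feeds the loss-expectancy arithmetic of a quantitative assessment; the count is kept alongside it so that a reviewer can see when a rate rests on only one or two observations and should not be trusted without corroboration from external statistics.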

But, gathering this information independently, even for the experienced risk analyst, is no trivial task. Weeks, if not months, of research and calculation will be required, and, without validation, results may be less than credible. For those determined to proceed independently, the following list of sources, in addition to in-house sources previously mentioned, will be useful:

Fire — National Fire Protection Association (NFPA)
Flood, all categories — National Oceanic and Atmospheric Administration (NOAA) and local Flood Control Districts
Tornado — NOAA
Hurricane — NOAA and local Flood Control Districts
Windstorms — NOAA
Snow — NOAA
Icing — NOAA
Earthquakes — U.S. Geological Survey (USGS) and local university geology departments
Sinkholes — USGS and local university geology departments
Crime — FBI and local law enforcement statistics, and your own in-house crime experience, if any
Hardware failures — vendor statistics and in-house records

Until an independent Threats Research Center is established, it will be necessary to rely on automated risk assessment tools, or vendors, or your own research for a good threat population and associated statistics.

Asset Identification and Valuation

While all assets may be valued qualitatively, such an approach is useless if there is a need to make well-founded budgetary decisions. Therefore, this discussion of asset identification and valuation will assume a need for the application of monetary valuation. There are two general categories of assets relevant to the assessment of risk in the IT environment: tangible assets, and intangible assets.

Tangible Assets

The tangible assets include the IT facilities, hardware, media, supplies, documentation, and IT staff budgets that support the storage, processing, and delivery of information to the user community. The value of these assets is readily determined, typically, in terms of the cost of replacing them. If any of these are leased, of course, the replacement cost may be nil, depending on the terms of the lease.

Sources for establishing these values are readily found in the associated asset management groups, i.e., facilities management for replacement value of the facilities, hardware management for the replacement value for the hardware — from CPUs to controllers, routers and cabling, annual IT staff budgets for IT staff, etc.

Intangible Assets

The intangible assets, which might be better characterized as Information Assets, are comprised of two basic categories: replacement costs for data and software, and the value of the confidentiality, integrity, and availability of information.

Note that software, as an intellectual property with no physical presence beyond the media upon which it resides, is regarded as an intangible asset.

Replacement Costs. Estimating the replacement cost of data is not usually complicated unless source documents don’t exist or are not reliably backed up at a secure off-site location. The bottom line is that “x” amount of data represents “y” key strokes — a time-consuming, but readily measurable, manual key entry process.

Conceivably, source documents can now be electronically “scanned” to recover lost electronically stored data. Clearly, scanning is a more efficient process, but it is still time-consuming. However, if neither source documents nor off-site backups exist, actual replacement may become virtually impossible, and the organization faces the question of whether such a condition can be tolerated. If, in the course of the assessment, this condition is found, the real issue is that the information is no longer available, and a determination must be made as to whether such a condition can be overcome without bankrupting the private sector organization or irrevocably compromising a government mission.

