9/4/2023

Risk probability and effect

The formula doesn't look like a standard risk management formula. While there may be a reason for it, it's likely very organization-specific, and you may want to do a five-whys to understand the goal. Otherwise, I'd push for a more standardized and holistic approach to risk management that matches the organization's approach to overall program/project risk and aligns with their budget and cadence for implementing controls.

I've never seen the particular formula you're referencing, as quantitative risk analysis is most useful when you look at it over a fixed or sliding time window. In cybersecurity in particular, you have some standard risk metrics such as:

- Exposure Factor (EF): This is generally a multiplier representing the impact on the value of an asset from an actualized risk. This multiplier could be a fraction of the AV (e.g. you lose 20% of your customers) or more than AV when there are stiff regulatory penalties (e.g. each customer is worth only $250/year in revenue but the regulatory penalty is $50,000 per customer record compromised).
- Single Loss Expectancy (SLE): The estimated financial cost of a realized risk, where SLE = AV x EF. In other words, this is a business impact analysis (usually expressed as a dollar amount) for an incident.
- Annualized Rate of Occurrence (ARO): The number of loss events you estimate you will experience in any given year.
- Annualized Loss Expectancy (ALE): The estimated amortization of the risk over your time window, defined as ALE = SLE x ARO.

There may be some circumstances when a given risk increases as you get closer to some target date, such as the risk of a movie being pirated increasing during the pre-release period between post-production and theatrical release. Still, I suspect that the right way to look at that is either to consider the Asset Value (AV) as increasing over time, or the Exposure Factor growing higher. In any case, you may want to amortize the risk or impact over a different window than yearly, perhaps replacing ARO with the length of your project/program and just rolling in any increasing AV or EF values by treating the SLE as a range or statistical mean.

Furthermore, (p x i) + t would not really change the calculation much unless you somehow represent t as a very large number. Mathematically, multiplication takes precedence over addition, so the impact of t as presented would only cause a monotonic increase. Unless the idea is to somehow increase your risk management controls in lock-step with this unexplained time-related variable, I don't understand the utility value represented by graphing risk as a linear function of time. Instead, if you really need to do this calculation at all then it might make more sense to think of it as t(p x i) to graph the effect of time on both p and i.
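The SLE/ALE arithmetic from the metrics above, as an added example that is not part of the original post: it keeps EF as a plain multiplier so that the regulatory-penalty case (EF well above 1.0) falls out naturally, amortizes over a program window instead of a single year, and treats SLE as a range when EF is uncertain. The 1,000-customer base, the 20% churn share and the ARO values are constructed inputs; only the $250/year revenue and $50,000/record penalty come from the post.

```python
# Added example, not the post's own code. All numbers are constructed sample
# inputs except the $250/customer/year revenue and $50,000/record penalty
# quoted in the post.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: value of the asset at stake (dollars)
    exposure_factor: float  # EF: share of AV lost per event; may exceed 1.0
    aro: float              # ARO: expected number of loss events per year

    def sle(self) -> float:
        """Single Loss Expectancy for one realized event: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro

    def loss_over_window(self, years: float) -> float:
        """Amortize over the length of a project/program rather than one year."""
        return self.ale() * years

    def sle_range(self, ef_low: float, ef_high: float) -> tuple[float, float]:
        """SLE as a (low, high) range when EF (or AV) may grow over time."""
        return (self.asset_value * ef_low, self.asset_value * ef_high)


def churn_risk(customers: int, revenue_per_customer: float,
               fraction_lost: float, aro: float) -> Risk:
    """EF as a fraction of AV: losing a share of the customer base."""
    return Risk(customers * revenue_per_customer, fraction_lost, aro)


def penalty_risk(customers: int, revenue_per_customer: float,
                 penalty_per_record: float, aro: float) -> Risk:
    """EF above 1.0: a per-record penalty much larger than each customer's revenue."""
    ef = penalty_per_record / revenue_per_customer   # $50,000 / $250 = 200x AV
    return Risk(customers * revenue_per_customer, ef, aro)


if __name__ == "__main__":
    churn = churn_risk(1_000, 250.0, 0.20, aro=0.5)
    breach = penalty_risk(1_000, 250.0, 50_000.0, aro=0.1)
    print(f"churn:  SLE=${churn.sle():,.0f}  ALE=${churn.ale():,.0f}")
    print(f"breach: SLE=${breach.sle():,.0f}  ALE=${breach.ale():,.0f}  "
          f"3-year program: ${breach.loss_over_window(3):,.0f}")
```

The breach case shows why EF is not capped at 1.0: with the post's figures, one compromised record costs 200 times the customer's annual value, so SLE dwarfs AV even before ARO is applied.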