Many information technology (IT) decision makers assume that performing a security vulnerability assessment is the same thing as risk analysis. However, these two processes are very different. Performing a security vulnerability assessment helps you determine what the existing holes and vulnerabilities are in your systems and networks at single moment in time.

A good security vulnerability assessment service will deliver a comprehensive report that includes detailed information about what exploits and possible threats your systems and networks are vulnerable to, and will rank these exploits and threats according to their risk levels. It should also include information about the exploits and threats, specifically naming them and describing how they work, and also provide recommendations for mitigating actions.

A risk analysis, in the classical sense, is a process that an organization goes through to determine their risk exposure. Risk is the possibility that damage could happen to a business or organization. The goal of a risk analysis is to determine the probability of potential risks, in order to integrate financial objectives with security objectives.

Differentiating Scanning from Risk Analysis
There are many system and network security scanners that have the word "risk" in their product names. However, what differentiates network and system security risk assessment tools from classical risk analysis tools is whether or not the tool has the capability of calculating loss metrics and financial metrics. The most commonly used loss metric is Annualized Loss Expectancy (ALE). ALE was developed in 1979 by the National Bureau of Standards. The National Bureau of Standards was absorbed into the National Institute of Standards and Technology (NIST) in the mid-80s. Financial metrics typically used to measure loss include cost of risk mitigation (the cost of implementing safeguards), return on investment, and cost benefit analysis.

How Risk Analyis Works

The three primary steps to performing a risk analysis include:

• Identifying the risks
• Determining the impact of the threats
• Balancing the impact of the threats with safeguards

In identifying the risks, clearly it's necessary to determine what is at risk. There are three risk categories that I suggest IT decision-makers focus on in performing a risk analysis:

• Asset risks
• Mission risks
• Security risks

Assets are physical or tangible items that have a financial value associated with them. Missions are functions, jobs, or tasks that need to be performed. Security is the ability to keep safe the missions and the assets, and really is a specialized mission. However, I like to list security separately, to emphasize its importance, and how it integrates with both assets and missions.

When you determine the security risk exposure, you are determining the vulnerabilities that exist that have the potential to cripple people, data, or other assets. When you determine the mission exposure, you are determining the vulnerabilities that exist that have the potential to prevent an organization from accomplishing its chartered mission. When you determine the asset risk, you are determining the vulnerabilities that exist that have the potential to harm a business's physical or tangible assets.

Threats are what subject an organizations assets and missions to risk. When you consider threats, you need to determine the probability of their occurrence, and also the severity of how bad they will be if they occur. In order to manage threats, you need to be able to measure risks. As was noted earlier, risk is the possibility of loss, and you need to be able to assign a numerical value to that possibility to determine your risk exposure.

Probability, Severity, and Calculations
Best practices and standards have been established to calculate risk exposure. To calculate risk exposure, two variables P(L) and S(L) are used. P(L) is the probability of loss, and it is a threat frequency value. S(L) is the severity of the potential loss. By factoring these two components together, we can determine a risk exposure numeric. To summarize:

P (L) = the probability of the potential loss

S (L) = the severity of the potential loss

R (E) = the total risk exposure

P (L) x S (L) = R (E)

Typically P (L) is normalized for a particular geographic location. For example, the threat of a hurricane is much great in Florida than in Illinois. When we normalize P (L) for a particular geographic location, we use what is known as LAFE and SAFE. LAFE stands for Local Annual Frequency Estimate, and SAFE stands for Standard Annual Frequency Estimate. LAFE is typically applied to the exact location of a risk, e.g. Pensacola, Florida. SAFE is applied to a much bigger geographic area such as North America.

The reduction in value of an asset from one threatening incident is called the Single Loss Expectancy (SLE). SLE is resulting value after a threat has been applied. Another way of understanding SLE is that it is current value (after the threat has been applied) subtracted from the total cost of ownership. To summarize:

SLE = Original Total Cost of Ownership - Remaining Value

Doing the Math
Let's calculate a sample SLE and see how we turn these concepts into money. If the value of say an ERP database is $100,000, and a hacker breaks into the system and destroys 80% of it, the value has been reduced by $80,000. In this particular example, the SLE would be $80,000 calculated as follows:

$80,000 = $100,000 - $20,000

To calculate the Annual Loss Expectancy (ALE) of an organization, you calculate the individual component SLE values and multiply them by P (L). Since LAFE and SAFE are more precise ways of using P (L) values, you typically multiply SLE values by LAFE or SAFE. To summarize:

ALE = P (L) x SLE

LAFE and SAFE are types of probability values, so therefore the following equations are true:

ALE = SAFE x SLE

ALE = LAFE x SLE

Annualized Rates of Occurrence
In the risk analysis industry, LAFE and SAFE are often referred to as Annualized Rates of Occurrence (AROs). In calculating risk exposure, some experts use other types of AROs, but almost all the leading risk analysis tools use LAFE or SAFE. LAFE and SAFE are typically represented as decimal values and are rational numbers. A rational number is a number that can be expressed equivalently as a fraction. Typically SAFE values are determined, and then normalized to product LAFE values.

A threat that occurs once every 10 years would have a SAFE value of .1 since 1/10 = .1 .

Common SAFE values are listed in the below table:

Threat Frequency Values
SAFE Value	Frequency of Occurence
0.01	Once Every 100 Years
0.02	Once Every 50 Years
0.1	Once Every 10 Years
0.2	Once Every 5 Years
0.5	Once Every 2 Years
1	Once Every Year
10	10 Times a Year
20	20 Times a Year

Table 1. Threat Frequency Values

In our earlier database example, if the probability exists that a hacker will destroy 80% of a database occurs once every two years, our SLE equation is as follows:

SLE = .5 x $80,000

SLE = $40,000

$40,000 is how much this sample company can expect to lose each year. Now we have some real numbers to work with to figure out how much to spend on safeguards. If there is a way to protect this database, what the company might want to know is how much to spend on protecting it year after year. Should they spend $10,000 on an intrusion prevention system? Or should they spend $100,000 on an intrusion prevention system, a new firewall, a package to secure the TCP/IP stack, and an extra systems administrator?

How much should this company spend, and what should they spend it on to secure this database? That is the magic question that the CIO will be called upon to answer. The issue becomes more complex when SLEs for numerous assets and technologies are calculated and added up into a bigger ALE. When trying to figure out how much to spend on safeguards to mitigate the threat, you need to take into consideration the entire organization since it is possible that one firewall, or one intrusion prevention system might mitigate multiple threats and protect multiple assets.

The good news is that there some excellent tools to assist risk analysis experts and CIOs in determining the answers to these financial questions. These tools are not well known, but offer very advanced capabilities in guiding you through the risk analysis process. Unfortunately, they are not as simple to use as system and network security scanners. A comprehensive risk analysis process is time-consuming, and requires detailed financial analysis of an entire business. But if you want to know the answers to how much to spend on safeguards, which safeguards to implement, there is no better process.

The Right Tools for the Job
The three leading tools in the risk analysis market segment are RiskWatch, RiskPAC, and RiskCheck. I have examined all of these tools in depth, and they offer excellent capabilities in leading you IT decision makers through the risk analysis process. These tools are survey driven, and typically require the dedication of an expert project manager to drive the project to completion. The project manager needs to be sure that the respondents that are inputting the detailed asset, threat, and safeguard information are not skewing the values. Some respondents to the surveys these tools generate may try to skew the values to make it look like their assets are not at risk, anticipating high-risk levels with management incompetence. The dedicated project leader needs the full support of the executive management team in order to get the cooperation necessary to obtain the results of the risk analysis.

To find out more about these tools, visit the web sites of the company's that make them.

RiskWatch http://www.riskwatch.com

RiskPAC http://www.csciweb.com

RiskCheck http://www.norman.no/organization.shtml

You can naturally calculate risk analysis metrics manually. However, using the proper tool to guide you through the process will greatly increase your ability to actually generate a successful risk analysis report that everyone can understand.