Information Security Risk Assessment Toolkit by Mark Talabis & Jason Martin

Information Security Risk Assessment Toolkit by Mark Talabis & Jason Martin

Author:Mark Talabis & Jason Martin
Language: eng
Format: epub
ISBN: 9781597499750
Publisher: Elsevier Inc.
Published: 2012-10-23T16:00:00+00:00

Chapter 4

Information Security Risk Assessment: Data Analysis

Information in this chapter:

• Introduction

• Compiling Observations from Organizational Risk Documents

• Preparation of Threat and Vulnerability Catalogs

• Overview of the System Risk Computation

• Designing the Impact Analysis Scheme

• Designing the Control Analysis Scheme

• Designing the Likelihood Analysis Scheme

• Putting it Together and the Final Risk Score


In the scope of the overall information security risk assessment project, data analysis is the phase where we start trying to make sense of the collected data. In this phase our focus is on consolidating all of the information that we have gathered through the previous data collection activities. We will then display and summarize the information collected into a form that will allow us to make conclusions, based on the data.

At this point, the assessor will have likely collected quite a bit of data stored in various containers. Depending on the container selected, these could be spreadsheets, databases or even an application containing all the data from your interviews, the application survey, the control survey, and the various security documents and statistics collected. Various techniques such as formulas, decision matrices, and computations will then be applied to this data in order to give the assessor a view that will facilitate the development of findings and conclusions which are ultimately the product of the actual risk analysis. Thus, this phase can be considered as a mid-point between raw data collection and extrapolation of the actual findings and conclusions derived from the data.

The risk assessment framework that the assessor has adopted will heavily influence the techniques involved in data analysis. The various risk assessment frameworks such as OCTAVE, NIST FAIR, and ISO provide various formulas and decision matrices, some more prescriptive than others, to allow for the computation of risk. The results of these computations are the final product for the data analysis phase and will play an important part in our analysis of overall risk. In this chapter, we will be leveraging guidance from the NIST framework to compute for risk since it is one of the most flexible; however, we will provide some discussion about how other frameworks approach this step. While we will be leveraging guidance from NIST to illustrate the process our primary objective is to guide you through a method that will allow you to apply our approach to any given risk assessment framework and should not be read as a “how to” on executing a full NIST aligned assessment.


Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.