1. BÜROTEX GmbH
Vishal Sharma
Information Security
Consultant/Solution Developer

2. RISK
It is the uncertainty of outcome whether
positive opportunity or negative threat.
Some commonly Known terms:
 Asset : It is something which should be protected
 Asset Valuation: It is a value assigned to an asset
based on actual cost and nonmonetary expenses

3.  Threats : Any occurrence that could cause an undesirable
or unwanted outcome for an organization for a specific threat
 Vulnerability: The absence of weakness of a safeguard
or countermeasure
 Exposure: It is being susceptible to asset loss because of
a threat

4.  Safeguard: A safeguard or a countermeasure, is
anything that removes a vulnerability
 Attack: An exploitation of a vulnerability by a threat
agent
 Breach : The occurrence of a security mechanism being
bypassed

5. Threats
• Exploits
Assets Vulnerabilities
• Whch are • Which
endangered
results in
by
Safeguard
Exposure
• Which
• Which is
protects
Risk
• Which is
mitigated
by

6. Factors for Asset Valuation:
 Purchase Cost
 Development Cost
 Administrative Cost
 Maintaining or Upkeep Cost
 Cost in Acquiring asset
 Cost to protect or sustain asset
 Value to Owners and users

7.  Value to Competitors
 Intellectual property or equity Value
 Market valuation
 Replacement Cost
 Productivity enhancement or degradation
 Operational cost of asset presence and Loss
 Liability of asset loss
 Usefulness

8. Next logical step is to calculate Threats:
 Viruses
 Cascade errors and Dependency Faults
 Criminal activities by authorized users
 Movements
 Intentional Attacks
 Reorganization

9.  Authorized user illness
 Hackers
 User errors
 Natural Disasters
 Physical Damage
 Misuse of data, resource, or services
 Changes or compromises to data
classification or security policies
 Government, political, or military intrusions
or restrictions

10.  Processing errors, buffer overflows
 Personal privilege abuse
 Temperature extremes
 Energy anomalies
 Loss of data
 Information Warfare
 Bankruptcy or alteration/ interruption of
business activity

11.  Coding/programming errors
 Intruders
 Environmental factors
 Equipment Failures
 Physical Theft
 Social Engineering

12. Risk Analysis
 Quantitative : It results in Concrete Probability
Percentage
 Qualitative: This is more scenario based, it requires:
Brainstorming
Delphi Technique

13.  Story boarding
 Focus groups
 Surveys
 Questionnaires
 Checklists
 One-on-one Meetings
 Interviews

14. Quantative Analysis, major steps involved:
 Countermeasures for each threat
 Calculate the changes to Aro and ALE based on
applied counter measure
 Perform a cost benefit analysis of each counter
measure for each asset

15.  AV : Inventory assets and sign a Value
 EF : Calculate exposure factors, possible threat
of each individual asset
 SLE: Single Loss Expectancy,
 ARO: Annualized rate of occurrence
 ALE: Annualized Loss expectancy

16. Cost Functions
 Exposure factors : % loss, if specific asset were
violated by a realized risk
 SLE : AV*EF
 ARO : It could be derived from historical records,
statistical analysis or guess work. Basically it‘s a
probability determination
 ALE : SLE*ARO

17.  ACS : Annual cost of safeguard, € per year, which
involves following factors:
Cost of purchase, development and licensing
Cost of implementation and customization
Cost of annual operation, maintenance, administration and
so on
Cost of annual repairs and upgrades

18. Productivity improvement or loss
Changes to environment
Cost of testing and evaluation
 Value or benefit of a safe guard: =(ALE1-ALE2) – ACS

19. Note :
Value of safeguard to the Company =
(ALE before Safegaurd –
ALE after implementing safeguard) –
(Annual cost of Safeguard)

20. Thank You