Analyzing a Simple Scenario

We’ve covered a lot of ground, and it can be difficult to pull all of these concepts together until you’ve had an opportunity to use them. This section takes us through a simple risk scenario – providing an opportunity to kick the tires, so to speak.

The Scenario

A Human Resources (HR) executive within a large bank has his username and password written on a sticky-note stuck to his computer monitor. These authentication credentials allow him to log onto the network and access the HR applications he’s entitled to use.
Before we get started, think to yourself how you’d rate the level of risk within this scenario based upon the assessments you’ve seen or done in the past.

The Analysis

The simplified process we’ll use in this example consists of ten steps in four stages:

Stage 1 – Identify scenario components

  • Identify the asset at risk
  • Identify the threat community under consideration

Stage 2 – Evaluate Loss Event Frequency (LEF)

  • Estimate the probable Threat Event Frequency (TEF)
  • Estimate the Threat Capability (TCap)
  • Estimate Control strength (CS)
  • Derive Vulnerability (Vuln)
  • Derive Loss Event Frequency (LEF)

Stage 3 – Evaluate Probable Loss Magnitude (PLM)

Stage 4 – Derive and articulate Risk

  • Derive and articulate Risk

(Note that we’ve made a Basic Risk Assessment Guide available for download here; it documents these steps and can act as a kind of worksheet.)
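As an added worked example (not part of the original article or the Guide), the derivation chain above expressed as ordinal arithmetic in Python. The five-point VL..VH scale and the three combination rules are simplifying assumptions standing in for the Guide's lookup tables, and the ratings fed in for the sticky-note scenario are constructed, not the author's.

```python
SCALE = ["VL", "L", "M", "H", "VH"]  # very low .. very high, ordinal rank 0..4
MID = SCALE.index("M")

def rank(rating: str) -> int:
    """Ordinal rank of a rating; reject anything outside the scale."""
    if rating not in SCALE:
        raise ValueError(f"unknown rating {rating!r}, expected one of {SCALE}")
    return SCALE.index(rating)

def level(r: int) -> str:
    """Clamp an ordinal rank back onto the five-point scale."""
    return SCALE[max(0, min(len(SCALE) - 1, r))]

def derive_vuln(tcap: str, cs: str) -> str:
    # ASSUMED rule: equal TCap and CS give M; Vuln rises one level for each level
    # the threat's capability exceeds control strength, and falls likewise.
    return level(MID + rank(tcap) - rank(cs))

def derive_lef(tef: str, vuln: str) -> str:
    # ASSUMED rule: how often attempts occur (TEF) combined with how often they
    # succeed (Vuln); M and M give M, each level away from M shifts LEF by one.
    return level(rank(tef) + rank(vuln) - MID)

def derive_risk(lef: str, plm: str) -> str:
    # ASSUMED rule: the same additive combination of loss frequency and magnitude.
    return level(rank(lef) + rank(plm) - MID)

def analyze(asset: str, community: str, tef: str, tcap: str, cs: str, plm: str) -> dict:
    """Stages 1-4 in order; every intermediate is returned so the result is auditable."""
    vuln = derive_vuln(tcap, cs)                 # Stage 2, derived from TCap and CS
    lef = derive_lef(tef, vuln)                  # Stage 2, derived from TEF and Vuln
    return {"asset": asset, "threat_community": community, "TEF": tef, "TCap": tcap,
            "CS": cs, "Vuln": vuln, "LEF": lef, "PLM": plm, "Risk": derive_risk(lef, plm)}

if __name__ == "__main__":
    # Constructed ratings for the sticky-note scenario (illustrative, not the author's):
    # credentials in plain view need little capability to use (TCap H) and the
    # control meant to protect them is effectively absent (CS VL).
    before = analyze("HR applications and their data", "people with physical access to the desk",
                     tef="M", tcap="H", cs="VL", plm="H")
    # Same scenario once the note is gone and a stronger control is in place (CS H).
    after = analyze(before["asset"], before["threat_community"], tef="M", tcap="H", cs="H", plm="H")
    for tag, result in (("before", before), ("after", after)):
        print(tag, {k: result[k] for k in ("Vuln", "LEF", "Risk")})
```

Because every intermediate is returned, two analysts can compare not just the final rating but exactly which step (TCap, CS, TEF or PLM) they rated differently.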
