P. 28
Safeguard Costs
For each specific risk, one must evaluate one or more safeguards, or countermeasures, on a cost/benefit basis. The value of the protected asset determines the maximum expenditure for protection mechanisms.
Calculating Safeguard Cost/Benefit
To determine whether a safeguard is financially equitable, use the following formula:
(ALE before safeguard) – (ALE after implementing the safeguard) – (annual cost of safeguard, ACS) = value of the safeguard to the company
If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, that value is the annual savings your organization may reap by deploying the safeguard (may, rather than will, because the rate of occurrence is not a guarantee of occurrence).
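The cost/benefit formula above, worked through in code as an added example (not part of the slide deck): it computes the value of each candidate safeguard, rejects those with a negative result, enforces the asset-value ceiling on expenditure, and ranks what remains. The asset value, ALE figures and safeguard names are constructed sample inputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_after: float    # ALE once the safeguard is in place
    annual_cost: float  # annual cost of safeguard (ACS)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """ALE before - ALE after - ACS = value of the safeguard to the company."""
    return ale_before - ale_after - annual_cost


def is_financially_responsible(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Negative result: not a financially responsible choice. Positive: annual savings."""
    return safeguard_value(ale_before, ale_after, annual_cost) > 0


def within_spending_ceiling(asset_value: float, annual_cost: float) -> bool:
    """The value of the protected asset caps what may be spent protecting it."""
    return annual_cost <= asset_value


def rank_safeguards(asset_value: float, ale_before: float,
                    candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, value) for acceptable safeguards, best value first."""
    ranked = []
    for sg in candidates:
        if not within_spending_ceiling(asset_value, sg.annual_cost):
            continue  # exceeds the maximum expenditure for this asset
        value = safeguard_value(ale_before, sg.ale_after, sg.annual_cost)
        if value > 0:
            ranked.append((sg.name, value))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample: one risk, ALE 50,000 per year, against a 200,000 asset.
SAMPLE_ASSET_VALUE = 200_000.0
SAMPLE_ALE_BEFORE = 50_000.0
SAMPLE_CANDIDATES = [
    Safeguard("encryption at rest", ale_after=10_000.0, annual_cost=15_000.0),
    Safeguard("nightly offsite backups", ale_after=20_000.0, annual_cost=8_000.0),
    Safeguard("24x7 guard service", ale_after=5_000.0, annual_cost=48_000.0),
    Safeguard("redundant HSM cluster", ale_after=0.0, annual_cost=250_000.0),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(SAMPLE_ASSET_VALUE, SAMPLE_ALE_BEFORE, SAMPLE_CANDIDATES):
        print(f"{name}: annual value {value:,.0f}")
```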
Qualitative Risk Analysis
Qualitative risk analysis is more scenario based than it is calculator based. It involves
judgment, intuition, and experience. The method of combining quantitative and qualitative
analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid
analysis. One can use many techniques to perform qualitative risk analysis:
• Brainstorming
• Delphi Technique
• Storyboarding
• Focus groups
• Surveys
• Questionnaires
• Checklists
• One-on-one meetings
• Interviews
Determining which mechanism to employ is based on the culture of the organization and
the types of risks and assets involved.
Scenarios
A scenario is a written description of a single major threat. The description focuses on
how a threat would be instigated and what effects its occurrence could have on the
organization, the IT infrastructure, and specific assets.
Delphi Technique
The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.
Risk Assignment/Acceptance
The results of risk analysis are many:
• Complete and detailed valuation of all assets.
• An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized.
• A list of threat-specific safeguards and countermeasures that identifies their effectiveness and ALE.
• A cost/benefit analysis of each safeguard.
ITEC106 – Systems Security Mr. John Mark L. Dula