
652    Chapter 11 • Operational and Organizational Security: Incident Response

Assets of a company will generally have multiple risks associated with them. Equipment failure, theft, or misuse can affect hardware, while viruses, upgrade problems, or bugs in the code can affect software. Looking at the weight of importance associated with each asset should help prioritize which assets should be analyzed first, and determine what risks are associated with each.

Once you have determined what assets may be affected by different risks, you then need to determine the probability of a risk occurring. While there may be numerous threats that can affect a company, not all of them are probable. For example, a tornado is highly probable for a business located in Oklahoma City, but not highly probable in New York City. For this reason, a realistic assessment of the risks must be performed.

Historical data can provide information on how likely it is that a risk will become reality within a specific period of time. Research must be performed to determine the likelihood of risks within a locality or with certain resources. By determining the likelihood of a risk occurring within a year, you can determine what is known as the Annualized Rate of Occurrence (ARO).

Information for risk assessment can be acquired through a variety of sources. Police departments can provide crime statistics on areas where facilities are located, allowing the owners to determine the probability of vandalism, break-ins, or dangers potentially encountered by personnel. Insurance companies also provide information on risks faced by other companies, and the amounts paid out when these risks became reality. Other sources may include news agencies, computer incident monitoring organizations, and online resources.

Once the ARO is calculated for a risk, it can be compared to the monetary loss associated with an asset. This is the dollar value that represents how much money would be lost if the risk occurred. This can be calculated by looking at the cost of fixing or replacing the asset. For example, if a router fails on a network, a new one must be purchased and installed. In addition, the company would have to pay for employees who are not able to perform their jobs because they cannot access the network. This means that the monetary loss would include the price of new equipment, the hourly wage of the person replacing the equipment, and the cost of employees unable to perform their work. When the dollar value of the loss is calculated it provides a total cost of the risk, or the Single Loss Expectancy (SLE).

To plan for a probable risk, you need to use the ARO and the SLE to find the Annual Loss Expectancy (ALE). For example, say that the probability of a Web server failing is 30 percent. This would be the ARO of the risk. If the e-commerce site hosted on this server generates $10,000 an hour and the site is estimated to be down two hours while the system is repaired, the cost of this risk is $20,000. In
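The following is an added worked example, not code from the book, that carries the router and Web server calculations above through in Python: the SLE is built up from the loss components the text names (replacement price, the technician's wage, and idle staff), the Web server SLE comes from revenue per hour times hours down, and the ALE is SLE multiplied by the ARO expressed as a yearly probability. The class and function names, and every dollar figure for the router (replacement cost, technician rate, headcount and wages), are assumptions constructed for illustration; only the Web server figures ($10,000 per hour, two hours, 30 percent) come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LossComponent:
    """One contributor to the dollar loss of a single occurrence of a risk."""
    description: str
    amount: float  # dollars


def downtime_cost(revenue_per_hour: float, hours_down: float) -> float:
    """Revenue lost while an asset is unavailable."""
    return revenue_per_hour * hours_down


def idle_staff_cost(headcount: int, hourly_wage: float, hours_idle: float) -> float:
    """Wages paid to staff who cannot work while the asset is down."""
    return headcount * hourly_wage * hours_idle


def single_loss_expectancy(components: List[LossComponent]) -> float:
    """SLE: the total dollar loss from one occurrence of the risk."""
    return sum(c.amount for c in components)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year,
    so a 30 percent chance of one failure per year is 0.30; a risk that
    recurs monthly would be 12.0."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Risk:
    """A risk against one asset: its yearly likelihood and its loss components."""
    asset: str
    aro: float
    components: Tuple[LossComponent, ...]

    def sle(self) -> float:
        return single_loss_expectancy(list(self.components))

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro)


def prioritize(risks: Dict[str, Risk]) -> List[str]:
    """Order risk names by ALE, highest first, to decide what to analyze and
    budget for first (the prioritization the chapter describes)."""
    return sorted(risks, key=lambda name: risks[name].ale(), reverse=True)


# Web server example from the page: $10,000/hour, two hours down, ARO 30 percent.
WEB_SERVER = Risk(
    asset="Web server",
    aro=0.30,
    components=(
        LossComponent("e-commerce revenue lost during 2h repair", downtime_cost(10_000, 2)),
    ),
)

# Router example from the page with constructed dollar figures (assumptions):
# $1,500 replacement, a technician at $45/h for 2h, 20 staff at $30/h idle for 2h,
# and a constructed ARO of 0.5 (one failure every two years).
ROUTER = Risk(
    asset="Core router",
    aro=0.5,
    components=(
        LossComponent("replacement router", 1_500),
        LossComponent("technician wage to replace it", 2 * 45),
        LossComponent("staff unable to reach the network", idle_staff_cost(20, 30, 2)),
    ),
)

RISK_REGISTER: Dict[str, Risk] = {"web_server": WEB_SERVER, "router": ROUTER}


if __name__ == "__main__":
    for name in prioritize(RISK_REGISTER):
        r = RISK_REGISTER[name]
        print(f"{r.asset:12s} SLE=${r.sle():>10,.2f} ARO={r.aro:.2f} ALE=${r.ale():>10,.2f}")
```

Running the script prints the register ordered by ALE, which is the number to compare against the yearly cost of a countermeasure: spending more per year on a control than the ALE it removes is not justified on these figures alone.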



          www.syngress.com