|
|
|
|
Defines the loss on an asset to the organization (in terms of the assets's value/liability and volume).
Tagged Values
- Liability/Value
- Volume
- Cost – The intrinsic value of the asset
- Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- LossFactor
- LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation
- LossType – Primary, Secondary
- Sensitivity
- Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place
- Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability
- Legal Regulatory - The organization is bound by law to protect the information
- General - Disclosure of the information results in some form of loss
|
|
|
Captures assumptions made in risk analysis.
Tagged Values
|
|
|
The probable frequency, within a given timeframe, with which a threat agent will come into contact with an asset.
Tagged Values
- ConfidenceLevel - Commonly expressed as a percentage
- MaximumLikelyValue
- MinimumLikelyValue
- Type –
- Random - The threat agent 'stumbles upon' the asset during the course of unfocused or undirected activity
- Regular - Contact occurs because of the regular actions of the threat agent
- Intentional - The threat agent seeks out specific targets
|
|
|
Captures external loss factors.
Tagged Values
- Factors – Event Detection, Legal and Regulatory, Competitors, Media, Other Stakeholders
- Cost
- Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- LossFactor
- LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation
- LossType – Primary, Secondary
- Sensitivity –
- Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that can result when a loss event takes place
- Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability
- Legal Regulatory - The organization is bound by law to protect the information
- General - Disclosure of the information results in some form of loss
|
|
|
Captures loss that a threat can result in.
Tagged Values
- Cost
- Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- LossFactor
- LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation
- LossType – Primary, Secondary
- Sensitivity
- Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place
- Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases sensitivity represents liability
- Legal Regulatory - The organization is bound by law to protect the information
- General - Disclosure of the information results in some form of loss
|
|
|
The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset.
Tagged Values
- LossType
- ProbableFrequency - Probability is always is based on a timeframe (event X is 10% likely to occur over the next Y)
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- TimePeriod
|
|
|
The probable magnitude of loss resulting from a loss event.
Tagged Values
- LossType
- Rating - Severe (SV), High (H), Significant (Sg), Moderate (M), Low (L), VeryLow (VL)
|
|
|
Captures the loss to the organization.
Tagged Values
- Factors – Timing, DueDiligence, Response, Detection
- Cost – The intrinsic value of the asset
- Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- LossFactor
- LossForm
- Productivity - The reduction in an organization’s ability to generate its primary value proposition
- Response - Expenses associated with managing a loss event (such as internal or external person-hours, logistical expenses, legal defense and public relations expenses)
- Replacement - The capital expense associated with replacing lost or damaged assets
- Fines and Judgements - Legal or regulatory actions levied against an organization
- Competitive Advantage - Losses associated with diminished competitive position
- Reputation - Losses associated with an external stakeholder’s perception that an organization’s value proposition is diminished
- LossType – Primary, Secondary
- Sensitivity
- Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place
- Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability
- Legal Regulatory - The organization is bound by law to protect the information
- General - Disclosure of the information results in some form of loss
|
|
|
The probability that a threat agent will act against an asset once contact occurs.
Tagged Values
- ConfidenceLevel - Commonly expressed as a percentage
- LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- MaximumLikelyValue - T he threat agent’s maximum value proposition from performing the act
- MinimumLikelyValue - The threat agent’s minimum value proposition from performing the act
- MostLikelyValue - The threat agent’s perceived value proposition from performing the act
- RiskOfDetection/Capture - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|
|
The strength of a control as compared to a baseline measure of force.
Tagged Values
- ConfidenceLevel - Commonly expressed as a percentage
- LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
- MaximumLikelyValue
- MinimumLikelyValue
- MostLikelyValue
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|
|
Defines the environment or situation that involves risk.
|
|
|
Defines an estimate of the probable frequency and magnitude of future loss
Tagged Values
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|
|
The decision to mitigate the risk.
|
|
|
Defines the harm to an asset that a risk poses.
Tagged Values
- ThreatScenario – Malicious, Error, Failure, Natural
- ThreatType – External, Internal
|
|
|
The source that could inflict harm upon an asset.
Tagged Values
- AccessMethod
- DesiredVisibility
- Motive
- Objective
- PersonalRiskTolerance
- Resources
- SkillRating
- Sponsorship
- ThreatType – External, Internal
|
|
|
The probable level of force that a threat agent is capable of applying against an asset.
Tagged Values
- ConfidenceLevel - Commonly expressed as a percentage
- MaximumLikelyValue - The maximum level of skills an attacker might have
- MinimumLikelyValue - The minimum level of skills that an attacker might have
- MostLikelyValue - The skill level of the most likely attacker
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|
|
People associated with the conditions surrounding the asset at risk.
Tagged Values
- ThreatType – External, Internal
|
|
|
The probable frequency, within a given timeframe, at which a threat agent will act against an asset.
Tagged Values
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|
|
The action associated with managing a loss event.
Tagged Values
- ResponsePercentage
- ResponseType –
- Containment - An organization’s ability to limit the breadth and depth of an event
- Remediation - An organization’s ability to remove the threat agent
- Recovery - The ability to bring things back to normal
|
|
|
The probability that a threat event will become a loss event.
Tagged Values
- Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
|
|