Background
Any CISSP will tell you that the way to calculate risk is by taking the likelihood and multiplying it by the impact. We've been asked by SimpleRisk users in the past to add a third, "asset value", to our risk scoring formula. While I completely understand the desire to utilize asset value as part of a risk score, I'm going to argue that this approach is inherently flawed. Why? Because your "impact" is already supposed to be factoring in the value of the assets that are affected. In addition, we find that most organizations are struggling with just managing the risks themselves and are not yet at a point where asset valuation can provide any meaningful context.
Asset Valuation - Is the Tradeoff for Precision Worth It?
The key purpose in giving an asset a value isn't so that it can affect the risk score, but to use it to determine how to prioritize your mitigation efforts. Many of the popular GRC tools determine asset valuation using highly complex criteria and formulas that require substantial resources to implement and maintain. While the resulting calculations may be more precise, the question that must be asked is whether the time, money, and resources expended justify the end result.
Is there a Simpler, Efficient, and Equally Effective Way to Calculate Asset Valuation?
When we integrated asset valuation into SimpleRisk, our approach was to arrive at an easy-to-understand middle ground, so that assets could still be valued and used as a factor in prioritizing risk mitigation without inhibiting organizations from initiating a robust risk management process.
Generally, we concluded that each risk affects one or more assets, where an asset could be a computer system, a type of data, a database, a person, a facility, or just about anything else you can imagine. Therefore, in SimpleRisk, you simply tag a list of affected assets for each of your risks. Then, for each asset, you can specify any of the following details:
- Asset Name
- IP Address
- Asset Valuation (based on valuation tiers)
- Site/Location
- Team
- Asset Details
For the sake of simplicity, we introduced what is effectively a 1-10 scale for valuing an asset. This scale is easily adjusted to fit the size and complexity of your organization, but it makes the process of valuing your assets a breeze. Now that you've got a list of risks, their affected assets, and the asset values, we can calculate the maximum quantitative loss for each of our risks. This process is completely optional, but it moves the needle from qualitative to quantitative risk analysis and accomplishes our goal of providing additional insight into our risk mitigation processes.
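As an added example (not SimpleRisk's own code), here is a small Python model of the process above: risks scored as likelihood x impact with no asset term, each risk tagged with its affected assets on the 1-10 tier scale, and a maximum quantitative loss derived per risk to break ties when prioritizing mitigation. The tier-to-dollar ranges, the 1-5 likelihood and impact scales, and the sample register are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed (constructed) mapping from the 1-10 valuation tier to the top of its
# monetary range; an organization would tune these to its own size.
TIER_MAX_VALUE = {1: 1_000, 2: 5_000, 3: 10_000, 4: 25_000, 5: 50_000,
                  6: 100_000, 7: 250_000, 8: 500_000, 9: 1_000_000, 10: 5_000_000}

@dataclass(frozen=True)
class Asset:
    # The per-asset details the page lists: name, valuation tier, site, team.
    name: str
    tier: int          # 1 (lowest value) .. 10 (highest value)
    site: str = ""
    team: str = ""

    def __post_init__(self):
        if self.tier not in TIER_MAX_VALUE:
            raise ValueError(f"{self.name}: tier must be 1-10, got {self.tier}")

@dataclass
class Risk:
    subject: str
    likelihood: int    # 1..5 (assumed scale)
    impact: int        # 1..5; already expected to reflect affected-asset value
    assets: list = field(default_factory=list)  # tagged affected assets

    def score(self) -> int:
        # The classic qualitative score: likelihood x impact, no asset term.
        return self.likelihood * self.impact

    def max_quantitative_loss(self) -> int:
        # Worst case: every tagged asset is lost at the top of its tier's range.
        return sum(TIER_MAX_VALUE[a.tier] for a in self.assets)

def prioritize(risks):
    # Order mitigation work: highest score first, ties broken by max loss.
    return sorted(risks, key=lambda r: (r.score(), r.max_quantitative_loss()),
                  reverse=True)

# Constructed sample register.
DB = Asset("customer-db", tier=9, site="DC-1", team="Data Platform")
WEB = Asset("public-web", tier=6, site="Cloud", team="Web")
LAPTOP = Asset("hr-laptop", tier=3, site="HQ", team="HR")
RISKS = [
    Risk("Lost unencrypted laptop", likelihood=3, impact=2, assets=[LAPTOP]),
    Risk("Web app flaw exposes customer DB", likelihood=4, impact=5, assets=[WEB, DB]),
    Risk("Outage of public site", likelihood=5, impact=4, assets=[WEB]),
]

for r in prioritize(RISKS):
    print(f"score={r.score():>2} max_loss={r.max_quantitative_loss():>9,} {r.subject}")
```

The two risks that tie at a score of 20 are separated only by the asset-derived loss figure, which is the prioritization role the page assigns to asset value.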
Conclusion
While we're acutely aware that our approach doesn't get you to the RISK = LIKELIHOOD x IMPACT x ASSET VALUE score that some organizations may aspire to, we believe that it's a far simpler way to utilize assets as part of a risk management process.
In short, we've chosen to provide security practitioners with the ability to determine asset valuation in a way that is not only easy to understand and apply, but also produces a realistic estimate of an asset's value. By doing it this way, an asset's value can still be used as a key factor in prioritizing risk mitigation, while also preserving the simplicity of the SimpleRisk platform.