Risk assessment comes in two forms, quantitative and qualitative:
- Quantitative assessment: attaches monetary or numeric values to the data elements of the assessment, e.g. "customer data is worth 1,000,000, the safeguard costs 10,000, and the annual probability of loss is 0.07".
- Qualitative assessment: analyzes risk with subjective, judgment-based methods, e.g. rating the value of customer data as Critical, the safeguard investment as Medium, and the probability of loss as Not likely.
Quantitative Concepts
Loss estimates should not be limited to the incident itself; the time needed to recover after the incident must be counted as well. Take Ctrip's service outage a few years ago: the data lost in the incident itself was not the whole loss, and perhaps not even the main part of it. Everything the business lost from the moment the incident occurred until normal operation was restored should be counted.
- Single Loss Expectancy (SLE): the loss from a single occurrence, i.e. the impact on one asset when a specific vulnerability is exploited once.
  SLE = Asset Value (AV) * Exposure Factor (EF), where EF is the fraction of the asset's value lost in one incident (0.0 to 1.0)
- Annualized Rate of Occurrence (ARO): the expected number of times the loss event occurs per year (the 0.07 in the example above).
- Annualized Loss Expectancy (ALE): the expected loss per year.
  ALE = SLE * ARO
Qualitative Concepts
- Uncertainty analysis: assigning confidence-level values to data elements.
- Delphi method: a data-collection method in which participants' opinions are gathered anonymously.
Other Key Items
- Cost/benefit analysis: calculating the value of a control.
  (ALE before implementing the control) - (ALE after implementing the control) - (annual cost of the control) = value of the control
- Functionality versus effectiveness of a control: functionality is what a control does; effectiveness is how well the control does it.
- Total risk: the full amount of risk before a control is put in place.
  Threats * vulnerabilities * assets = total risk
- Residual risk: the risk that remains after a control is implemented.
  Threats * vulnerabilities * assets * (control gap) = residual risk
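As an added worked example (not part of the original notes), the quantitative formulas above carried through in Python: SLE, ALE, the cost/benefit value of a control, and the residual ALE that remains once a control is in place. The asset value (1,000,000) and the loss probability (0.07 per year, used as the ARO) come from the example earlier on this page; the exposure factor of 1.0 and the three candidate controls with their costs and effects are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV), in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # annualized cost of running the control
    ef_after: float         # EF once the control is in place
    aro_after: float        # ARO once the control is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: loss from one occurrence (AV * EF)."""
    return round(av * ef, 2)


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE * ARO."""
    return round(sle(av, ef) * aro, 2)


def control_value(asset: Asset, threat: Threat, control: Control) -> float:
    """(ALE before control) - (ALE after control) - (annual cost of control).

    The ALE after the control is the residual risk expressed in money;
    a negative result means the control costs more than it saves."""
    before = ale(asset.value, threat.exposure_factor, threat.aro)
    after = ale(asset.value, control.ef_after, control.aro_after)
    return round(before - after - control.annual_cost, 2)


def recommend(asset: Asset, threat: Threat, controls: List[Control]) -> Optional[Control]:
    """Pick the control with the highest positive value.

    Returns None when no control pays for itself (value <= 0), i.e. the
    cost/benefit analysis says to accept the risk rather than mitigate it."""
    scored = [(control_value(asset, threat, c), c) for c in controls]
    positive = [(v, c) for v, c in scored if v > 0]
    if not positive:
        return None
    return max(positive, key=lambda vc: vc[0])[1]


# Constructed sample data. AV and ARO follow the example in the notes
# (customer data worth 1,000,000; 0.07 loss events per year). EF = 1.0
# (total loss per incident) and the three controls are assumptions.
CUSTOMER_DATA = Asset("customer data", 1_000_000)
BREACH = Threat("database breach", exposure_factor=1.0, aro=0.07)
CONTROLS = [
    # cuts the damage per incident (EF), leaves the frequency unchanged
    Control("encrypted backups", annual_cost=10_000, ef_after=0.2, aro_after=0.07),
    # cuts the frequency (ARO) sharply but is expensive to run
    Control("enterprise DLP suite", annual_cost=80_000, ef_after=1.0, aro_after=0.01),
    # small ARO reduction that exactly breaks even (value == 0)
    Control("quarterly awareness training", annual_cost=5_000, ef_after=1.0, aro_after=0.065),
]


if __name__ == "__main__":
    print("ALE before any control:", ale(CUSTOMER_DATA.value, BREACH.exposure_factor, BREACH.aro))
    for c in CONTROLS:
        print(f"{c.name}: value of control = {control_value(CUSTOMER_DATA, BREACH, c)}")
    best = recommend(CUSTOMER_DATA, BREACH, CONTROLS)
    print("recommendation:", best.name if best else "accept the risk")
```

With these inputs the ALE before any control is 70,000 per year; the backup control is worth 46,000 per year, the DLP suite has a negative value (it costs more than the loss it prevents), and the training breaks even, so only the backup control is recommended. Note that the monetary results are only as good as the EF and ARO estimates; the page's earlier point about counting recovery time applies here in how the asset value and EF are chosen.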
Handling risk: accept, transfer, mitigate, avoid
- Accept: understand and accept the consequences the risk may cause. Whoever makes this decision must understand those consequences and know how disaster recovery will proceed if the risk materializes.
- Transfer: shift the risk to another party, for example by buying insurance, so that when the risk materializes the insurer compensates the loss.
- Mitigate: reduce the risk, for example by installing antivirus software and a firewall on employee computers to lower the chance of compromise.
- Avoid: eliminate the risk through a design choice. For example, using HTTPS instead of HTTP removes the risk of users' sensitive data being eavesdropped on in transit (provided TLS is configured correctly; a weak configuration only reduces the risk rather than removing it).