FIPS PUB 191
use was for the risk analysis of large data centers. [FIPS65] describes how an estimate of risk
(i.e. Annual Loss Expectancy) could be obtained by estimating, for each application data file: (1)
the frequency of occurrence of harmful impact (i.e., destruction, modification, disclosure or
unavailability of the data file) and (2) the consequences (in dollars) that could result from each
of the impacts [KATZ92]. [KATZ92] explains that "recognizing the lack of empirical data on
frequency of occurrence of impacts and the related consequences, FIPS 65 suggested an order
of magnitude approach to approximating these values. That this concept was not well
understood by users of that method has been illustrated by numerous attempts to be too precise
in quantifying the input data to FIPS 65 and, by the same token, interpreting the results as having
more precision than they actually had." FIPS 65 may be used for a risk assessment of a LAN;
however, agencies may choose other methodologies and techniques if the agency finds them to
be more appropriate and effective.
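
The order-of-magnitude idea described above, as an added illustration that is not part of FIPS PUB 191 or FIPS 65: two analysts supply different "precise" figures for the same data file, and rounding every input to its nearest power of ten shows that both support the same estimate. The rounding rule, the function names and all figures are assumptions constructed for this example, not the tables from FIPS 65.

```python
import math

# Constructed estimates for one application data file, as
# {impact: (occurrences per year, dollars per occurrence)}.
ANALYST_A = {"destruction": (0.12, 48500), "disclosure": (2.0, 900),
             "unavailability": (15, 120)}
ANALYST_B = {"destruction": (0.2, 70000), "disclosure": (1.4, 1300),
             "unavailability": (22, 95)}

def decade(x):
    """Nearest power-of-ten exponent of a positive estimate (log scale)."""
    return round(math.log10(x))

def naive_ale(estimates):
    """ALE computed from the raw figures, as if they were exact."""
    return sum(freq * loss for freq, loss in estimates.values())

def rounded_ale(estimates):
    """ALE with every input first rounded to its order of magnitude."""
    return sum(10.0 ** (decade(freq) + decade(loss))
               for freq, loss in estimates.values())

def report(name, estimates):
    ale = rounded_ale(estimates)
    # Each rounded input may be off by up to sqrt(10) either way, so each
    # product (and their sum) is only good to about a factor of ten.
    return (f"{name}: raw ${naive_ale(estimates):,.0f}, "
            f"order-of-magnitude ${ale:,.0f} "
            f"(plausible range ${ale / 10:,.0f} to ${ale * 10:,.0f})")

if __name__ == "__main__":
    print(report("Analyst A", ANALYST_A))
    print(report("Analyst B", ANALYST_B))
```

The raw totals differ by almost a factor of two, yet both sets of inputs reduce to the same order-of-magnitude figure, which is the only precision the estimates can carry.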

Automated risk analysis tools are available that are tailored specifically to the LAN environment.
[GILB89] points out the many benefits of using automated risk analysis tools. However, there
is a concern in using automated risk analysis tools. There are many techniques available to
calculate risk. While most depend on a loss variable and a likelihood or probability variable, the
manner in which these variables are represented, the calculations that are used on these variables,
and the manner in which the risk value is represented are not always made available to the user.
This disadvantage is compounded because there is currently no standard method or agreed upon
approach for performing risk analysis. While there exists a proposed standard framework
[KATZ92] for risk analysis that provides vendors with some guidance in developing these tools,
there are no agreed upon methods for representing the necessary variables to perform a risk
analysis, and there are no agreed upon methods for calculating risk using these variables.
Because of this lack of consistent agreement with the risk community, coupled with the
proprietary nature of the tools, determining the effectiveness of any particular method may be
difficult. On the other hand, if the methodology used by the tool is understood and deemed
acceptable for the user, then the tool may prove to be quite adequate. The underlying question
in determining if a tool will be effective for a particular environment should be, "What is the
automated risk analysis tool measuring, and are the results produced by it useful for providing
appropriate LAN security?" [GILB89] discusses the use of automated risk analysis tools, and
examines criteria that can be considered in the automated tools selection process.

Another approach for performing risk analyses is to develop sets of baseline security controls
needed for predefined levels of risk. The predefined levels of risk may be based on the asset
alone (e.g. data is considered sensitive due to an agency policy or federal mandate), the
consequence that would result from the loss of the asset (e.g. the agency may not be able to meet
its mission) or other factors. This allows data owners and those responsible for ensuring the
security of the LAN to determine the level of risk for specific assets, and follow the guidance
and implement the controls that have been deemed appropriate. This approach may provide an
agency with the benefit of having consistent protection for specified types of assets. This
approach has been implemented in [DOE89], [HHS91], [NASA90]. A benefit of this approach