FIPS PUB 191
As specific threats and related vulnerabilities are identified, a likelihood measure needs to be
associated with the threat/vulnerability pair (i.e., what is the likelihood that a threat will be
realized, given that the vulnerability is exploited?). The risk methodology chosen by the
organization should provide the technique used to measure likelihood. Along with asset
valuation, assigning likelihood measures can also be a subjective process. Threat data for
traditional threats (mostly physical threats) does exist and may aid in determining likelihood.
However, experience regarding the technical aspects of the LAN and knowledge of the operational
aspects of the organization may prove more valuable in deciding the likelihood measure. Figure 3.4
defines a simple likelihood measure. This likelihood measure coincides with the asset valuation
measure defined in Figure 3.1. Although the asset valuation and the likelihood measures
provided in this example appear to be weighted equally for each threat/vulnerability pair, it is a
user determination regarding which measure should be emphasized during the risk measurement
process.

Figure 3.5 - One Dimensional Approach to Calculate Risk

The risk associated with a threat can be considered as a function of the relative likelihood that
the threat can occur, and the expected loss incurred given that the threat occurred. The risk is
calculated as follows:

    risk = likelihood of threat occurring (given the specific vulnerability) x loss incurred

The value estimated for loss is determined to be a value that ranges from 1 to 3. Therefore risk
may be calculated as a number ranging from 1 to 9, meaning a risk of 1 or 2 is considered a low
risk, a risk of 3 or 4 would be a moderate risk, and a risk of 6 or 9 would be considered a high
risk.

    LIKELIHOOD   LOSS   RISK
    1            1      1 - LOW
    1            2      2 - LOW
    1            3      3 - MODERATE
    2            1      2 - LOW
    2            2      4 - MODERATE
    2            3      6 - HIGH
    3            1      3 - MODERATE
    3            2      6 - HIGH
    3            3      9 - HIGH
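The one-dimensional calculation of Figure 3.5 applied to a short list of threat/vulnerability pairs, as an added example that is not part of FIPS PUB 191. The risk score is likelihood times loss on the figure's 1 to 3 scales, the score is banded into low/moderate/high exactly as the figure's table does, and the rated pairs are sorted highest risk first so that the output can feed the safeguard selection decisions of Process 4. The sample pairs and their likelihood and loss values are constructed for the example; the organization's own likelihood measure (Figure 3.4) and asset valuation would supply real values.

```python
"""Added example (not from FIPS PUB 191): the Figure 3.5 one-dimensional
risk measure for threat/vulnerability pairs, with ranking for safeguard selection."""

from dataclasses import dataclass

LOW, MODERATE, HIGH = "LOW", "MODERATE", "HIGH"


def risk_score(likelihood: int, loss: int) -> int:
    """risk = likelihood x loss, each measured on the 1..3 scale of Figure 3.5.
    Values outside the scale are rejected rather than silently scaled."""
    for name, value in (("likelihood", likelihood), ("loss", loss)):
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return likelihood * loss


def risk_level(score: int) -> str:
    """Band a 1..9 score as the figure does: 1-2 low, 3-4 moderate, 6-9 high.
    Scores 5, 7 and 8 cannot arise as products of two values in 1..3; the
    bands are contiguous, so any value in 1..9 still maps to one level."""
    if not 1 <= score <= 9:
        raise ValueError(f"score must be in 1..9, got {score!r}")
    if score <= 2:
        return LOW
    if score <= 4:
        return MODERATE
    return HIGH


def risk_matrix():
    """Reproduce the figure's table: (likelihood, loss, risk, level) for every
    combination, in the same row order as the figure."""
    return [
        (lik, loss, risk_score(lik, loss), risk_level(risk_score(lik, loss)))
        for lik in (1, 2, 3)
        for loss in (1, 2, 3)
    ]


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: int  # from the organization's likelihood measure (Figure 3.4)
    loss: int        # expected loss if the threat is realized, 1..3


def rank_pairs(pairs):
    """Return (pair, score, level) tuples, highest risk first; ties keep input order."""
    rated = []
    for p in pairs:
        score = risk_score(p.likelihood, p.loss)
        rated.append((p, score, risk_level(score)))
    rated.sort(key=lambda r: r[1], reverse=True)
    return rated


# Constructed sample input: hypothetical LAN threat/vulnerability pairs and
# hypothetical likelihood/loss values, not taken from the standard.
SAMPLE_PAIRS = [
    ThreatVulnPair("Unauthorized LAN access", "Shared accounts on file server", 3, 3),
    ThreatVulnPair("Disclosure of data in transit", "Unencrypted backbone segment", 2, 2),
    ThreatVulnPair("Loss of power", "No UPS in wiring closet", 1, 2),
    ThreatVulnPair("Disclosure of data in transit", "Cleartext login to mail host", 2, 3),
]

if __name__ == "__main__":
    for p, score, level in rank_pairs(SAMPLE_PAIRS):
        print(f"{score} - {level:8s} {p.threat} / {p.vulnerability}")
```

The ranked output is only as good as the subjective likelihood and loss inputs the text warns about; `risk_matrix()` is included so the banding can be checked against the figure's table before the routine is trusted with real assessment data.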
3.4.4 Process 4 - Measure Risk

In its broadest sense the risk measure can be considered the representation of the kinds of
adverse actions that may happen to a system or organization and the degree of likelihood
that these actions may occur. The outcome of this process should indicate to the
organization the degree of risk associated with the defined assets. This outcome is important
because it is the basis for making safeguard selection and risk mitigation decisions.

There are many ways to measure and represent risk. [KATZ92] points out that depending on
the particular methodology or approach, the measure could be defined in qualitative terms,
quantitative terms, one dimensional, multidimensional, or some combination of these. The
risk measure process should be consistent with (and more than likely defined by) the risk
assessment methodology being used by the organization. Quantitative approaches are often
associated with measuring risk in terms of dollar losses (e.g., FIPS 65). Qualitative
approaches are often associated with measuring risk in terms
34