
FIPS PUB 191

As specific threats and related vulnerabilities are identified, a likelihood measure needs to be associated with the threat/vulnerability pair (i.e., what is the likelihood that a threat will be realized, given that the vulnerability is exploited?). The risk methodology chosen by the organization should provide the technique used to measure likelihood. Along with asset valuation, assigning likelihood measures can also be a subjective process. Threat data for traditional threats (mostly physical threats) does exist and may aid in determining likelihood. However, experience regarding the technical aspects of the LAN and knowledge of the operational aspects of the organization may prove more valuable in deciding the likelihood measure. Figure 3.4 defines a simple likelihood measure. This likelihood measure coincides with the asset valuation measure defined in Figure 3.1.

Although the asset valuation and the likelihood measures provided in this example appear to be weighted equally for each threat/vulnerability pair, it is a user determination regarding which measure should be emphasized during the risk measurement process.

3.4.4 Process 4 - Measure Risk

In its broadest sense the risk measure can be considered the representation of the kinds of adverse actions that may happen to a system or organization and the degree of likelihood that these actions may occur. The outcome of this process should indicate to the organization the degree of risk associated with the defined assets. This outcome is important because it is the basis for making safeguard selection and risk mitigation decisions.

There are many ways to measure and represent risk. [KATZ92] points out that depending on the particular methodology or approach, the measure could be defined in qualitative terms, quantitative terms, one dimensional, multidimensional, or some combination of these. The risk measure process should be consistent with (and more than likely defined by) the risk assessment methodology being used by the organization.

Figure 3.5 - One Dimensional Approach to Calculate Risk

The risk associated with a threat can be considered as a function of the relative likelihood that the threat can occur and the expected loss incurred given that the threat occurred. The risk is calculated as follows:

    risk = likelihood of threat occurring (given the specific vulnerability) x loss incurred

The value estimated for likelihood (Figure 3.4) and the value estimated for loss (the asset valuation of Figure 3.1) each range from 1 to 3. Therefore risk may be calculated as a number ranging from 1 to 9, where a risk of 1 or 2 is considered a low risk, a risk of 3 or 4 would be a moderate risk, and a risk of 6 or 9 would be considered a high risk.

    LIKELIHOOD   LOSS   RISK
        1          1    1 - LOW
        1          2    2 - LOW
        1          3    3 - MODERATE
        2          1    2 - LOW
        2          2    4 - MODERATE
        2          3    6 - HIGH
        3          1    3 - MODERATE
        3          2    6 - HIGH
        3          3    9 - HIGH

Quantitative approaches are often associated with measuring risk in terms of dollar losses (e.g., FIPS 65). Qualitative approaches are often associated with measuring risk in terms
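The one-dimensional calculation of Figure 3.5 (risk = likelihood x loss on two 1-to-3 scales, banded LOW / MODERATE / HIGH) and the ranking of threat/vulnerability pairs for safeguard selection described in Process 4 can be carried out by a short script. The following is an added example and is not code from FIPS PUB 191 or from NIST; the asset, threat and vulnerability names in SAMPLE_PAIRS are constructed for illustration, and the tie-break rule (larger loss ranks higher at equal risk) is an assumption not stated by the standard.

```python
"""One-dimensional risk measure, risk = likelihood x loss (FIPS PUB 191, Figure 3.5).

Added example, not code from the standard. Likelihood and loss are each rated
1..3, the product is one of {1, 2, 3, 4, 6, 9}, and the bands are those of the
figure: 1-2 LOW, 3-4 MODERATE, 6-9 HIGH. The pairs in SAMPLE_PAIRS are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOW, MODERATE, HIGH = "LOW", "MODERATE", "HIGH"
SCALE = (1, 2, 3)  # the 1..3 scale shared by Figure 3.1 (loss) and Figure 3.4 (likelihood)


def band(risk: int) -> str:
    """Map a product score to the figure's LOW / MODERATE / HIGH bands."""
    if risk <= 2:
        return LOW
    if risk <= 4:
        return MODERATE
    return HIGH


def risk_score(likelihood: int, loss: int) -> int:
    """risk = likelihood x loss; both inputs must be on the 1..3 scale."""
    for name, value in (("likelihood", likelihood), ("loss", loss)):
        if value not in SCALE:
            raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
    return likelihood * loss


@dataclass(frozen=True)
class ThreatVulnPair:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # likelihood that the threat is realized given the vulnerability, 1..3
    loss: int        # expected loss given the threat occurs (asset valuation), 1..3

    @property
    def risk(self) -> int:
        return risk_score(self.likelihood, self.loss)

    @property
    def risk_band(self) -> str:
        return band(self.risk)


def risk_matrix() -> Dict[Tuple[int, int], Tuple[int, str]]:
    """Rebuild the 3x3 table of Figure 3.5: (likelihood, loss) -> (risk, band)."""
    return {(lk, ls): (lk * ls, band(lk * ls)) for lk in SCALE for ls in SCALE}


def rank_pairs(pairs: List[ThreatVulnPair]) -> List[ThreatVulnPair]:
    """Highest risk first; on equal risk the larger loss ranks higher (assumed tie-break).

    The resulting order is the input to safeguard selection: mitigate from the top down.
    """
    return sorted(pairs, key=lambda p: (p.risk, p.loss), reverse=True)


# Constructed sample threat/vulnerability pairs for a small LAN (not from the standard).
SAMPLE_PAIRS = [
    ThreatVulnPair("payroll file server", "unauthorized disclosure",
                   "cleartext traffic on a shared segment", likelihood=3, loss=3),
    ThreatVulnPair("engineering workstations", "malicious code",
                   "no virus scanning on downloads", likelihood=3, loss=1),
    ThreatVulnPair("backup tapes", "theft",
                   "tapes kept in an unlocked cabinet", likelihood=1, loss=3),
    ThreatVulnPair("print server", "denial of service",
                   "no limit on queued jobs", likelihood=2, loss=1),
]


def main() -> None:
    print("LIKELIHOOD  LOSS  RISK")
    for (lk, ls), (r, b) in sorted(risk_matrix().items()):
        print(f"{lk:^10}  {ls:^4}  {r} - {b}")
    print()
    for p in rank_pairs(SAMPLE_PAIRS):
        print(f"{p.risk} - {p.risk_band:8} {p.asset}: {p.threat} via {p.vulnerability}")


if __name__ == "__main__":
    main()
```

Note that the product of two 1-to-3 ratings can only take six distinct values (1, 2, 3, 4, 6, 9), so the bands are really a classification of the nine (likelihood, loss) cells rather than of a continuous score; risk_score rejects any rating outside the 1..3 scale so that an out-of-range input cannot silently land in a band.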