Common Risk-Assessment Methodologies and Templates
Key Terms
Annualized Loss Expectancy (ALE)
The ALE is an annual expected financial loss to an organization's IT asset because of a particular threat being realized within that same calendar year.
Annualized Rate of Occurrence (ARO)
The ARO is a value that represents the estimated frequency for a given threat, expressed as the number of times the threat is expected to occur in one year.
Asset Value (AV)
The AV is the actual dollar value that is put on the asset itself. Remember that for a data asset, the actual dollar value may be more than the value of the IT hardware, software, maintenance contracts, and so on.
Data classification standard
A standard that defines an organization's classification of its data assets. Typically, a data classification standard will dictate the level of minimum acceptable risk within the seven areas of information security responsibility.
Defense-in-Depth
A term used to describe a layered approach to information security for an IT infrastructure.
End User Licensing Agreement (EULA)
This is the software license that software vendors create to protect and limit their liability as well as hold the purchaser liable for illegal pirating of the software application. The EULA typically has language in it that protects the software manufacturer from software bugs and flaws and limits the liability of the vendor.
Exposure Factor (EF)
This is a subjective value that is defined by determining the percentage of loss to a specific asset due to a specific threat.
Qualitative Risk Assessment
A scenario-based assessment in which one scenario is examined and assessed for each critical or major threat to an IT asset.
Quantitative Risk Assessment
A methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized.
Risk Potential
The potential that a threat or vulnerability will be exploited.
Security Breach or Security Incident
The result of a threat or vulnerability being exploited by an attacker.
Security Controls
Policies, standards, procedures, and guideline definitions for various security control areas or topics.
Security Countermeasure
A security hardware or software technology solution that is deployed to ensure the confidentiality, integrity, and availability of IT assets that need protection.
Single Loss Expectancy (SLE)
A dollar-value figure that represents the organization's loss from a single loss event involving, or the complete loss of, this particular IT asset.
Software Bugs or Software Flaws
An error in software coding or its design that can result in a software vulnerability.
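The quantitative terms above (AV, EF, SLE, ARO, ALE) combine into a small calculation. The following added example, not taken from the text, applies the standard formulas SLE = AV x EF and ALE = SLE x ARO to a constructed sample risk register, ranks the scenarios by ALE, and scores a countermeasure by the ALE reduction it buys minus its yearly cost; the asset names, dollar figures and the helper names are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one IT asset (constructed sample data, not from the text)."""
    asset: str
    threat: str
    asset_value: float      # AV: dollar value placed on the asset
    exposure_factor: float  # EF: fraction of AV lost if the threat is realized (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        # Reject inputs that would silently produce meaningless SLE/ALE figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE = AV x EF: dollar loss from one realization of the threat."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE x ARO: expected dollar loss from this threat over one year."""
    return single_loss_expectancy(s) * s.aro


def countermeasure_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE before, minus ALE after, minus the control's yearly cost.
    A positive result means the countermeasure is expected to pay for itself."""
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_cost


def rank_by_ale(scenarios):
    """Highest ALE first, so the costliest expected losses get controls first."""
    return sorted(scenarios, key=annualized_loss_expectancy, reverse=True)


# Constructed sample register (hypothetical assets and figures).
SCENARIOS = [
    RiskScenario("customer database", "ransomware", 500_000, 0.6, 0.5),
    RiskScenario("web server", "DDoS outage", 80_000, 0.25, 4.0),
    RiskScenario("laptop fleet", "device theft", 120_000, 0.1, 2.0),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.asset:18} {s.threat:13} SLE=${single_loss_expectancy(s):>10,.2f} ALE=${annualized_loss_expectancy(s):>10,.2f}")
    db = SCENARIOS[0]
    mitigated = RiskScenario(db.asset, db.threat, db.asset_value, db.exposure_factor, 0.1)  # control cuts ARO
    print(f"offline backups (assumed $40,000/yr) are worth ${countermeasure_value(db, mitigated, 40_000):,.2f}/yr")
```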