Utilizing a Quantitative Risk Approach. To Drive Strategic IT COMPLIANCE. Glenn R. Wilson. VA SCAN October 3, 2013. Classifying IT R isk. Classifying IT Risk. Data risk Breach, loss, corruption, unavailability Operational risk Performance degradation, denial of service, outages
To Drive Strategic IT COMPLIANCE
Glenn R. Wilson
VA SCAN October 3, 2013
Classifying IT Risk
Classifying IT Risk
What does it mean to be “in compliance”?
How do you know when you have achieved it?
How do you sustain a state of compliance?
What do we have to comply with?
FERPA, HIPAA, HITECH, GLBA, SOX, PCI DSS, FISMA, ECPA,
COPPA,EFTA, Bank Secrecy Act, USA Patriot Act, Basel II Accord …
The short answer: “industry standards, federal, state and local laws”
How many organizations put this statement into their policies
and aren’t exactly sure what they are obligating themselves to?
Successfully Achieving Compliance
Effective programs are driven by a
culture of compliance and align with
the organization’s strategic planning
How does risk vary with compliance?
levels appropriate for the organization.
Which Likelihood - Impact
pairs should be analyzed?
VaR = VaR12 + VaR22 + 2 * C2* VaR1 * VaR2
EF = (((TP×(C/E))×(VF×AP))/100)
Risk Exposure = ALE = SLE * ARO
EF: Exposure factor (% loss of asset)
TP: Threat probability
C: Criticality factor
E: Effort requited to exploit the threat
ALE: Annualized Loss Expectancy
SLE: Single Loss Expectancy
ARO: Annual Rate of Occurrence
Return On Security Investment (ROSI) – A Practical Quantitative Model
Wes Sonnenreich, Jason Albanese and Bruce Stout
SageSecure, LLC 116 W. 23rd St., 5th Floor, NY, NY 10011 USA
Journal of Research and Practice in Information Technology, Vol. 38, No. 1, February 2006
Adrian Munteanu, Alexandru Ioan Cuza University, Iasi, Romania
Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma
Managing Information in the Digital Economy: Issues & Solutions 228
Risk = Σan (Σram (Cm*(Vm*Om)))
Risk Score = log(10Risk Score1+10Risk Score2)
Likelihood Score =
log(10Likelihood Score1 +10Likelihood Score2)
Consequence Score =
Risk Score – Likelihood Score
Σan: Sum of the asset risk
Σram: Risk sum for each combination of criterion, vulnerability and threat per asset
Cm: Criterion value for the current combination
Vm: Vulnerability risk level for current combination
Om: Threat occurrence for current combination
XunGuo Lin & Richard Jarrett
Division of Mathematical and Information Sciences
A Practical Approach to Quantitative Risk Assessment
Canberra & Melbourne
Risk Conference, Wellington, 2009
Abbas Asosheh, Bijan Dehmoubed, Amir Khani
Tarbiat Modares University Tehran, Iran
A New Quantitative Approach for Information Security Risk Assessment