Windows XP / Networking

Performing a Risk Analysis

Unless you are the owner, CEO, or head of your organization, one day someone will probably say to you, "I need some solid evidence that your security programs are contributing to the organization's productivity, its competitiveness, and ultimately its bottom line." When you are asked for that evidence, you had better know the following:

  • How vulnerable is the organization to known attacks?
  • When was the analysis last done?
  • What percentage of company software, people, and supplies has been reviewed for security issues?
  • What percentage of critical data is strongly protected?
  • What percentage of downtime results from security problems?
  • What percentage of nodes in the network does IT manage?

You should perform a risk assessment to understand the value of the assets that need protection in your organization. Your management wants to know the threats and risks associated with today's networks and the methods for controlling them. Security and controls improve quality and performance, which are the keys to success in any organization. So you should agree that you need security and controls. Put another way, you should manage risks. But what does it mean to manage risks? Risk management is the optimized allocation of limited resources to

  • Mitigate risks
  • Transfer risks
  • Recover from risk events

Your organization will perform better when you manage risks, which means more effective use of resources, more responsiveness to clients, and compliance with laws. So what is the problem? Why not just find and fix all your risks? Because perfect security is infinitely expensive! No organization - not even the government (or especially the government) - has unlimited resources.

You must measure risk. You can use High, Medium, and Low, but this is a difficult sell when you go to the boss and say, "Hey, boss, I need high dollars to manage this high risk!" What is the likely response? "I need better data than that!" Therefore, you must measure your risks and not merely express your opinions. You can calculate expected loss, which is the stream of risk losses, expressed quantitatively, that you could reasonably expect to experience in the future. Some organizations do this by measuring the return on investment (ROI). Typically, ROI is a measure of an organization's performance. It is finite: income divided by total capital. Normally, the business defines ROI as the incremental gain on an action. There are three ways to maximize ROI:

  • Minimize costs
  • Maximize returns
  • Accelerate the timing of returns

Alternatively, you could calculate the Return on Security Investment (ROSI), which is normally defined as the value of loss deterrence or reduction relative to the dollars invested in security controls. It is indefinite: it has no exact limits. Some security investments have a specific ROI, such as provisioning users or corporate insurance, but most don't. ROSI is an incremental gain on an action.

There are four ways to maximize ROSI:

  • Minimize/eliminate operational losses
  • Minimize investment
  • Maximize positive returns (where ROI applies)
  • Accelerate the timing of returns

Your goal is to implement cost-effective security, in which the expected cost of a control is less than the expected loss. Such controls generate a positive ROSI; that is, you can expect to save money over time. Ideally, you want to deploy the most cost-effective controls - those that maximize ROSI. Your challenge is to measure ROSI for given security controls. You should try to base measurements on empirical data and mathematical analysis, rather than opinions. You should evaluate all proposals, techniques, products, and services in terms of ROSI. You should establish best practices based on ROSI. Unfortunately, most companies currently base security decisions on expert opinion and conventional wisdom, not on empirical data and mathematical analysis.
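As an added illustration of the measurement the paragraph above asks for (this is example code written for this page, not the book's or any vendor's), the script below expresses expected loss quantitatively and ranks candidate controls by ROSI. It assumes the standard quantitative-risk formula expected annual loss = single loss expectancy x annual rate of occurrence, which the page does not spell out, and every dollar figure, risk and control name in it is constructed sample data, not empirical data from any organization.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A loss event the organization is exposed to (constructed example)."""
    name: str
    single_loss: float    # dollars lost each time the event occurs (SLE)
    annual_rate: float    # expected occurrences per year (ARO)

    def expected_annual_loss(self) -> float:
        # Expected loss as a yearly stream: SLE x ARO. This is the standard
        # ALE formula, assumed here; the page only says "expressed quantitatively".
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A candidate security control with a yearly cost (constructed example)."""
    name: str
    annual_cost: float
    mitigates: str        # name of the Risk it addresses
    reduction: float      # fraction of that risk's expected loss it removes, 0.0..1.0


def loss_avoided(control: Control, risks: dict[str, Risk]) -> float:
    """Dollars of expected loss the control removes per year."""
    return risks[control.mitigates].expected_annual_loss() * control.reduction


def rosi(control: Control, risks: dict[str, Risk]) -> float:
    """Return on Security Investment: loss avoided net of cost, per dollar spent.
    Positive means the control is expected to save money over time."""
    return (loss_avoided(control, risks) - control.annual_cost) / control.annual_cost


def cost_effective(controls: list[Control], risks: dict[str, Risk]) -> list[Control]:
    """Controls whose expected cost is below the loss they avoid, best ROSI first."""
    keep = [c for c in controls if rosi(c, risks) > 0]
    return sorted(keep, key=lambda c: rosi(c, risks), reverse=True)


# Constructed sample figures (one-year horizon, dollars); not from the page.
RISKS = {r.name: r for r in [
    Risk("ransomware on file server", single_loss=50_000, annual_rate=0.5),
    Risk("laptop theft", single_loss=8_000, annual_rate=2.0),
]}

CONTROLS = [
    Control("offline backups", annual_cost=4_000,
            mitigates="ransomware on file server", reduction=0.8),
    Control("full-disk encryption", annual_cost=3_000,
            mitigates="laptop theft", reduction=0.9),
    Control("hardware vault for laptops", annual_cost=32_000,
            mitigates="laptop theft", reduction=0.95),
]

if __name__ == "__main__":
    for r in RISKS.values():
        print(f"{r.name}: expected annual loss ${r.expected_annual_loss():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: avoids ${loss_avoided(c, RISKS):,.0f}/yr "
              f"for ${c.annual_cost:,.0f}, ROSI {rosi(c, RISKS):+.2f}")
    print("Deploy:", [c.name for c in cost_effective(CONTROLS, RISKS)])
```

With these figures, offline backups avoid $20,000 of a $25,000 expected annual loss for $4,000 (ROSI +4.00) and full-disk encryption avoids $14,400 of $16,000 for $3,000 (ROSI +3.80), so both are cost-effective; the vault removes slightly more laptop-theft loss but costs twice what it saves, so its ROSI is negative and it drops out of the deployment list. The ranking is only as good as the loss and frequency estimates fed in, which is the point of the paragraph above: base those on empirical data rather than opinion.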

Perform a risk assessment to understand the value of the assets in your organization that need protection. Understanding the value of organizational assets and the level of protection required is likely to enable more cost-effective wireless solutions that provide an appropriate level of security. You don't want to spend money to protect data that has no value. We doubt that you will find any case in which the data has no value, but you don't want to spend more on security measures than the data is worth.

Several companies sell risk management software, including Methodware Enterprise Risk Assessor and Risk Services & Technology RiskTrak.