Mesusa Corporation has three information assets to evaluate for risk management,
as listed below. Create a ranked list of the risks associated with the four
vulnerabilities. You can begin with the columns from the Ranked Vulnerability
Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk
rating, and then include the percentage of current control and the uncertainty
rate to come up with a final risk-rating estimate. Use the formula as described in

Switch L47 connects a network to the
Internet. It has two vulnerabilities: (1) susceptibility to hardware failure,
with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow
attack, with a likelihood of 0.1. This switch has an impact rating of 90 and
has no current controls in place. There is a 75% certainty of the assumptions

Server WebSrv6 hosts a company Web site and
performs e-commerce transactions. It has Web server software that is
vulnerable to attack via invalid Unicode values. The likelihood of such an
attack is estimated at 0.2. The server has been assigned an impact value of
100, and a control has been implemented that reduces the impact of the
vulnerability by 75%. There is an 80% certainty of the assumptions and data.

Operators use the MGMT45 control console to
monitor operations in the server room. It has no passwords and is susceptible
to unlogged misuse by the operators. Estimates show the likelihood of misuse
is 0.1. There are no controls in place on this asset, which has an impact
rating of 5. There is a 90% certainty of the assumptions and data.

For the purpose of relative risk assessment, risk = (likelihood of
vulnerability occurrence) x (value (or impact)) – (percentage risk already
controlled) + (an element of uncertainty).
Textbook: Michael E. Whitman & Herbert J. Mattord, “Management of Information Security”.
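
The formula above applied to the four worksheet rows, as an added example that is not part of the exercise or the textbook. It assumes the controlled percentage and the uncertainty (1 minus the stated certainty) are both taken of the likelihood x impact product, which the formula as quoted here does not spell out; the names `Entry`, `risk_rating`, `ranked` and `WORKSHEET` are made up for this sketch.

```python
from typing import NamedTuple


class Entry(NamedTuple):
    asset: str
    vulnerability: str
    impact: float      # impact (value) rating of the asset
    likelihood: float  # likelihood of vulnerability occurrence, 0.0 to 1.0
    controlled: float  # fraction of the risk already controlled, 0.0 to 1.0
    certainty: float   # certainty of the assumptions and data, 0.0 to 1.0


def risk_rating(e: Entry) -> float:
    """Likelihood x impact, minus controlled share, plus uncertainty share."""
    for name in ("likelihood", "controlled", "certainty"):
        if not 0.0 <= getattr(e, name) <= 1.0:
            raise ValueError(f"{e.asset}: {name} must be between 0 and 1")
    base = e.likelihood * e.impact
    # Assumption: both percentages are taken of the base product.
    uncertainty = 1.0 - e.certainty
    return round(base - base * e.controlled + base * uncertainty, 2)


def ranked(entries):
    """Return (entry, rating) pairs, highest risk first."""
    rated = [(e, risk_rating(e)) for e in entries]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


# Worksheet rows taken from the exercise text above.
WORKSHEET = [
    Entry("Switch L47", "Hardware failure", 90, 0.2, 0.0, 0.75),
    Entry("Switch L47", "SNMP buffer overflow", 90, 0.1, 0.0, 0.75),
    Entry("Server WebSrv6", "Invalid Unicode values", 100, 0.2, 0.75, 0.80),
    Entry("MGMT45 console", "Unlogged operator misuse", 5, 0.1, 0.0, 0.90),
]

if __name__ == "__main__":
    for e, rating in ranked(WORKSHEET):
        print(f"{e.asset:<16}{e.vulnerability:<28}{rating:>6.2f}")
```

Under that assumption the low impact rating keeps the unprotected MGMT45 console at the bottom of the list, while the 75% control drops WebSrv6 below both switch vulnerabilities despite its higher impact value.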