We are talking IT security risk – not financial or other kinds of security.
IT security risk – how do we define it?
Colors (Green, Yellow, Orange, Red)? Numbers (1 to 5)? Or wording – low, medium, high?
Image from BCM – Business Continuity Management Institute
But whatever scale we use, it may not be very accurate in our field, as risk is subjective, and my risk may not be the same as your risk.
Or let's define that better than "mine" and "yours" – by the size of the business:
Single-owner website (revenue less than $200k)
Business with revenue from $200k – $500k
Business with revenue from $500k – $750k
Business with revenue from $10mil – $100mil
Enterprise business (revenue higher than $100mil)
To assess risk we can turn to well-established procedures, for example the GAO guide at http://www.gao.gov/special.pubs/ai00033.pdf – from 1999 of all years.
Look at your operation and figure out which are your most important digital assets.
Estimating the likelihood of threats is not so easy when your own organization may not have been attacked yet.
You have to look at other organizations that have been breached and make a determination from that data: http://www.privacyrights.org/data-breach
There were 4603 data breaches made public since 2005 and 868 million records breached.
So do not assume you will not be breached and that there is negligible risk in your operation ("We have no risk").
The potential losses from your analysis of important digital assets are where the focus of risk should be.
This includes the following:
customer database, employee database, employee health records, employee email.
Remember to assess email servers, as your email is an important aspect of your business. And if your email gets hacked, there is also a dollar amount that must be figured out.
In the coming days we will attempt to define a subjective risk analysis method.
What about DoS, or Denial of Service? Even if there is a low likelihood of hacking, if your mail server is no longer operational, what does that cost?
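To show how the steps above fit together (list the important assets, estimate the likelihood from breach data, put a dollar figure on the loss, and don't forget the cost of a mail server outage), here is a small risk register in Python. It is an added example, not part of the original post: the colour thresholds, the revenue figures and every loss and likelihood value are constructed placeholders for a business in the $200k – $500k tier.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    loss_usd: float              # estimated loss if this asset is breached or unavailable
    likelihood_per_year: float   # estimated probability of that event in one year (0..1)


def expected_loss(asset: Asset) -> float:
    """Likelihood multiplied by loss: the expected yearly loss for one asset."""
    return asset.loss_usd * asset.likelihood_per_year


def outage_loss(hourly_revenue_usd: float, hours_down: float, recovery_cost_usd: float = 0.0) -> float:
    """Dollar cost of a denial-of-service outage: revenue lost while down, plus cleanup work."""
    return hourly_revenue_usd * hours_down + recovery_cost_usd


def rating(expected_usd: float, annual_revenue_usd: float) -> str:
    """Map expected yearly loss, as a share of annual revenue, onto the colour scale.
    The thresholds are assumptions chosen for illustration, not from any standard."""
    share = expected_usd / annual_revenue_usd
    if share >= 0.05:
        return "Red"
    if share >= 0.02:
        return "Orange"
    if share >= 0.005:
        return "Yellow"
    return "Green"


def rank_register(assets, annual_revenue_usd):
    """Return (name, expected loss, colour) for each asset, highest expected loss first."""
    rows = [(a.name, expected_loss(a), rating(expected_loss(a), annual_revenue_usd)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register (placeholder values, not figures from the post).
ANNUAL_REVENUE = 400_000.0
HOURLY_REVENUE = ANNUAL_REVENUE / (365 * 24)
SAMPLE_ASSETS = [
    Asset("customer database", loss_usd=150_000, likelihood_per_year=0.10),
    Asset("employee health records", loss_usd=120_000, likelihood_per_year=0.05),
    Asset("employee email", loss_usd=40_000, likelihood_per_year=0.25),
    # DoS against the mail server: 48 hours down plus assumed $5,000 of recovery work
    Asset("mail server outage (DoS)", outage_loss(HOURLY_REVENUE, 48, 5_000), likelihood_per_year=0.30),
]

if __name__ == "__main__":
    for name, exp, band in rank_register(SAMPLE_ASSETS, ANNUAL_REVENUE):
        print(f"{name:28} expected ${exp:>10,.0f}/yr  {band}")
```

Swap in your own asset list, loss estimates and likelihoods taken from the breach data, and the ranking tells you where the risk focus belongs.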