|
|
|
|
Asset Loss
|
Defines the loss on an asset to the organization (in terms of the assets's value/liability and volume).
Tagged Values
| · | Cost � The intrinsic value of the asset |
| · | Criticality � Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | LossForm � Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation |
| · | LossType � Primary, Secondary |
| · | Embarrassment/ Reputation- The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place |
| · | Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability |
| · | Legal Regulatory - The organization is bound by law to protect the information |
| · | General - Disclosure of the information results in some form of loss |
|
|
Assumption
|
Captures assumptions made in risk analysis.
Tagged Values
|
|
Contact Frequency
|
The probable frequency, within a given timeframe, with which a threat agent will come into contact with an asset.
Tagged Values
| · | ConfidenceLevel - Commonly expressed as a percentage |
| · | Random - The threat agent 'stumbles upon' the asset during the course of unfocused or undirected activity |
| · | Regular - Contact occurs because of the regular actions of the threat agent |
| · | Intentional - The threat agent seeks out specific targets |
|
|
External Loss
|
Tagged Values
| · | Factors � Event Detection, Legal and Regulatory, Competitors, Media, Other Stakeholders |
| · | Criticality � Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | LossForm � Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation |
| · | LossType � Primary, Secondary |
| · | Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that may result when a loss event takes place |
| · | Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability |
| · | Legal Regulatory - The organization is bound by law to protect the information |
| · | General - Disclosure of the information results in some form of loss |
|
|
Loss
|
Captures loss that a threat can result in.
Tagged Values
| · | Criticality � Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | LossForm � Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation |
| · | LossType � Primary, Secondary |
| · | Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place |
| · | Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases sensitivity represents liability |
| · | Legal Regulatory - The organization is bound by law to protect the information |
| · | General - Disclosure of the information results in some form of loss |
|
|
Loss Event Frequency
|
The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset.
Tagged Values
| · | ProbableFrequency - Probability is always is based on a timeframe (event X is 10% likely to occur over the next Y) |
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Loss Magnitude
|
The probable magnitude of loss resulting from a loss event.
Tagged Values
| · | Rating - Severe (SV), High (H), Significant (Sg), Moderate (M), Low (L), VeryLow (VL) |
|
|
Organizational Loss
|
Captures the loss to the organization.
Tagged Values
| · | Factors � Timing, DueDiligence, Response, Detection |
| · | Cost � The intrinsic value of the asset |
| · | Criticality � Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | Productivity - The reduction in an organization�s ability to generate its primary value proposition |
| · | Response - Expenses associated with managing a loss event (such as internal or external person-hours, logistical expenses, legal defense and public relations expenses) |
| · | Replacement - The capital expense associated with replacing lost or damaged assets |
| · | Fines and Judgements - Legal or regulatory actions levied against an organization |
| · | Competitive Advantage - Losses associated with diminished competitive position |
| · | Reputation - Losses associated with an external stakeholder�s perception that an organization�s value proposition is diminished |
| · | LossType � Primary, Secondary |
| · | Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place |
| · | Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability |
| · | Legal Regulatory - The organization is bound by law to protect the information |
| · | General - Disclosure of the information results in some form of loss |
|
|
Probability of Action
|
The probability that a threat agent will act against an asset once contact occurs.
Tagged Values
| · | ConfidenceLevel - Commonly expressed as a percentage |
| · | LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | MaximumLikelyValue - The threat agent�s maximum value proposition from performing the act |
| · | MinimumLikelyValue - The threat agent�s minimum value proposition from performing the act |
| · | MostLikelyValue - The threat agent�s perceived value proposition from performing the act |
| · | RiskOfDetection/Capture - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Resistance Strength
|
The strength of a control as compared to a baseline measure of force.
Tagged Values
| · | ConfidenceLevel - Commonly expressed as a percentage |
| · | LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Risk Scenario
|
Defines the environment or situation that involves risk.
|
|
Risk
|
Defines an estimate of the probable frequency and magnitude of future loss
Tagged Values
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Risk Management Decision
|
The decision to mitigate the risk.
|
|
Threat
|
Defines the harm to an asset that a risk poses.
Tagged Values
| · | ThreatScenario � Malicious, Error, Failure, Natural |
| · | ThreatType � External, Internal |
|
|
Threat Agent
|
The source that could inflict harm upon an asset.
Tagged Values
| · | ThreatType � External, Internal |
|
|
Threat Capability
|
The probable level of force that a threat agent is capable of applying against an asset.
Tagged Values
| · | ConfidenceLevel - Commonly expressed as a percentage |
| · | MaximumLikelyValue - The maximum level of skills an attacker might have |
| · | MinimumLikelyValue - The minimum level of skills that an attacker might have |
| · | MostLikelyValue - The skill level of the most likely attacker |
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Threat Community
|
People associated with the conditions surrounding the asset at risk.
Tagged Values
| · | ThreatType � External, Internal |
|
|
Threat Event Frequency
|
The probable frequency, within a given timeframe, at which a threat agent will act against an asset.
Tagged Values
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
Threat Response
|
The action associated with managing a loss event.
Tagged Values
| · | Containment - An organization�s ability to limit the breadth and depth of an event |
| · | Remediation - An organization�s ability to remove the threat agent |
| · | Recovery - The ability to bring things back to normal |
|
|
Vulnerability
|
The probability that a threat event will become a loss event.
Tagged Values
| · | Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) |
|
|
