Handbook of Information Security Management:Risk Management and Business Continuity Planning



TERMS AND DEFINITIONS

To discuss the history and evolution of information risk analysis and assessment, several terms whose meanings are central to this discussion should first be defined.

Annualized loss expectancy (ALE) — This discrete value is derived, classically, from the following algorithm (see also the definitions for single loss expectancy [SLE] and annualized rate of occurrence [ARO] below):

      SINGLE LOSS EXPECTANCY (SLE)  x  ANNUALIZED RATE OF OCCURRENCE (ARO)  =  ANNUALIZED LOSS EXPECTANCY (ALE)

To effectively identify risk and to plan budgets for information risk management and related risk reduction activity, it is helpful to express loss expectancy in annualized terms. For example, the preceding algorithm will show that the ALE for a threat (with an SLE of $1,000,000) that is expected to occur only about once in 10,000 years is $1,000,000 divided by 10,000, or only $100.00. When the expected threat frequency (ARO) is factored into the equation, the significance of this risk factor is addressed and integrated into the information risk management process. Thus, risk is more accurately portrayed, and the basis for meaningful cost/benefit analysis of risk reduction measures is established.

Annualized rate of occurrence (ARO) — This term characterizes, on an annualized basis, the frequency with which a threat is expected to occur. For example, a threat occurring once in 10 years has an ARO of 1/10 or 0.1; a threat occurring 50 times in a given year has an ARO of 50.0. The possible range of frequency values is from 0.0 (the threat is not expected to occur) to some whole number whose magnitude depends on the type and population of threat sources. For example, the upper value could exceed 100,000 events per year for minor, frequently experienced threats such as misuse-of-resources. For an example of how quickly the number of threat events can mount, imagine a small organization — about 100 staff members — having logical access to an information processing system. If each of those 100 persons misused the system only once a month, misuse events would be occurring at the rate of 1,200 events per year. It is useful to note here that many confuse ARO or frequency with the term and concept of probability (defined below). While the statistical and mathematical significance of these metrics tend to converge at about 1/100 and become essentially indistinguishable below that level of frequency or probability, they become increasingly divergent above 1/100 to the point where probability stops — at 1.0 or certainty — and frequency continues to mount undeterred, by definition.

Exposure factor (EF) — This factor represents a measure of the magnitude of loss or impact on the value of an asset. It is expressed as a percent, ranging from 0% to 100%, of asset value loss arising from a threat event. This factor is used in the calculation of single loss expectancy (SLE), which is defined below.
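The three definitions above fit together as a small calculation: SLE is the asset value scaled by the exposure factor, and ALE is the SLE scaled by the ARO. The following Python is an added worked example (not code from the Handbook) that carries the chapter's own figures through that calculation: the $1,000,000 loss expected once in 10,000 years, and the 100-person organization misusing a system once per person per month. The asset values and threat names in the register are constructed sample data, and the conversion from a frequency (ARO) to a probability of at least one event in a year assumes a Poisson arrival model, which is an assumption added here to illustrate the chapter's point that frequency and probability coincide below about 1/100 and diverge above it.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of a risk register (all sample values are constructed)."""
    name: str
    asset_value: float      # replacement/impact value of the asset, in dollars
    exposure_factor: float  # EF as a fraction: 0.0 (0%) .. 1.0 (100%)
    aro: float              # annualized rate of occurrence, events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF. EF is a percentage of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0% and 100%")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the chapter's formula, expressed in dollars per year."""
    if aro < 0:
        raise ValueError("ARO is a frequency and cannot be negative")
    return sle * aro


def aro_from_interval(years_between_events: float) -> float:
    """A threat expected once every N years has an ARO of 1/N."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def aro_from_population(actors: int, events_per_actor_per_month: float) -> float:
    """Aggregate ARO for a population of threat sources (e.g. 100 staff, once a month each)."""
    return actors * events_per_actor_per_month * 12


def annual_probability(aro: float) -> float:
    """Probability of at least one event in a year, ASSUMING Poisson arrivals at rate ARO.

    For small ARO this is numerically almost equal to the ARO itself; as the ARO
    grows the probability saturates at 1.0 while the frequency keeps climbing.
    """
    return 1.0 - math.exp(-aro)


def risk_register(threats: list[Threat]) -> list[dict]:
    """Compute SLE and ALE per threat and rank by ALE, highest first."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        rows.append({
            "name": t.name,
            "sle": sle,
            "aro": t.aro,
            "ale": annualized_loss_expectancy(sle, t.aro),
            "p_annual": annual_probability(t.aro),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed sample register. The first two rows reproduce the chapter's examples:
# a $1,000,000 loss once in 10,000 years, and 100 staff each misusing a system monthly.
SAMPLE_THREATS = [
    Threat("data center destroyed", 1_000_000.0, 1.0, aro_from_interval(10_000)),
    Threat("minor misuse of resources", 50.0, 1.0, aro_from_population(100, 1)),
    Threat("payroll file corrupted", 250_000.0, 0.4, aro_from_interval(5)),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_THREATS):
        print(f"{row['name']:<28} SLE=${row['sle']:>12,.2f}  ARO={row['aro']:>10.4f}  "
              f"ALE=${row['ale']:>12,.2f}  P(>=1/yr)={row['p_annual']:.4f}")
```

Ranking by ALE rather than by SLE is the point of the chapter's example: the catastrophic $1,000,000 event contributes only $100 a year, while a trivial $50 misuse at 1,200 events a year contributes $60,000, so the budget for safeguards should follow the annualized figure. The `p_annual` column shows the frequency-versus-probability divergence the ARO definition describes: at an ARO of 0.0001 the two are indistinguishable, while at 1,200 the probability is effectively 1.0.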

Information asset — This term, in general, represents the body of information an organization must have to conduct its mission or business. A specific information asset may consist of any subset of the complete body of information, i.e., accounts payable, inventory control, payroll, etc. Information is regarded as an intangible asset separate from the media on which it resides. There are several elements of value to be considered: first is the simple cost of replacing the information, second is the cost of replacing supporting software, and third through fifth are a series of values that reflect the costs associated with loss of the information’s confidentiality, availability, and integrity. Some consider the supporting hardware and netware to be information assets as well. However, these are distinctly tangible assets. Therefore, using tangibility as the distinguishing characteristic, it is logical to characterize hardware differently from the information itself. Software, on the other hand, is often regarded as information. These five elements of the value of an information asset often dwarf all other values relevant to an assessment of risk. It should be noted as well that these elements of value are not necessarily additive for the purpose of assessing risk. In both assessing risk and establishing cost justification for risk-reducing safeguards, it is useful to be able to isolate safeguard effects among these elements. Clearly, for an organization to conduct its mission or business, the necessary information must be present where it is supposed to be, when it is supposed to be there, and in the expected form. Further, if desired confidentiality is lost, results could range from no financial loss if confidentiality is not an issue, to loss of market share in the private sector, to compromise of national security in the public sector.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.