Risk assessment in the US military consists of a specific technique for estimating the expected loss per unit time, and a simple hill climbing strategy for reducing risk. The risk assessment process consists of 6 steps:
1 - Determine assets. 2 - Determine impact areas affecting each asset, and dollar values for each (asset,impact area) pair. 3 - Determine the existing threats, and assign a rating to each indicating the expected frequency of attack. 4 - For each impact area, chart assets and dollar values against threats and frequencies. 5 - Compute annual loss expectancy. 6 - Perform a 'countermeasures implementation and effectiveness review'.
Assets usually consist of hardware, software, personnel, administrative, data, communications, and physical assets. Relatively standard lists of typical assets are used to assure broad coverage. It is often difficult to get a good list of information assets.
Impact values are rated in each of four impact areas; disclosure, destruction, modification, and denial of access; according to a scale from 1 to 8, indicating the number of decimal places in the dollar value of assets. Thus a rating of 1 corresponds to $10, and 8 corresponds to $100,000,000. Disclosure of sensitive data is generally rated as 3 for 'FOR OFFICIAL USE ONLY', 4 for 'Privacy act, or confidential', 5 for 'secret', and 6 for 'top secret'. These values are only guidelines that are typically modified where applicable by the responsible manager. Destruction value is generally a function of the cost of replacement, which is very hard to define for experimental data and software. Modification value is almost universally underestimated because those who assess it tend to ignore the transitive effects of corruption. Denial of access is usually viewed in terms of the cost required to regain access and the consequential losses over the period of denial.
Attack frequencies are also rated on a logarithmic scale, with a rating of 1 corresponding to one successful attack in 300 years, 2 for once in 30 years, ..., 8 for once every 15 minutes. The problem in this area is that it is very difficult to get accurate figures for the frequency of successful attacks. Truly successful information attacks are undetected, so only detected attacks are usually considered in keeping statistics. These values are generally guessed at and argued over, but no scientifically accurate studies have been done because they are not properly funded and respondents are often less than candid. Business (and government) is a confidence game, in which the release of the fact of a $100,000,000 loss occurred, would cause substantial harm due to a loss of confidence in the company reporting such a loss. Somehow, promises of confidentiality just don't convince people to be candid.
Once values have been determined, threats and their attack frequencies are listed as rows in a table, with assets and their corresponding impact values listed as columns in the same table. Each impact area is given a separate chart, with entries formed for each applicable threat by looking up the (asset value, attack frequency) pair in a chart with $0.03 corresponding to rating (1,1), and the value increasing by a factor of 10 for every step in the X or Y direction. This chart is then summed by row and column to determine expected losses by threat and by asset, and a total expected loss is computed for each impact area. Expected loss is then decreased by the following technique:
1 - Identify threats with the greatest potential for harm. 2 - Identify countermeasures for these threats. 3 - For each countermeasure, estimate the cost of implementation, the resulting change in successful attack frequency, and calculate the projected savings. 4 - Divide the projected savings by the annual cost of the countermeasure to obtain the return on investment. 5 - Develop short and long term plans to implement all cost effective countermeasures, starting with those with the highest return on investment.