From The Secure Arc Wiki


There is only a marginal difference between the charts associated with the Vulnerabilities and the Impact. The key difference is that instead of the volume based Environment score, we're looking at the associated dollar amounts. To get to this point, you need to look back at the Information Asset classification again. In the Vulnerability Environmental score section, we looked at the Information Assets that are impacted and took the highest rated score to assess the Collateral Damage rating. This time, we need to look at the cumulative dollar amounts for each exposed Information Asset.

To put this into perspective, if a Vulnerability exposes 5 different Information Assets, the amount of money that could be lost is not simply the amount associated with the most valuable asset. It is the total of all of those assets that will be exposed. Because we're talking about qualitative and subjective dollar values, we need to talk about ranges of losses rather than a particular figure. With the Environmental Score of the Vulnerability based on specific, well known volumes of Information Assets that are exposed, the 'criticality' of the exposures is finite, exact and quantitative. The dollar values are just educated guesses.

As a result, the Impact table should consist of the Vulnerability ID, the volume of Information Assets exposed and the range outlining the potential losses associated with it. To come up with the lower and upper ranges of the potential losses, look at the impact rating that the volume of Information Assets exposed is associated with and take the lower and upper values from the Revenue Classification table.

For example, if the quantity of Personal Data records exposed by a vulnerability results in a Medium-High impact rating, then the dollar impact is from the Medium-High value up to the High value in the Revenue Classification table for that asset.

If there are multiple assets associated with a single Vulnerability, add up all the lower bound values and all the upper bound values and use those totals as the range.
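As an added worked example (not the Secure Arc wiki's own material), the following Python builds the Impact table described above from a constructed Revenue Classification table. The asset names, rating scale, record counts, dollar values and the capping of the upper bound at the top rating are all assumptions.

```python
# Added example: builds the Impact table from a constructed Revenue
# Classification table. Ratings, asset names, volumes and dollar values
# are assumptions, not figures from the Secure Arc wiki.

# Ordered impact ratings, lowest to highest (assumed scale).
RATINGS = ["Low", "Medium-Low", "Medium", "Medium-High", "High"]

# Constructed Revenue Classification table: dollar value per rating, per asset.
REVENUE_CLASSIFICATION = {
    "Personal Data":   {"Low": 5_000, "Medium-Low": 25_000, "Medium": 100_000,
                        "Medium-High": 500_000, "High": 2_000_000},
    "Payment Records": {"Low": 10_000, "Medium-Low": 50_000, "Medium": 250_000,
                        "Medium-High": 1_000_000, "High": 5_000_000},
}

# Constructed exposures: vulnerability -> [(asset, records exposed, rating)].
# The rating is the one the exposed volume maps to in the Vulnerability chart.
EXPOSURES = {
    "VULN-001": [("Personal Data", 12_000, "Medium-High")],
    "VULN-002": [("Personal Data", 800, "Medium"),
                 ("Payment Records", 300, "Medium-Low")],
    "VULN-003": [("Payment Records", 50_000, "High")],
}

def loss_range(asset, rating):
    """Lower bound is the value at the rating; upper bound is the value one
    rating higher. At the top of the scale there is no higher rating, so the
    upper bound is capped at the High value (an assumption made here)."""
    table = REVENUE_CLASSIFICATION[asset]
    idx = RATINGS.index(rating)
    upper_rating = RATINGS[min(idx + 1, len(RATINGS) - 1)]
    return table[rating], table[upper_rating]

def impact_table(exposures):
    """One row per vulnerability: total records exposed and the summed
    lower/upper bounds across every asset the vulnerability exposes."""
    rows = {}
    for vuln_id, assets in exposures.items():
        volume = lower = upper = 0
        for asset, records, rating in assets:
            lo, hi = loss_range(asset, rating)
            volume, lower, upper = volume + records, lower + lo, upper + hi
        rows[vuln_id] = {"volume": volume, "lower": lower, "upper": upper}
    return rows

def prioritised(table):
    """Order used for the bubble/candlestick charts: largest upper bound first."""
    return sorted(table, key=lambda v: table[v]["upper"], reverse=True)

if __name__ == "__main__":
    for vuln_id, row in impact_table(EXPOSURES).items():
        print(f"{vuln_id}: {row['volume']:>6} records  "
              f"${row['lower']:,} - ${row['upper']:,}")
```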


Visualizing the Impacts

There are a couple of useful ways to visualise the Impact of the vulnerabilities. As with the Vulnerabilities and their Environmental Score, we can represent all of the Impacts of all Vulnerabilities in a bubble chart. Instead of an Environmental Score metric, we define the bubble size based on the upper bound of the dollar impact of the vulnerability. Consider the size of the bubble to represent the potential size of the impact and the actual value could be anywhere within that scope.

To more concisely describe the ranges and the amounts exposed by each vulnerability, a candlestick chart can be utilized. It's worth highlighting that the largest potential losses also have the largest range of potential losses, and therefore the most margin for error.


Up Next

At this stage we have some fairly solid, albeit subjective and qualitative, potential losses associated with each Vulnerability. The next step is to do something about it. The charts presented above should provide the details required to prioritize the issues to be addressed. To actually make a decision on what Countermeasures to put in place, we need to determine how best to reduce the exposure and impact of these Vulnerabilities and compare the cost to implement those Security Controls with the potential losses of not doing so.

This is explained in the Countermeasures phase.

