Security breaches can occur because of defective software designs, bad system configurations, defective communication protocols, lack of awareness of security procedures or recklessness, improper procedures, and so forth (Pedro & Ashutosh, 2010). A series of measures (otherwise known as models) and metrics have been formulated to tighten security. Their purpose is to provide a means to evaluate both the process and the ways of tightening security and the outcome (i.e. whether security has, indeed, been improved). These models and metrics have resulted in improved outcomes in achieving information assurance and security. The difference between models and metrics is that, whilst models provide measurements of discrete factors at a single point in time, metrics are derived by comparing two or more measurements taken over a period of time. Models, in other words, come as a result of counting, whilst metrics are generated by analysis; stated still another way, measurements are raw digits and facts, whilst metrics are objective or subjective interpretations of these data points (Chowdhary & Mezzeapelle, n.d.).
There are various types of models and metrics. These include:
1. Implementation measures that are used in connection with implementing information security programs, specific security controls, and similar policies and procedures. Operational metrics are developed from these measures; they are usually quantitative and are aimed at business unit managers, security staff in the business unit, and security managers.
2. Effectiveness / efficacy measures that assess whether program-level processes and system-level security controls are used correctly and providing the desired outcome. Efficacy metrics are derived from these.
3. Business impact measures that are used to describe the impact of information security on an organization's goals. Business-centric metrics are developed from these measures and are usually practical, comprehensive and analytical, with the audience generally consisting of senior executives and other leading personnel (Chowdhary & Mezzeapelle, n.d.).
There are many different quantitative and qualitative metrics designed to assess and reduce risk. Both types -- qualitative and quantitative -- have their advantages and disadvantages. One of the most well-known quantitative risk metrics is the calculation of annual loss expectancy (ALE) (Bojanc & Jerman-Blazoc, 2008). The ALE calculation starts from the monetary loss associated with a single occurrence of the risk, popularly known as the single loss expectancy (SLE). The SLE is a monetary amount assigned to a single event that represents the amount the organization will potentially lose when the threat materializes. For intangible assets, this amount can be quite difficult to assess.
The SLE is calculated by multiplying the monetary value of the asset (AV) by the exposure factor (EF). The EF represents the percentage of the asset's value that a threat can destroy in one occurrence. The equation, therefore, is: SLE = AV * EF. Applying this practically, if the AV of an e-commerce web server is $50,000 and a virus infection causes a loss of 35%, the SLE in this case is $17,500.
Once the SLE has been calculated, the organization then consults the annual rate of occurrence (ARO) in order to assess how often this particular risk is expected to occur in one year if nothing is done to mitigate it. The calculation to determine the annual loss expectancy is ALE = SLE * ARO.
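The following is an added worked example, not code from the source paper or the works it cites. It carries the SLE and ALE formulas above through the web server figures on the page ($50,000 asset value, 35% exposure factor) and goes one step beyond the text: since the ARO is the expected frequency "if nothing is done to mitigate it", the example also compares the ALE before and after a candidate control, which is how the metric is normally used to decide whether a safeguard pays for itself. The ARO of 0.5 (one infection every two years), the post-control exposure factor and frequency, and the $2,000 annual control cost are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed with the page's three inputs."""

    asset_value: float      # AV: monetary value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF, rounded to cents."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE * ARO, rounded to cents."""
        return round(self.sle() * self.aro, 2)


def control_value(before: RiskScenario, after: RiskScenario,
                  annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus what the control costs per year.

    A positive result means the control is expected to save more than it costs;
    a negative result means the organization would pay more for the control than
    the loss it prevents. Both scenarios must describe the same asset.
    """
    if before.asset_value != after.asset_value:
        raise ValueError("before/after scenarios must describe the same asset")
    return round(before.ale() - after.ale() - annual_control_cost, 2)


def worked_example() -> dict:
    """The page's web-server figures plus constructed mitigation assumptions."""
    # From the page: AV = $50,000, EF = 35%. ARO = 0.5 is a constructed assumption.
    unmitigated = RiskScenario(asset_value=50_000, exposure_factor=0.35, aro=0.5)
    # Constructed assumption: anti-malware plus patching cuts the loss per event
    # to 10% of the asset and the frequency to once every five years, at $2,000/year.
    mitigated = RiskScenario(asset_value=50_000, exposure_factor=0.10, aro=0.2)
    control_cost = 2_000
    return {
        "sle": unmitigated.sle(),                       # 17500.0
        "ale": unmitigated.ale(),                       # 8750.0
        "ale_with_control": mitigated.ale(),            # 1000.0
        "net_control_value": control_value(unmitigated, mitigated, control_cost),  # 5750.0
    }


if __name__ == "__main__":
    for name, dollars in worked_example().items():
        print(f"{name:>20}: ${dollars:,.2f}")
```

Note that the calculation is only as good as its inputs: the page itself warns that the exposure factor is hard to estimate for intangible assets, and the ARO is usually taken from incident history or industry data rather than known exactly, so in practice the result is best read as an order of magnitude rather than a precise figure.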