One of the most difficult questions to answer when implementing anything new in an IT infrastructure is: what is the risk? It doesn’t matter whether it’s a few lines of code, a new server or a completely new department – there is a risk, and assessing it is crucial to any implementation.
A method commonly used, particularly in IT projects, is quantitative risk assessment. The goal of this method is to work out what the risk is numerically. The key variables in this method are:
SLE – Single Loss Expectancy
ALE – Annualized Loss Expectancy
Calculating these variables is crucial to using this method. However, it takes quite an effort, so it’s not something you should do for a single computer, for example. It’s more a tool for organisational-level changes and can be used effectively in most projects at this scale. It can also be used retrospectively to assess the potential damage of security breaches, for example if someone was using a ninja proxy inside your network to download or upload illegal software.
These figures are normally easier to obtain in larger organisations, where there will usually be a finance department which can provide things like hardware and software budgets very easily. Assessing the value of other IT assets, like bespoke in-house software, can be a little more difficult and will often require an assessment from specialised staff or senior management.
Such software, though, is nothing compared to the most difficult to assess and potentially most valuable aspect of any organisation – data. The value of data is often at the very centre of an organisation’s purpose; it can be the resultant value of all the employees and possibly the most valuable aspect of any business.
Sometimes a business will need something a little more pragmatic, particularly larger businesses that need to assess risk quickly. Quantitative analysis gives a sounder foundation for decision-making concerning the tolerability of the danger of catastrophic accidents. Qualitative risk analysis, however, is more prevalent than quantitative because of the time and cost that quantitative analysis involves.