Home page logo

basics logo Security Basics mailing list archives

RE: Getting the value of an asset and the probability of a risk to it
From: "Rivest, Philippe" <Rivestp () metro ca>
Date: Tue, 20 May 2008 10:21:54 -0400

Good day to you all,

        two of my main questions stills hold unanswered.

--Question 1--
#Last question, i understand that the human are the enterprises most valuable asset. If so, how much would one value's 
anothers life in a #quantitative evaluation. 
(i would also be curious to know if this would be politicly correct to say that a lumber worker is worth 125 000$ (life 
value) and that his director is worth 150 000$ to the compagny. And if not, how would you use the data in a 
quantitative assestment with these value)

--Question 2--
#Also in link to this question, if you value the life of someone to X, would you stop investing in protection at X or 
#X-1$ or would you go as #far as you can (considering that this could put a serious bill up). Would you consider human 
in a risk assesment?
I would like to clarify that a protection of an asset should cost less then the value of the asset, hence if a life is 
valued at X how can you justify X++$ and more importantly if you go over the value of the life where do you stop and 
how do you justify stoping?)

Thanks for all the great feedback i have gotten, for all those who would like to know heres a PDF (that i have yet to 
read) that one of you kindly shared to me. So for everyone else:


Again many thanks, hoping to get this juicy question answered :P


Philippe Rivest, Certified Ethical Hacker

Analyste en sécurité de l'information

Métro Richelieu


►Avant d'imprimer, demandez-vous si c'est nécessaire!

►Before printing, ask yourself if you really need to!

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de Craig Wright
Envoyé : samedi 17 mai 2008 20:49
À : Jon.Kibler () aset com; Sergio Castro; security-basics () securityfocus com; Rivest, Philippe
Objet : RE: Getting the value of an asset and the probability of a risk to it

So the real question Jon.

How do you do any qualitative risk modelling that is not a measure of perception or laughable?


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received 
this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. 
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () 
bdo com au 

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved 
under Professional Standards Legislation.
-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jon Kibler
Sent: Saturday, 17 May 2008 12:01 PM
To: Sergio Castro; security-basics () securityfocus com; Rivestp () metro ca
Subject: Re: Getting the value of an asset and the probability of a risk to it

Hash: SHA1

Sergio Castro wrote:
Hi Philippe,

The only true way of doing a quantitative risk assessment on an asset is using statistics.

In theory, yes.

In reality, it just doesn't work that way.

For example: Historically, the chances of a Windows box on a secure network getting rooted were less than 1 in 100,000. 
But if you use that as a basis for computing future risk, I would argue that the historical data has absolutely zero to 
do with reality today or in the future.

I would suspect that within the next 12 to 24 months, the chances of a Windows box on a secure network getting rooted 
are about 1 in 1,000. So, if you use statistics based on historical data, your risk assessment is off by two orders of 
magnitude! (These numbers are for illustrative purposes only! I just created these numbers by AE, but they are probably 
within an order of magnitude of being correct.)

So, when projecting risk for the next 5 years, from where do you get the data to form your statistical basis for risk?

Another example: A couple of years ago I heard Gadi Evron talk about hardware rootkits (in BIOS, Video NRAM, NICs, 
Routers, etc.). Most people laughed at the idea. And now, what is the big anticipated talk at EusecWest? IOS Rootkits.

Again, how do you base risk on historical data, or do any type of risk modeling when historical data is not applicable 
today and no one has a reasonable guess for the future? To use statistics, it has to be based on data. When historical 
data is not representative of current / future risk, it is not a valid basis for forming statistical projections -- of 
risk, or anything else for that matter.

As I said previously, it is essentially impossible in today's I.T.
security environment to do quantitative risk assessment that stands any chance of passing the laugh test.

Except perhaps for risks associated with Mother Nature. And with climate change, who knows how accurate those data will 

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]