RISK ANALYSIS

The AIS facility upper management should begin development of the security program with a risk analysis. A risk analysis, as related to this chapter, is the study of potential hazards that could threaten the performance, integrity, and normal operations of an AIS facility. Experience at various commands shows that a quantitative risk analysis produces the following benefits:

• Objectives of the security program relate directly to the missions of the command.
• Those charged with selecting specific security measures have quantitative guidance on the type and amount of resources the AIS facility considers reasonable to expend on each security measure.
• Long-range planners receive guidance in applying security considerations to such things as site selection, building design, hardware configurations and procurements, software systems, and internal controls.
• Criteria are generated for designing and evaluating contingency plans for backup operations, recovery from disaster, and dealing with emergencies.
• An explicit security policy can be generated that identifies what is to be protected, which threats are significant, and who will be responsible for executing, reviewing, and reporting the security program.

Loss Potential Estimates

The first step to consider when preparing the risk analysis is to estimate the potential losses to which the AIS facility is exposed. The objective of the loss potential estimate is to identify critical aspects of the AIS facility operation and to place a monetary value on the loss estimate. Losses may result from a number of possible situations, such as:

• Physical destruction or theft of tangible assets. The loss potential is the cost to replace lost assets and the cost of delayed processing.
• Loss of data or program files. The loss potential is the cost to reconstruct the files, either from backup copies if available or from source documents, and possibly the cost of delayed processing.
• Theft of information. The loss potential because of theft is difficult to quantify. Although the command itself would sustain no direct loss, it clearly would have failed in its mission. In some cases, information itself may have market value. For example, a proprietary software package or a name list can be sold.
• Indirect theft of assets. If the AIS is used to control other assets, such as cash, items in inventory, or authorization for performance of services, then it may also be used to steal such assets. The loss potential would be the value of such assets that might be stolen before the magnitude of the loss is large enough to assure detection.
• Delayed processing. Every application has some time constraint, and failure to complete it on time causes a loss. In some cases the loss potential may not be as obvious as, for example, a delay in issuing military paychecks.

To calculate the loss potential for physical destruction or theft of tangible assets, AIS technical managers and upper management should construct a table of replacement costs for the physical assets of the AIS facility. The physical assets usually include the building itself and all its contents. This tabulation, broken down by specific areas, helps to identify areas needing special attention. While the contents of the typical office area may be valued at $100 to $500 per square foot, it is not unusual to find the contents of a computer room are worth $5,000 to $10,000 per square foot. The estimate is also helpful in planning for recovery in the event of a disaster.

The remaining four loss potential types listed are dependent on the characteristics of the individual data processing tasks performed by the AIS facility. AIS technical managers should review each task to establish which losses a facility is exposed to and which factors affect the size of the potential loss. Call on users to help make these estimates.
To make the best use of time, do a rapid, preliminary screening to identify the tasks that appear to have significant loss potential. An example of preliminary estimates is shown in table 4-1.

Having made a preliminary screening to identify the critical tasks, seek to quantify loss potential more precisely with the help of user representatives familiar with the critical tasks and their impact on other activities. Mishaps and losses that could occur should be considered, on the assumption that if something can go wrong, it will. The fact that a given task has never been tampered with, used for an embezzlement, or changed to mislead management in the command is no assurance that it never will be. At this stage of the risk analysis, all levels of management should assume the worst.

Threat Analysis

The second step of the risk analysis is to evaluate the threats to the AIS facility. Threats and the factors that influence their relative importance were listed earlier in this chapter. Details of the more common threats are discussed later in this chapter and, to the extent it is available, general information about the probability of occurrence is given. Use these data and higher authority instructions/manuals and apply common sense to develop estimates of the probability of occurrence for each type of threat.
Table 4-1.-Example of Preliminary Estimates of Loss Potential

While the overall risk analysis should be conducted by the AIS technical manager, other personnel at the AIS facility can contribute to the threat analysis, and their help should be requested. Table 4-2 includes a list of common threats at a shore AIS facility, with space for listing the agency or individual to contact should the need arise. Your AIS facility should have a similar list with local contacts for help and information.

Table 4-2.-Threat Help List

Annual Loss Expectancy

The third step in the risk analysis is to combine the estimates of the value of potential loss and probability of loss to develop an estimate of annual loss expectancy. The purpose is to pinpoint the significant threats as a guide to the selection of security measures and to develop a yardstick for determining the amount of money that is reasonable to spend on each of them. In other words, the cost of a given security measure should relate to the loss(es) against which it provides protection.

To develop the annual loss expectancy, construct a matrix of threats and potential losses. At each intersection, ask if the given threat could cause the given loss. For example, fire, flood, and sabotage do not cause theft-of-information losses; but, in varying degrees, all three result in physical destruction losses and losses because of delayed processing. Likewise, internal tampering could cause an indirect loss of assets. In each case where there can be significant loss, the loss potential is multiplied by the probability of occurrence of the threat to generate an annual estimate of loss.

Remedial Measures Selection

When the estimate of annual loss is complete, AIS upper management will have a clear picture of the significant threats and critical AIS tasks. The response to significant threats can take one or more of the following forms:

• Alter the environment to reduce the probability of occurrence. In an extreme case, this could lead to relocation of the AIS facility to a less-exposed location. Alternatively, a hazardous occupancy adjacent to or inside the AIS facility could be moved elsewhere.
• Erect barriers to ward off the threat. These might take the form of changes to strengthen the building against the effects of natural disasters, saboteurs, or vandals. (See the Security Manual and OPNAVINST 5530.14 for evaluation guidelines.) Special equipment can be installed to improve the quality and reliability of electric power. Special door locks, military guards, and intrusion detectors can be used to control access to critical areas.
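
The annual loss expectancy step and its use as a spending yardstick, worked through as an added example that is not part of the original manual. Every dollar figure and occurrence rate is constructed for illustration, and the function names are hypothetical.

```python
# Constructed figures for illustration; none come from the manual.
# Step 2 (threat analysis): estimated occurrences per year for each threat.
ANNUAL_RATE = {"fire": 0.02, "flood": 0.01, "sabotage": 0.005,
               "internal tampering": 0.10}

# Steps 1 and 3: matrix of threats and potential losses. Each cell is the
# loss potential in dollars if that threat causes that loss. An absent cell
# means the threat cannot cause the loss (fire, flood, and sabotage do not
# cause theft-of-information losses).
LOSS_MATRIX = {
    "fire": {"physical destruction": 2_000_000, "delayed processing": 400_000},
    "flood": {"physical destruction": 800_000, "delayed processing": 250_000},
    "sabotage": {"physical destruction": 300_000, "delayed processing": 100_000},
    "internal tampering": {"indirect theft of assets": 500_000,
                           "loss of data or program files": 60_000},
}


def ale_matrix(matrix, rates):
    """Multiply each cell's loss potential by its threat's annual rate."""
    return {threat: {loss: dollars * rates[threat]
                     for loss, dollars in row.items()}
            for threat, row in matrix.items()}


def ale_by_threat(matrix, rates):
    """Total annual loss expectancy per threat, largest first."""
    cells = ale_matrix(matrix, rates)
    totals = {threat: sum(row.values()) for threat, row in cells.items()}
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def measure_is_justified(threat, reduced_rate, annual_cost,
                         matrix=LOSS_MATRIX, rates=ANNUAL_RATE):
    """Yardstick: a measure that lowers a threat's rate is worth at most
    the annual loss it removes. Returns (justified, annual savings)."""
    exposure = sum(matrix[threat].values())
    savings = exposure * (rates[threat] - reduced_rate)
    return savings > annual_cost, savings


if __name__ == "__main__":
    for threat, ale in ale_by_threat(LOSS_MATRIX, ANNUAL_RATE):
        print(f"{threat:20s} ${ale:>10,.0f} per year")
    # A fire-suppression measure costing $20,000 a year (constructed).
    print(measure_is_justified("fire", reduced_rate=0.005, annual_cost=20_000))
```

With these constructed inputs, internal tampering ranks above fire even though a single fire costs far more, because its estimated probability of occurrence is five times higher.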