Your answer was selected as a Good Answer
Your Public Answer:
“Hi ....., I agree with the previous comments. Quantitative risk calculation can only get serious when you define your input variables in detail. The C x I x A x T x V formula you have mentioned will give you some numbers, like any other combination based on your definition with availability, vulnerability etc., but I do not recommend using this formula. You need to add the probability and the impact components of vulnerabilities for a better calculation (if they are not a part of your vulnerability definitions). If it is possible, I recommend using a proven risk management framework. Even in this scenario you need to set your definitions and customize the framework.

A good start address: http://wwwt.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf

Basically asset risk can be calculated with the answers to the following questions (from infosec handbook):

- What could happen? (What is the threat?)
- How bad could it be? (What is the impact or consequence?)
- How often might it happen? (What is the frequency?)
- How certain are the answers to the first three questions? (What is the degree of confidence?)

Here is a more common approach with which you can formulate your risk calculation at a high level:

- Asset: Target of protection
- Asset Value (AV): Cost or replacement cost of your assets
- Exposure Factor (EF): Percentage of asset value that might be lost if things go wrong
- Single Loss Expectancy (SLE): Money lost if the risk happens, SLE = Asset Value (AV) x Exposure Factor (EF)
- Annualized Rate of Occurrence (ARO): This is the frequency element of risk (number of repetitions of a risk factor in a unit of time/year); for example, the probability of a major flood vs. an operator typing a wrong password is different.
- Annualized Loss Expectancy (ALE): When you multiply your expected loss by the frequency you get the cost of risk on an asset over a one year period, ALE = SLE x ARO

A Google search on these keywords (ale aro sle) brings out several examples. As I have stated above, even the most quantitative method is relative, but the attempt to normalize and measure risk is a very good start. Let me know if you have a specific question.

regards,
- yinal ozkan”
Sunday, August 26, 2007
When calculating information asset risk, does the formula C x I x A x (T xV) work?
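As an added illustration of the AV / EF / SLE / ARO / ALE chain described in the answer above (example code written for this page, not part of the original post), the small risk register below uses constructed asset values and rates; the point it makes is that a frequent, low-impact event can carry a larger annualized loss than a rare catastrophe, so ranking by ALE rather than by single-loss size changes where the budget goes.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    asset_value: float      # AV: cost or replacement cost of the asset
    exposure_factor: float  # EF: fraction of AV lost when the risk materialises (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (may be < 1 or > 1)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF (loss from one occurrence)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO (expected loss per year)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def rank_by_ale(assets):
    """Return the register ordered from highest to lowest annualized loss."""
    return sorted(assets, key=lambda a: a.ale(), reverse=True)


# Constructed register: values are illustrative, not from any real assessment.
REGISTER = [
    # rare but catastrophic: once every 50 years, half the asset lost
    Asset("data centre (major flood)", 2_000_000.0, 0.50, 0.02),
    # frequent but minor: a lockout/reset roughly every working day
    Asset("operator console (wrong password lockout)", 5_000.0, 0.10, 250.0),
    # in between: one ransomware incident every four years
    Asset("customer database (ransomware)", 800_000.0, 0.35, 0.25),
]

if __name__ == "__main__":
    print(f"{'asset':48} {'SLE':>12} {'ARO':>8} {'ALE':>12}")
    for a in rank_by_ale(REGISTER):
        print(f"{a.name:48} {a.sle():12,.0f} {a.aro:8.2f} {a.ale():12,.0f}")
```

Run as a script it prints the register sorted by ALE; the console lockouts (ALE 125,000) outrank the flood (ALE 20,000) even though a single flood costs fifty times more.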