The paradox of the probability of occurrence

Press release 10/5/2006

What is the probability of the newly installed server breaking down, of unauthorised persons breaching the server room, or of confidential information getting into the wrong hands? Taken seriously, these and similar questions in the context of information technology can often only be answered after several years of experience. However, in order to perform real-time IT risk management, this information is required today and not in three years’ time. Numerous spontaneous discussions revolved around this paradox at the IT Risk Management Forum 2006 in Cologne.


Garbage in – garbage out
If one takes a look behind the scenes, there are basically two methods that dominate in practice at well-known companies: on the one hand, the ‘low – medium – high’ estimation and, on the other, the specification of a fictitious number based on a gut feeling. These are the values that are mostly entered into systems (supporting software tools), and they do not adequately reflect the probability of occurrence. To quote a well-known IT principle, ‘garbage in – garbage out’ just about sums up these methods.

The solution using the CRISAM method
The basic principle of the CRISAM® method is the ‘state of the art’ (see digression), which is used as the reference measure and expressed in the form of the Standard & Poor’s rating model. During the risk analysis, an audit evaluates the deviations (over- or under-fulfilment) against the state of the art. The quality level determined in this manner (the deviation from the state of the art) is then used to calculate the probability of occurrence. Hence, the quality of the risk object directly determines the probability of occurrence of a possible threat.


DIGRESSION: State of the art
State of the art is the development status of advanced processes, facilities or operating methods that allows the apparent assurance of the practical suitability of a measure to protect the health of employees. In determining the state of the art, comparable processes, facilities and operating methods that have been successfully proven in practice are to be referred to in particular.

What does Wikipedia say about ‘state of the art’?
The state of the art is a technical term and represents the technical possibilities at a certain point in time on the basis of established findings from science and technology.
It can be found in many regulations and contracts and is precisely defined by the relevant legal regulations.
State of the art also means that it is economically feasible. This does not mean that every company can afford the state of the art, but the majority of those in the industrial sector concerned can. State of the art is the development status of advanced processes, facilities or operating methods that allows the overall apparent assurance of the practical suitability of a measure with regard to the aspired goals (e.g. the goals of labour protection, environmental protection, security for third parties, profitability: i.e. in general in order to attain a generally high level in relation to the aspects to be considered). For IT risk management, CRISAM refers to information from the German BSI IT Basic Protection Manual, the ISO 27000 series of standards, ITIL, COBIT and the Austrian Security Manual.
