The topic of this week's seminar was quantifying and prioritizing loss potential.
Subtopics were presented in order for us to perform this. We initially went over risk and threat analysis. During this step, it is important to establish what is being protected (the asset) and what threatens this asset. Additionally, we must take care to analyse the likelihood of any threats we determine to exist. Next was assessing the criticality, or severity, involved with any loss of the asset. During this process we must approximate dollar values for any loss incurred. A three-stage approach followed, regarding meaningful solutions and their dollar values. Essentially, what occurs during this time is shopping around for solutions that can mitigate or prevent any potential loss of assets. The most cost-effective solutions will vary based on the assets and the likelihood of threats to them.

Not all threats are created equal, and I believe this to be the most important takeaway from the reading and this seminar. Security budgets aren’t blank checks, and many times companies sacrifice effectiveness in order to save money. This has the obvious effect of increasing the likelihood of loss occurring. Being able to quantify your losses and prioritize what you are willing to lose allows for efficient allocation of resources and can help minimize the probability that loss will occur, especially when companies skimp on their security budgets.