Professional Documents
Culture Documents
Contents
Risk Identification ................................................................................................................................... 1
Asset Value.............................................................................................................................................. 2
Single Loss Expectancy ............................................................................................................................ 2
Likelihood table ....................................................................................................................................... 3
Annual Loss Expectancy .......................................................................................................................... 3
Consequences/Impact table ................................................................................................................... 4
Threat Rating........................................................................................................................................... 4
Risk Identification
In order to detect risk in every SparQ’s departments, we have developed threat
scenarios for each department. The head of every department (HoDs) took this
responsibility by simulating threat scenarios on their own information assets. In order
to do this, a process has been created to assist HoDs
Identifying threats
Developing threat Clarifying type of
and vulnerabilities
scenarios (1) threat (3)
(2)
Asset Value
The list of Asset Value (AV) of every Information Assets (for both tangible and
intangible assets) will be provided from accounting department.
identified threats
By applying the formula SLE = Asset Value (AV) * Exposure Factor (EF), we come
to the list of SLE for each of department.
Likelihood table
A likelihood table has been developed in five level 1 (Almost Certain), 2 (Likely), 3
(Possible), 4 (Unlikely), 5 (Rare). In addition, the frequency of occurrence (ARO)
also integrated with likelihood table to help HoD choosing the ARO that fit with their
threat scenarios.
Consequences/Impact table
A consequence/impact table has been developed to determine threat rating. It came
with five rating: 5 (Insignificant), 4 (Minor), 3 (Moderate), 2 (Major) and 1
(Extreme)
Threat Rating
NOT VALID
FOR
REFERENCE
By mapping the two value Likelihood and ALE, this table help us to determine the
right risk rating for each of threats
For example: The threat ID #101 of CEO’s department have the ARO is 0.3 which is
match with level 4 Unlikely in likelihood table. And the ALE of the ID #101 threat
is 15,000$ which is match with rating 4 (Minor) in the consequence table. By using
MoD: SparQ Created Date: 15/09/2019 SC: INTERNAL
the above “Likelihood&Impact” table, we can map the threat rating by 4 x 4 mean
Minor
Update after consultation with Milton: We will use the Consequence Table to justify
the Risk of an Information Assets.