Security - Telenor
Firstly, the aggregate risk exposure for a given<br />
time period should be presented when the previous<br />
analyses are quantitative. Aggregate risk exposure<br />
is defined as<br />
Aggregate risk exposure = Σ_T (frequency × consequence)<br />
where Σ_T is the summation over the T threats (in<br />
this article a threat includes vulnerabilities and<br />
unwanted events), frequency is the number of<br />
expected incidents in a given time period and<br />
consequence is the economic consequence per<br />
incident.<br />
Secondly, the exposure description should be<br />
as clear, concise and informative as possible.<br />
Therefore, while the aggregate risk exposure is<br />
precise, it is not informative in terms of individual<br />
threats. To this end, the individual risks can<br />
be presented in a table, a matrix or in a verbal<br />
narrative.<br />
Thirdly, the exposure description must follow<br />
a format similar to the decision-maker’s acceptance<br />
criteria. Acceptance criteria are ideally expressed<br />
by the decision-maker before the risk<br />
analysis starts, and they represent the level of<br />
risk the decision-maker can accept.<br />
There is usually not enough data to support stating<br />
the aggregate risk as a single number. In<br />
addition, many of the finer points of the analysis<br />
are lost when the result is aggregated into a single<br />
number. Tabulated risks are effective only<br />
when the decision-maker is comfortable with<br />
this format, and verbal descriptions are often too<br />
verbose. Therefore, <strong>Telenor</strong> recommends using a<br />
risk matrix to present the acceptance criteria and<br />
the risk exposure; see Figure 2.<br />
The two axes are frequency and consequence.<br />
The granularity of the axes must be suitable for<br />
the purpose of the analysis. Usually four or five<br />
suitably labelled intervals are sufficient. Each<br />
threat is then plotted according to the result of<br />
the frequency and consequence analysis.<br />
It is vital to ensure that the verbal label one<br />
assigns to the intervals is acceptable to the<br />
reader. For instance, the label Insignificant is<br />
probably offensive when the consequence of a<br />
threat is life threatening injuries or permanent<br />
disability.<br />
It is also necessary to explain what the labels<br />
mean. For instance, Possible might mean “between<br />
1 and 10 occurrences per decade”, and<br />
Substantial could be “between NOK 100,000<br />
and NOK 250,000 per incident”. The expected<br />
economic risk of a threat plotted in the cell possible/substantial<br />
in this example is between NOK 250,000 and NOK 10,000 per year.<br />
Telektronikk 3.2000<br />
[Figure 2 residue: consequence axis labels Insignificant, Substantial, Serious, Disastrous]<br />
The analyst will have to assign a qualitative meaning<br />
to the label if it is not possible to quantify the<br />
threats. For instance, Disastrous might mean<br />
“National media will have a feeding frenzy leading<br />
to significant loss of reputation to <strong>Telenor</strong>,<br />
discontinued service of the TOE and customers<br />
claiming substantial monetary compensation in<br />
addition to a significant number of customers<br />
fleeing from other <strong>Telenor</strong> products or services”.<br />
A decision-maker usually hesitates to implement<br />
remedial action unless the cost of loss prevention<br />
is less than or equal to the risk exposure.<br />
Therefore, the risk exposure should be stated in<br />
economic terms whenever possible – in addition<br />
to the risk matrix.<br />
In a real world of risk analysis it is often necessary<br />
to assign both qualitative and quantitative<br />
definitions to the labels.<br />
Deciding Whether a Risk is Acceptable<br />
Deciding what is acceptable is the decision-maker’s<br />
responsibility. As mentioned previously,<br />
the decision-maker should express the<br />
acceptance criteria before the analysis begins.<br />
When this is done, the risk analysis team can<br />
determine whether a risk is acceptable or not,<br />
without setting up a meeting with the decision-makers.<br />
A recommended format for the acceptance criteria<br />
is the risk matrix. The unacceptable risk<br />
exposure is quite simply shaded; in Figure 3 the<br />
unacceptable risk exposure is shaded in a darker<br />
colour. The decision-maker’s intentions are easily<br />
understood: any threat plotted in a shaded<br />
area is unacceptable.<br />
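As an added worked example (not from the article), the following Python puts the definitions above together: the expected economic risk range of a matrix cell from the interval labels, the aggregate risk exposure Σ_T (frequency × consequence) over a set of threats, and the acceptance check against the shaded (unacceptable) cells of the matrix. Only the Possible and Substantial intervals come from the article; the remaining intervals, the shaded cells and the threat names are constructed assumptions.<br />

```python
from dataclasses import dataclass

# Frequency intervals in occurrences per decade. "Possible" (1-10 per decade) is the
# article's example; the other three intervals are constructed assumptions.
FREQUENCY = {
    "Improbable": (0, 1),
    "Possible": (1, 10),
    "Usual": (10, 100),
    "Common": (100, 1000),
}

# Consequence intervals in NOK per incident. "Substantial" (100,000-250,000) is the
# article's example; the other three intervals are constructed assumptions.
CONSEQUENCE = {
    "Insignificant": (0, 100_000),
    "Substantial": (100_000, 250_000),
    "Serious": (250_000, 1_000_000),
    "Disastrous": (1_000_000, 10_000_000),
}

# Acceptance criteria as the shaded cells of the matrix (constructed assumption,
# standing in for the darker cells of the article's Figure 3).
UNACCEPTABLE_CELLS = {
    ("Common", "Substantial"),
    ("Usual", "Serious"), ("Common", "Serious"),
    ("Possible", "Disastrous"), ("Usual", "Disastrous"), ("Common", "Disastrous"),
}

@dataclass(frozen=True)
class Threat:
    name: str          # threat, vulnerability or unwanted event
    frequency: str     # a FREQUENCY label from the frequency analysis
    consequence: str   # a CONSEQUENCE label from the consequence analysis

def cell_exposure_per_year(freq_label: str, cons_label: str) -> tuple[float, float]:
    """Expected economic risk (low, high) in NOK per year for one matrix cell."""
    f_lo, f_hi = FREQUENCY[freq_label]      # occurrences per decade
    c_lo, c_hi = CONSEQUENCE[cons_label]    # NOK per incident
    return (f_lo * c_lo / 10, f_hi * c_hi / 10)  # divide by 10: per decade -> per year

def aggregate_exposure(threats) -> tuple[float, float]:
    """Aggregate risk exposure = sum over threats of frequency * consequence, as a range."""
    ranges = [cell_exposure_per_year(t.frequency, t.consequence) for t in threats]
    return (sum(lo for lo, _ in ranges), sum(hi for _, hi in ranges))

def unacceptable_threats(threats, shaded=UNACCEPTABLE_CELLS) -> list[str]:
    """Names of threats plotted in a shaded cell, i.e. outside the acceptance criteria."""
    return [t.name for t in threats if (t.frequency, t.consequence) in shaded]
```

For the article's own cell, possible/substantial, the function returns the NOK 10,000 to NOK 250,000 per year range quoted in the text.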
Recommending Loss Reduction Measures<br />
The plotted acceptance criteria, which describe<br />
the level of risk a decision-maker accepts, and<br />
the risk exposure of each individual threat will<br />
reveal whether<br />
[Figure 2 Risk matrix: frequency axis labels Improbable, Possible, Usual, Common]<br />