Security in any system should be proportionate to its risks. However, the process of determining which security controls are appropriate and cost effective is often complex and sometimes subjective. One of the prime functions of the Polar security risk analysis is to approach this process from a more objective standpoint.
There are a number of distinct approaches to risk analysis, and we follow several of them. Essentially, however, they break down into two types: quantitative and qualitative.
Quantitative Risk Analysis
This approach employs two fundamental elements: the probability of an event occurring, and the likely loss should it occur.
The two elements are combined into a single figure, called the ‘Annual Loss Expectancy (ALE)’ or the ‘Estimated Annual Cost (EAC)’. It is calculated for an event by multiplying the potential loss per occurrence by the probability of the event occurring in a year. It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions based upon that ranking.
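The ALE ranking described above, worked through as an added example (this is illustrative code, not Polar Afpro Security's own tooling). The event names, loss figures, probabilities and control costs are constructed for the example. It also goes one step beyond the text: because a single control frequently addresses several events, each control is modelled as a set of per-event ALE reductions (an assumption of this example), and its annual cost is compared against the total ALE it removes so that the cost-effectiveness question raised at the top of the page can be answered in the same units.

```python
"""Annual Loss Expectancy (ALE) ranking and control cost-benefit.

Added worked example; not code from Polar Afpro Security. All event
names, loss figures, probabilities and control costs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    name: str
    potential_loss: float      # expected loss per occurrence (currency units)
    annual_probability: float  # expected occurrences per year (may exceed 1 for frequent events)

    def ale(self) -> float:
        """ALE (also called EAC) = potential loss x annual probability."""
        return self.potential_loss * self.annual_probability


@dataclass(frozen=True)
class Control:
    """A countermeasure that may address several events at once.

    `reductions` maps event name -> fraction by which the control cuts that
    event's ALE (0.0 = no effect, 1.0 = eliminates it). Modelling a control
    as a per-event fraction is an assumption of this example.
    """
    name: str
    annual_cost: float
    reductions: Dict[str, float]


def rank_by_ale(events: List[Event]) -> List[Event]:
    """Return events sorted from highest to lowest ALE."""
    return sorted(events, key=lambda e: e.ale(), reverse=True)


def ale_reduction(control: Control, events: List[Event]) -> float:
    """Total ALE removed per year by a control, summed over every event it addresses."""
    by_name = {e.name: e for e in events}
    total = 0.0
    for name, fraction in control.reductions.items():
        if not 0.0 <= fraction <= 1.0:
            raise ValueError(f"reduction for {name!r} must lie in [0, 1]")
        if name in by_name:  # reductions for events not in scope are ignored
            total += by_name[name].ale() * fraction
    return total


def net_benefit(control: Control, events: List[Event]) -> float:
    """ALE reduction minus the control's annual cost; positive means cost effective."""
    return ale_reduction(control, events) - control.annual_cost


# Constructed sample data: three events and three candidate controls.
EVENTS = [
    Event("fire in server room", potential_loss=500_000, annual_probability=0.02),
    Event("ransomware outbreak", potential_loss=200_000, annual_probability=0.10),
    Event("laptop theft", potential_loss=5_000, annual_probability=1.5),
]

CONTROLS = [
    Control("fire suppression system", annual_cost=6_000,
            reductions={"fire in server room": 0.8}),
    # One control addressing two interrelated events: backups help after
    # ransomware and also after a fire destroys the primary systems.
    Control("offline backups", annual_cost=6_000,
            reductions={"ransomware outbreak": 0.7, "fire in server room": 0.3}),
    # A control that removes most of an event's ALE but still costs more
    # than it saves, so it ranks as not cost effective for these figures.
    Control("full-disk encryption", annual_cost=12_000,
            reductions={"laptop theft": 0.9}),
]

if __name__ == "__main__":
    for e in rank_by_ale(EVENTS):
        print(f"{e.name:25s} ALE = {e.ale():>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:25s} net benefit = {net_benefit(c, EVENTS):>+10,.0f}")
```

With these figures the ransomware event ranks first (ALE 20,000), fire second (10,000) and laptop theft third (7,500); offline backups show the largest net benefit precisely because they address two events at once, while full-disk encryption has a negative net benefit despite cutting most of its event's ALE. Changing any probability moves the ranking, which is the data-sensitivity caveat the quantitative approach carries.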
The challenges with this type of risk analysis are usually associated with the unreliability and inaccuracy of the data. Probabilities can rarely be estimated precisely, and a precise-looking figure can, in some cases, promote complacency. In addition, controls and countermeasures often address a number of potential events, and the events themselves are frequently interrelated, so a single event and its control cannot always be assessed in isolation.
Qualitative Risk Analysis
Qualitative risk analysis is by far the most widely used approach to risk analysis. Probability data is not required; only the estimated potential loss is used.
The Polar Afpro Security qualitative risk analysis methodology makes use of a number of interrelated elements:
Threats – These are things that can go wrong or that can ‘attack’ the security system. Examples might include fire or a deliberate attack. Threats are ever present for every system.
Vulnerabilities – These make a system more prone to attack by a threat, or make an attack more likely to succeed or to have an impact. For example, for the threat of fire, a vulnerability would be the presence of flammable materials.
Assets
Controls – Polar Afpro Security uses four types of countermeasures for vulnerabilities:
a) Deterrent controls reduce the likelihood of a deliberate attack.
b) Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
c) Corrective controls reduce the effect of an attack.
d) Detective controls discover attacks and trigger preventative or corrective controls.