In every organization, there are critical resources that must be identified and protect in order to support the organization's business functions. Every identified asset must be valued, and an asset value can be either tangible or intangible.
A tangible asset value is one that has an assigned monetary value and has a physical presence within the organization. The asset is valued based on its original cost minus depreciation. For example, how much would it cost to replace a web server?
An intangible asset value is one that is not physical, and it is hard to assess a monetary value to it. Therefore, when an organization wants to assess the value of an intangible asset, the organization should hire a financial professional. Examples of intangible asset value include trademarks, brand recognition, intellectual property, or patents.
Because risk is a cost-weighted measure of vulnerability, planners assign cost factors to recognized vulnerabilities according to the impact each might have on the organization's employees, facilities, customer base, or key business processes. An impact analysis with more specific categories might be developed to any arbitrary degree of detail using the many analysis tools available. A notional risk analysis tool may produce total risk scores by extending the previous vulnerability analysis.
In the example presented in the table below, cost factors and relative likelihood scores are multiplied across the vulnerability from left to right to quantify the risk associated with each specific vulnerability. In this analysis, a cost factor of 1 equates to "no effect." The far right column displays the total risk score. BP1, BP2, and BP3 stand for business processes 1, 2, and 3, respectively.
Risk Analysis | Employees | Facilities | Customers | BP1 | BP2 | BP3 | Total Risk | |
---|---|---|---|---|---|---|---|---|
Threat | Relative Likelihood | Cost | Cost | Cost | Cost | Cost | Cost | Total Risk |
VFLOOD4N | 3 | 1 | 3 | 1 | 1 | 2 | 1 | 18 |
VFIRE2Y | 3 | 3 | 2 | 1 | 4 | 1 | 1 | 72 |
VFIRE4Y | 1 | 1 | 2 | 1 | 2 | 2 | 2 | 16 |
VPOWER3Y | 2 | 2 | 2 | 3 | 4 | 4 | 2 | 1152 |
Source: UMGC course IFSM432 |
Cost factors representing the impact analysis for individual vulnerabilities are another area where you rely upon subjective judgments. For any given threat event, the impact on employees can range from a minor inconvenience, to financial difficulty, to injury, or even death. Similarly, disruption to a facility may prompt a simple safety inspection, a small repair, large-scale remodeling, or an entire demolition and reconstruction operation.
Due to natural interdependencies among employees, customers, suppliers, facilities, and equipment, a seemingly small vulnerability may end up disrupting one or more business processes. Therefore, planners must strive for a well-reasoned impact analysis for each specific vulnerability.