Loss in an organization
The value that should be used for an information asset within an organization is the income lost when the asset has to be repaired or replaced. While considering costs is important, the true value of an information asset lies in how much income it generates: its impact on revenue and profitability, and the damage to public image that not having the asset will cause. A good example is a server. Not having an operational server would hamper almost all operations within an organization; this would not only result in lost revenues and profits but would also damage the public image of the organization, leading to further losses of potential revenues and profits. The worth of the server therefore cannot simply be the cost of repairing or replacing it, as its value hinges on the critical role it plays within the organization, not just in revenue generation but also in maintaining a good public image.
The likelihood value of a vulnerability that must no longer be considered is 0. This therefore means that the likelihood of a particular vulnerability being successfully attacked is zero and as such the vulnerability must be removed from the list of potential vulnerabilities. The vulnerability is therefore of no value to the organization as it has no potential to result in any form of loss to the company, meaning it is of no consequence to the bigger picture.
Benchmarking is usually superior to cost benefit analysis in cases where the organization resembles the target organization in terms of best practice, both organizations operate within similar threat environments, and the resources within the two organizations are similar. Where similar best practices are employed, organizations are likely to encounter similar challenges, making benchmarking or baselining superior to the hypothetical cost benefit analysis. Further, operating within similar environments means similar vulnerabilities, so using another organization as a benchmark can help in the identification of vulnerabilities that might otherwise have gone undetected, giving the organization an edge when it comes to putting controls in place. It is, however, important that both organizations have similar resources for benchmarking to be done effectively. A cost benefit analysis will not capture all the market factors that benchmarking would in cases where the conditions described above have been met, meaning that if all of those conditions are met, benchmarking would be superior to a cost benefit analysis.
An organization’s risk appetite is defined by its willingness, or lack thereof, to deal with known risks. The manner in which organizations approach known risks may differ and may range from tolerating the risk, transferring the risk, treating it or even removing it. The organizations that opt to tolerate the risk are the ones that have the highest risk appetite. Knowing the organization’s risk appetite puts one in a good position when it comes to the development of strategy, as it allows one to know which risks must be removed, tolerated, transferred or treated. The final strategy developed is therefore better suited to the management and more harmonious, thus ensuring it is effective. Knowing the risk appetite of the organization also allows one to choose which vulnerabilities need to be dealt with, depending on which potential losses the organization considers acceptable.
1. i) Paper files: medium value
ii) Shared drives: critical value
iii) Electronic Document Management Systems: critical value
iv) Electronic records in the form of emails, personal drives, audio recordings and photo collections: all of medium importance
v) Published as well as unpublished literature: both of critical importance