Extracted 27SEP2011 from http://riskmanagementinsight.com/riskanalysis/?p=641

The whole concept of asset valuation (as it exists for information security) is predicated on the assumption that acquisition cost is a good constituent factor of security risk. So, how do we evaluate the asset valuation landscape?

Let’s start with our international standard for risk assessments: ISO 27005. There is a relatively lengthy discussion of asset valuation in Appendix B.2 (read here for Alex’s 27005 review). This is encouraging, however the discussion very quickly devolves from “what does it cost to replace this” to what they term “consequences.” Consequences are what happen as a result of having the asset. What does this mean? Well, they offer a list of things that may help (they make a point to let you know this might not be a complete list):

• Interruption of service
• Inability to provide the service
• Loss of customer confidence
• Loss of credibility in the internal information system
• Damage to reputation
• Disruption of internal operation
• Disruption in the organization itself
• Additional internal cost
• Disruption of a third party’s operation
• Disruption in third parties transacting with the organization
• Inability to fulfill legal obligations
• Inability to fulfill contractual obligations
• Danger for the organization’s personnel and / or users
• Attack on users’ private life

[The author of this post compares this framework to Factor Analysis of Information Risk (see http://fairwiki.riskmanagementinsight.com/), referred to as FAIR, because he is unconvinced that the subjectivity and complexity of ISO 27005, in practice, leads to actionable situation assessments and expeditious decision making.]