Managing Cisco Network Security, Second Edition

An attentive network administrator is always looking for the right strategy for information services security. You need to understand the risks you are facing, and assign resources to reduce and manage those risks. To do this correctly, one needs a quantitative security risk assessment. You write down all the potential adverse events, estimate the loss from such events, and calculate the probability of such events occurring. Multiplying the latter and then adding up the results gives a value known as the "Annual Loss Expectation" or "Expected Annual Costs."
For information security, this is a difficult problem on several levels. Writing down every potential adverse event is a complex and time-consuming task. Estimating the loss from such events is no trivial feat either. For risks like fire or earthquake, we at least have data culled over a long period of time. Risks due to information security events, on the other hand, are highly variable, and change over time as new tools emerge and new malicious code is distributed. Insurance companies are busy developing data for new information security insurance, but that data remains regrettably limited.
On the upside, undertakings of this sort produce hard numbers the kind a CEO can appreciate. It's a type of exercise that can be helpful when considering strategies or identifying where security resources should be deployed. Even a simple first-pass approach identify the crucial assets, think about what can go wrong for those assets, figure out some likely scenarios and assign likelihood can help with the decision-making...