feature
feature
IT Asset Valuation, Risk Assessment and
Control Implementation Model
The first steps in information security strategic
planning in any form of business are risk
management and risk evaluation. This is necessarily
broad, including business processes, people and
physical infrastructure, as well as the information
system. The security risk evaluation needs to
assess the asset value to predict the impact and
consequence of any damages, but it is difficult
to apply this approach to systems built using
knowledge-based architectures.1 Knowledge-
based systems attempt to represent knowledge
explicitly via tools, such as ontologies and rules,
rather than implicitly via procedural code, the way
a conventional computer program does. Usually,
professionals face challenges to give assurance for
organizations on asset valuation, risk management
and control implementation practices due to the
nonexistence of clear and agreed-on models and
procedures. The main objective of this article
is to propose simple and applicable models for
professionals to measure, manage and follow up
on assets, risk and controls implementation in the
organization.
An ISACA® Journal volume 5, 2016, article titled
“Information Systems Security Audit: An Ontological
Framework”2 briefly describes the fundamental
concepts (owner, asset, security objectives,
vulnerability, threat, attack, risk, control and security
audit) and their relationships to the whole security
audit activities/process. This article proposes
different models that help to measure and implement
concepts objectively by using the previously
proposed ontological framework and empirical study.
The objectives are to identify risk-based auditable
Shemlse Gebremedhin Kassa CISA, CEH
Is a systems and IT auditor for United Bank S.C. and a security
consultant for MASSK Consulting in Ethiopia. He has a
multidisciplinary academic and practicum background in business and
IT with more than 10 years of experience in accounting, budgeting,
auditing, controlling and security consultancy in the banking and
financial industries. Kassa is highly motivated and engaged in IT
security projects and research, and he strives to update current
systems and IT audit developments to keep up with the dynamically
changing world and ever-increasing challenge of cybercrimes and
hacking. He has published articles in local and international journals
including the ISACA Journal.
©2017 ISACA. All rights reserved. www.isaca.org
areas required to carry out asset valuation and to
help measure risk and identification of the existing
control gap of the company’s IT assets for regulatory,
management and audit purposes.
The previous ontological framework briefly presents
concepts hierarchically from asset valuation to
control implementation processes for a specific
asset based on the summarized steps. This article
shows how to take the steps sensibly:
1. Identify the owner and custody of the asset.
2. Identify and list information systems assets of
the organization. (List all interfacing applications,
people, hardware or other containers for each
asset.)
Containers are the place where an information
asset or data “lives” or any type of information
asset (data) is stored transported or processed.3
3. Identify the security objectives of confidentiality,
integrity and availability (CIA) and a weighting
of the asset to conduct an impact assessment
based upon the criticality of the asset to the
operation of the company.
4. Identify the asset’s security categories and its
estimated value.
5. Determine the threat and vulnerability’s
quantitative value and rates.
6. Estimate the probability of occurrence/likelihood
of impact.
7. Identify existing controls and perform a gap
analysis.
Asset Identification, Valuation and
Categorization
Identification, valuation and categorization of
information systems assets are critical tasks of
the process to properly develop and deploy the
required security control for the specified IT assets
(indicate data and container). Organizations or
individuals able to implement security for assets by
using this model must first identify and categorize
the organization’s IT assets that need to be
protected in the security process.
ISACA JOURNAL VOL 3 1
Mapping an information asset (such as data) to all
of its critical containers leads to the technology
assets, physical records and people that are
important to storing, transporting and processing
the asset.4 The map of information assets will be
used to determine all of the information assets
that reside on a specific container. In addition, the
value of a container depends on the data that are
processed and transported (through the network)
or stored (reside) within that specific container.
Security audits should look into how the data or
information is processed, transferred and stored in
a secured manner.5
Security audits
should look into
how the data or
information is
processed, transferred
and stored in a
secured manner.
Risk Assessment and Management
The risk assessment comprises the qualitative
assessment and quantitative measurement of
individual risk, including the interrelationship of their
effects. Risk management constitutes a strategy
to avoid losses and use available opportunities or,
rather, opportunities potentially arising from risk
areas.6 Normally, no single strategy will be able
to cover all IT asset risk, but a balanced set of
strategies will usually provide the best solutions.
Once the risk is identified, it can be evaluated as
acceptable or not. If it is acceptable, no further
actions are required other than communicating and
monitoring the risk, but if the risk is not acceptable,
it must be controlled through four separate options
of prevention and/or mitigation measures:
1. Reduce the impact.
©2017 ISACA. All rights reserved. www.isaca.org
2. Reduce the likelihood.
3. Transfer the risk (to insurance or a subcontractor).
4. Avoid the risk. (Temporarily distancing the target
from the threat summarizes the potential impact
definitions for the CIA security objectives.)
This article discusses risk mitigation strategy based
on the CIA security objectives.
The overall objective of this section is to
quantitatively measure risk impacts of an
organization’s specific IT assets and to propose
a proper mitigation strategy. Concepts from the
International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC)
ISO/IEC 27001:2013, Information technology—
Security techniques—Information security
management systems—Requirements,7 and
empirical analysis results taken from interviews
with professionals are used to illustrate various
conclusions and approaches to implementation.
Hence, quantitative measurement of risk impact is
implemented based on the following formula:
Risk Impact = Potential Risk * Probability
of Occurrence
Potential Risk
This could be any type of risk that is conceivable
for a business or any risk associated with an action
that is possible in certain circumstances. This risk
also refers to a threat or damage that may occur
on operations of the business. When a business
ISACA JOURNAL VOL 3 2
undertakes any operations within a particular
industry and in specific markets, it faces potential
risk. Risk potential should be estimated without
a detailed consideration of the individual risk, at
as little expense as possible.8 Potential risk is a
product of total asset value, severity of vulnerability
and severity of threat:
Potential Risk = Total Asset Value * Severity
of Vulnerability * Severity of Threat
Probability of Occurrence
This is an estimate of how often a hazardous event
occurs. The likelihood can be expressed in terms of
the frequency of occurrence.9 A review of historic
events assists with this determination. Each hazard
is rated in accordance with the numerical ratings
and definitions shown10 in figure 1.
Asset Valuation
This is a method of assessing the worth of the
organization’s information system assets based on
its CIA security.
Total Asset Value = Asset Value * Weight of Asset
Assumptions for asset valuation include:
• The value of an asset depends on the sensitivity
of data inside the container and their potential
impact on CIA.
• CIA of information will have a minimum value of 1
for each. Enjoying
• The value of levels for CIA are as follows: A rating this article?
of 3 is high, 2 is medium and 1 is low.
• Read COBIT® 5
• The value of the information asset is determined
for Risk.
by the sum of the three (C + I + A) attributes.
www.isaca.org/
cobit-risk
Based on the model, it is possible to create a matrix
for value of an asset as illustrated in figure 2.
• Learn more about,
discuss and
Weight of Asset
collaborate on risk
From interviews and the author’s practical experience, management in the
it can be concluded that the actual value of an asset Knowledge Center.
is determined by the sensitivity value of data in the www.isaca.org/risk-
container. The reason is that all similar containers management
are not equally important to the organization, and
the value of a container is determined by the data
it holds, processes or transfers. For example,
servers with equal capacity, technology and cost
may have different weights due to the data they
hold, process or transfer. A database containing
employee information may have less value than one
containing customer transactions. Equally, data on
prominent customers may have more value than data
on ordinary/walk-in customers, based on business/
organizational objectives.

Figure 1—Model for Measuring Value of an Asset Based on CIA

Security Objective Low (Rating of 1) Medium (Rating of 2) High (Rating of 3)
Confidentiality Limited adverse effect on Serious adverse effect on Severe or catastrophic
The unauthorized disclosure organizational operations, organizational operations, adverse effect on
of information/data could be assets or individuals. assets or individuals. organizational operations,
expected to have a: assets or individuals.
Integrity Limited adverse effect on Serious adverse effect on Severe or catastrophic
The unauthorized modification organizational operations, organizational operations, adverse effect on
or destruction of information/ assets or individuals. assets or individuals. organizational operations,
data could be expected to assets or individuals.
have a:
Availability Limited adverse effect on Serious adverse effect on Severe or catastrophic
The disruption of access to or organizational operations, organizational operations, adverse effect on
use of information/data or an assets or individuals. assets or individuals. organizational operations,
information system could be assets or individuals.
expected to have a:
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.

ISACA JOURNAL VOL 3 3

©2017 ISACA. All rights reserved. www.isaca.org
 Figure 2—CIA Matrix
Confidentiality Low (1) Medium (2) High (3)
Integrity L M H L M H L M H
Low (1) 3 4 5 4 5 6 5 6 7
Availability

Medium (2) 4 5 6 5 6 7 6 7 8
High (3) 5 6 7 6 7 8 7 8 9
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.

Therefore, to evaluate the sensitivity of assets, the

Figure 4—Total Asset Weight Matrix
concept of “weight” or “weighting” was developed,
which helps to measure each asset’s value based Total Asset Value
on the data it holds/processes compared to other Asset Value 3 4 5 6 7 8 9
assets. To measure the value of the asset’s weight, 1 3 4 5 6 7 8 9
the rating concepts shown in figure 3 can be
Weight 2 6 8 10 12 14 16 18
used—3 for high, 2 for medium and 1 for low—to
show value of a specific asset as compared to the 3 9 12 15 18 21 24 27
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
another asset, based on business objectives. This
concept differentiates this approach for the asset
valuation concept. Asset Categorization
At this stage, the organization should categorize
Figure 3—Model to Measure Weight assets in three levels based on the total asset value
of an Asset determined in the total asset matrix table. The
Weight Rate Description category of an asset indicates the level of concern
Low 1 The value of data in the container is that needs to be given to that asset. Therefore,
low/nonexistent based on business more security implementation, investment or
objectives, as compared to another attention would be given to category I assets
similar container’s data value. (value of the total asset between 20 and 27) than
Medium 2 The value of data in the container to category II assets (between 12 and 18, inclusive,
is medium based on business the highlighted amounts in figure 4) and to category
objectives, as compared to another III (value of 10 or less) assets. From figure 4, it can
similar container’s data value.
be concluded that the total asset value ranges from
High 3 The value of data in the container is 3 (minimum) to 27 (maximum).
high based on business objectives,
as compared to another similar
container’s data value. Vulnerability and Threat Assessment
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
and Rating Methodology
The presence of vulnerability does not in itself
Therefore, according to the CIA matrix and the
cause harm; vulnerability is merely a condition
weight of an asset model, it is possible to determine
or a set of conditions that could allow assets to
the following total asset value using an asset weight
be harmed by an attack.11 When a vulnerability is
matrix table as shown in figure 4.
exploited by a threat, it increases the likelihood of
attack and leads to risk.12 Vulnerability rating gives
an indication or opportunity to see the weakness
inherent or residing in the information assets of the
organization.

ISACA JOURNAL VOL 3 4

©2017 ISACA. All rights reserved. www.isaca.org
Vulnerability and threat valuation assumptions
include:
• The same 1 to 3 rating scale will be used, in which
a specific vulnerability or threat rated as high is
assigned a 3, medium a 2 and low a 1 (figure 5).
• The severity of the threat and the vulnerability is
graded as very low (1), low (2), medium (3), high
(4) and very high (5) (figure 6).
Vulnerability Rating Factors
standards, poorly managed flammable liquids and
poor circuit insulation are some of the weaknesses
(vulnerabilities) or factors that help the fire threat to
happen and cause damage.
Exposure (attacker access to the flow) is the
potential exposure to loss, resulting from the
occurrence of one or more threat events. It may be
disseminated across other system components.
Figure 5 depicts a model to rate the susceptibility
and exposure of a flow or vulnerability of an asset.

Vulnerability is the intersection of three elements: a
system susceptibility or flaw, attacker access to the
flaw, and attacker capability to exploit the flaw.13
Susceptibility is simply to measure the effort
required to successfully exploit a given weakness.
For example, fire is a threat. Poor fire prevention
To measure the overall value of the severity of
a vulnerability, the combination of the value of
susceptibility and exposure rating must first be
decided, as shown in figure 7. (Note: This rating
table is similarly used for threat factors [impact
and capability rating] in the following threat
assessment section.)

Figure 5—Model for Susceptibility and Exposure Ratings

SUSCEPTIBILITY
Minor susceptibility: Vulnerability requires significant
resources to exploit with little potential for loss.
Moderate susceptibility: Vulnerability requires
significant resources to exploit with significant potential
for loss. Or, vulnerability requires little resources to
exploit, moderate potential for loss.
High susceptibility: Vulnerability requires few
resources to exploit with significant potential for loss.
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
Rating EXPOSURE
1 Minor exposure: Effects of the vulnerability are
tightly contained and do not increase the probability of
additional vulnerabilities being exploited.
2 Moderate exposure: Vulnerability can be expected to
affect more than one system element or component.
Exploitation increases the probability of additional
vulnerabilities being exploited.
3 High exposure: Vulnerability affects a majority of system
components. Exploitation significantly increases the
probability of additional vulnerabilities being exploited.

Figure 6—Model for Severity of Vulnerability Grading

Rating Grade Description
1 Very low (VL) Minor exposure, minor susceptibility
2 Low (L) Minor exposure, moderate susceptibility; or moderate exposure, minor susceptibility
3 Medium (M) Highly exposed, minor susceptibility; or minor exposure, high susceptibility; or moderate
exposure, moderate susceptibility
4 High (H) Highly exposed, moderate susceptibility; or moderate exposure, high susceptibility
5 Very high (VH) Highly exposed, high susceptibility
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.

ISACA JOURNAL VOL 3 5

©2017 ISACA. All rights reserved. www.isaca.org

Figure 7—Model for Vulnerability Rating
(Combinations of Susceptibility and
Exposure Rating)
Exposure Rating
Susceptibility Rating 1 2 3 and impact should also be considered for threat
1 1 2 3
2 2 3 4
3 3 4 5
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
Threats Assessment and Rating
Methodology
A general list of threats should be compiled, which
is then reviewed by those most knowledgeable
about the system, organization or industry to identify
those threats that apply to the system.14 Each threat
is derived from a specific vulnerability, rather than
identifying threats generally without considering
vulnerability. Measuring the value of a threat depends
on the rating value of its impact and capability.
Impacts are a forceful consequence or a strong effect
of the launch of a threat on the business.
Capability is a measure of a threat agent’s ability
(including the level of effort required) to successfully
attack an asset by exploiting its vulnerabilities, e.g.,
Figure 8—Model for Capability and Impact of Threat Ratings
CAPABILITY
Little or no capability such as knowledge, resource or
technical skill to launch a threat on a given information
asset of the organization.
Moderate capability indicates the knowledge and
skills to mount attack, but some resources are lacking.
Or, knowledge is lacking, but sufficient resources to
mount an attack on a given information asset of the
organization does exist.
High capability indicates possession of knowledge, skills
and resources to mount an attack on an information
asset of the organization.
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
©2017 ISACA. All rights reserved. www.isaca.org
the threat agent’s technical ability, knowledge and
available material to exploit the vulnerability.
As with vulnerability measurement elements
(susceptibility and exposure), rating, capability
measurement. Figure 8 shows how to use
capability and impact for threat ratings.
The model for grading the severity of the threat
uses impact and capability of the threat, similar to
the severity of vulnerability matrix in figure 6 and
figure 7. The only difference is susceptibility and
exposure for vulnerabilities are replaced with impact
and capability for threat.
Risk Impact Measurement
Risk management is the act of determining
what threats the organization faces, analyzing
the vulnerabilities to assess the threat level and
determining how to deal with the risk.15 Security
risk management is a strategy of management to
reduce the possible risk from an unacceptable to an
acceptable level.16 There are four basic strategies
for managing risk: transference, acceptance,
avoidance and mitigation.17
Rating IMPACT
1 Exercise of the threat may result in the loss of some/
few assets or resources; may have little effect on the
organization’s business continuity, immaterial financial
loss, low legal impact and low impact on business
process.
2 Exercise of the threat may result in the loss of some
assets or resources; may have a moderate effect on
the organization’s business continuity, some material
financial loss, average business process impact and
perceptible legal impact.
3 Exercise of the vulnerability may result in the costly loss
of major assets or resources; may significantly violate,
harm, or impede an organization’s mission, reputation,
or interest; or may result in serious injury or catastrophic
impact.
ISACA JOURNAL VOL 3 6
Risk assessment requires individuals to take charge
of the risk management process. Risk assessment
is the determination of a quantitative or qualitative
estimate of risk related to a well-defined situation and
a recognized threat (also called a hazard). Quantitative
risk assessment requires calculations of two
components of risk: the magnitude of the potential
risk and the probability that the loss will occur.18
Risk Impact = Potential Risk * Probability
Probability or Likelihood of Risk
A likelihood assessment estimates the frequency of
a threat happening. With this type of assessment,
it is necessary to observe the circumstances that
will affect the probability of the risk occurring. The
likelihood can be expressed in terms of the frequency
of occurrence,19 which are depicted in figure 9.
Figure 9—Model for Probability or
Likelihood of Risk
Value Description of Probability
1 Never happened (has not happened in the past
three years)
2 Rare (happens once in year)
3 Periodic (happens once in a quarter)
4 Regular (takes place once in a fortnight)
5 Frequent (happens once in a week)
Source: Adapted from ISO 27001 implementers forum. Reprinted with
permission.
Based on the previously discussed risk analysis
concepts, risk mitigation options are acceptable,
tolerable and intolerable risk, the values of
which follow.
Figure 10—Examples for Potential Risk and Risk Impact
Vulnerability Threat
Total Asset Value Severity Value Severity Value
3 1 (VL) 1 (VL)
9 3 (M) 3 (M)
20 4 (H) 4 (H)
27 5 (VH) 5 (VH)
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
©2017 ISACA. All rights reserved. www.isaca.org
Acceptable risk has a risk impact value of less than
540, which is the product of the maximum asset
value (27), low vulnerability value (2), low threat
value (2) and the maximum frequency of likelihood
(5). The calculation, therefore, is 27*2*2*5=540.
Tolerable risk has a risk impact value ranging from
540 to 1,215, which is the product of the maximum
asset value (27), medium vulnerability value and
threat value (3 each), and the maximum frequency
of likelihood (5). The calculation is 27*3*3*5=1,215.
Intolerable risk has a risk impact value greater than
1,215, which means the risk beyond the tolerable
risk amount, 1,215.
Control Implementation
and Gap Analysis
A common mitigation for a technical security flaw is to
implement a patch provided by the vendor. Sometimes
the process of determining mitigation strategies is
called control analysis.21 Control mechanisms are used
to restrain, regulate or reduce vulnerabilities; they can
be corrective, detective or preventive.22 It is possible
to mitigate a risk by implementing different control
techniques, but before implementing a new control, the
assessor is responsible for identifying and measuring
the existing control and showing the gap from the
expected control of an asset.
Assumptions for control valuation include:
• CIA of information has a minimum valuation of 0.
• The value of levels of control implementation to
CIA are high (3), medium (2), low (1) and none (0)
figure 10.
Risk Impact
Potential Risk Probability Value
3*1*1=3 3 (Periodic) 3*3 = 9
9*3*3=81 4 (Regular) 81*4= 324
20*4*4=320 2 (Rare) 320*2 = 640
27*5*5=675 5 (Frequent) 675*5 = 3375
ISACA JOURNAL VOL 3 7
• The value of the control implementation is
determined by the sum of the three attributes.
Based on figure 10, a control matrix is presented in
figure 11.
Figure 11—Model for Rating CIA
Control Implementation
Rate Security Objective
Confidentiality (C)—Authorized disclosure of
information was experienced.
Integrity (I)—Authorized modification or
destruction of information was applicable.
Availability (A)—Access to or use of
information or an information system was
applicable.
None (0) CIA is not implemented for the company
asset, operation or individuals.
Low (1) CIA is limited or is at a low level of
implementation for the company asset,
operation or individuals.
Medium (2) CIA is at an intermediary level of
practicability for the company asset,
operation or individuals.
High (3) CIA is at a strong level of achievability for the
company asset, operation or individuals.
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.
Figure 12 shows calculations for existing controls
and risk mitigation.
Adding controls to mitigate the risk impact first
requires identification of the existing control (the
total amount of control measured by adding the
value of CIA for each asset), then identification of
the possible control (the sum of a control value
of CIA derived by considering the maximum
technology applied to that specific asset and the
conditions to satisfy adoption of that additional
control).
The following formulas will calculate the “to be
controlled risk” and the “mitigated risk”:
To Be C = Maximum Possible Control –
Existing Control
Mitigated Risk = Risk Impact ÷ Existing Control
No organization can ever be 100 percent secure
or free of risk. There will always be remaining,
or residual, risk. In the first example shown in
figure 13, the possible control is equal to the
existing control (which is high for CIA). Therefore,
the remaining risk, 375, is residual, not mitigated
further because it already represents the maximum
possible control. As per the risk analysis concepts
described in this article, the 375 risk is acceptable
because it is less than the maximum acceptable
risk level of 540.
Conclusion
Managing the risk and valuation of an organization’s
valuable IT assets is the first and critical stage of
information security planning and security control
implementation. Objectively measuring concepts
like vulnerability, threat, risk impact, mitigated risk

Figure 12—Control Valuation Matrix

CONTROL Integrity
CIA MATRIX
None Low Medium High
Confidentiality N L M H N L M H N L M H N L M H
N 0 1 2 3 1 2 3 4 2 3 4 5 3 4 5 6
L 1 2 3 4 2 3 4 5 3 4 5 6 4 5 6 7
Availability

M 2 3 4 5 3 4 5 6 4 5 6 7 5 6 7 8
H 3 4 5 6 4 5 6 7 5 6 7 8 6 7 8 9
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.

ISACA JOURNAL VOL 3 8

©2017 ISACA. All rights reserved. www.isaca.org
 Figure 13—Examples of Control Implementation
Currently Implemented Control on
The Existing
Risk Impact Confidentiality Integrity Availability Control Is Risk Mitigated to
3,375 3 (High) 3 (High) 3 (High) 9 3,375 9 = 375
540 2 (Medium) 2 (Medium) 2 (Medium) 6 540 6 = 90
2,415 0 (None) 2 (Medium) 1 (Low) 3 1,215 3 = 805
3,065 1 (Low) 1 (Low) 2 (Medium) 4 3,065 4 = 766
Source: Shemlse Gebremedhin Kassa. Reprinted with permission.

and implemented control of an asset is relatively the
most difficult task in the process, because of a lack
of uniformity on subjective judgments during the
rating selection (high, low, medium) and the quality
and accuracy of the results are highly dependent on
the assessors’ professional experience. The models
described in this article can minimize error and
introduce uniformity of activities and process results
carried out by different individuals/organizations.
Generally, information security risk management/
evaluation is still a very complex field of research,
with a lot of unexplored areas. More research is
needed to explore essentials. This research work
can be based on the model proposed in this
article and perhaps could be focused on creating
mechanical or robotic techniques to implement
quantitative measurement, thus avoiding subjective
judgments of high, low or medium.
Endnotes
1 Foroughi, F., “Information Asset Valuation
Method for Information Technology Security
Risk Assessment,” Proceedings of the World
Congress on Engineering 2008, vol. I,
www.iaeng.org/publication/WCE2008/
WCE2008_pp576-581.pdf
2 Shemlse, G. K.; “Information Systems
Security Audit: Ontological Framework,”
ISACA® Journal Practically Speaking blog, 26
September 2016, www.isaca.org/Journal/Blog/
Lists/Posts/Post.aspx?ID=333
3 Caralli, R., et al.; “Introducing OCTAVE
Allegro: Improving the Information Security
Risk Assessment Process,” Carnegie Mellon
University, USA, May 2007, www.sei.cmu.edu/
reports/07tr012.pdf
4 Caralli, R. A.; J. F. Stevens; L. R. Young; W.
R. Wilson; “Introducing OCTAVE Allegro:
Improving the Information Security Risk
Assessment Process,” May 2007,
www.sei.cmu.edu/reports/07tr012.pdf
5 Olivia, “Difference Between Information
System Audit and Information Security Audit,”
DifferenceBetween.com, 16 April 2011, www.
differencebetween.com/difference-between-
information-system-audit-and-vs-information-
security-audit/
6  Op cit, Foroughi
7 Kamat, M.; ISO27k Implementers’ Forum,
“Matrices for Asset Valuation and Risk
Analysis,” 2009, http://190.90.112.209/
estandares/ISO27k-Matrices-for-Asset-
Valuation-and-Risk-Analysis.pdf
8  Op cit, Foroughi
9 Ibid.
10 Village of Briarcliff Manor, Disaster Mitigation
Act 2000 Hazard Mitigation Plan, New York,
USA, July 2007, p. 5–9, www.briarcliffmanor.
org/pages/BriarcliffManorNY_Trustees/HMP/
Section%205.3%20Hazard%20Ranking%20
-%20Final.pdf
11 National Information Assurance Training
and Education Center, NIATEC Glossary,
USA, http://niatec.info/Glossary.
aspx?term=6344&alpha=V
12  Op cit, Shemlse
13 Kiyuna, A.; L. Conyers; Cyberwarfare Source
Book, Lulu.com, 14 April 2015, p. 42
14 Elky, S.; “An Introduction to Information
System Risk Management,” SANS Institute
InfoSec Reading Room, 31 May 2006,
www.sans.org/reading_room/whitepapers/
auditing/introduction-information-system-risk-
management_1204
15 Gregg, M.; CISSP Exam Cram 2, Pearson IT
Certification, USA, 2005
16  Op cit, Elky
17 Ibid.
18 RFC 4949, Internet Security Glossary, Version
2, August 2007, https://tools.ietf.org/html/
rfc4949
19  Op cit, Kamat
20 Ibid.
21 Op cit, Gregg
22 Ibid.

ISACA JOURNAL VOL 3 9

©2017 ISACA. All rights reserved. www.isaca.org