Ranking Critical Assets

 

“Your budget is not limitless. Neither are other resources. You need to determine the best use of your limited resources to ensure the survivability of your enterprise.”

Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University

The finite nature of security resources mandates prioritizing the deployment of security measures. That means a security analysis should concentrate on the few assets that are most critical to the business.

Which are they? Making that determination is not just Security’s task. It requires the expertise of the corporate personnel who utilize and depend upon those assets. It involves knowledge outside of security’s domain.

Group Consensus

This means that security practitioners must enlist the aid of a group, committee, team or panel to help identify and prioritize the most critical assets and business processes. What makes assets critical is the severity of the impact on the business if use of the asset were lost.

Using a simple application of Pairwise Comparison, you can help the group perform a rudimentary business impact analysis in a methodical way that results in group consensus for the team’s findings. The pairwise comparison technique leverages the universal human ability to compare single properties of alternatives. In plain words, it’s easy because we already know how to choose between two things. We do it all the time.

In a pairwise comparison a whole list of items is ranked by comparing only items two at a time, and assigning a numerical rating to the comparison. Adding up the ratings produces a score for each item. Some items score higher than others; the numbers document the ranking.

What follows is a description of the critical asset ranking process using pairwise comparisons.

Activity: Critical Asset Identification and Ranking

Purpose: To determine the most critical assets of the business, and rank them in terms of the severity of the loss of use of the asset.

Steps:

  1. Start with a list of candidates for being a “critical asset”.
  2. Identify the “worst-case loss event” for each asset: the event that would have the worst impact on the organization. Write down a description of the event.
  3. Rate the assets according to the severity of the impact of the worst-case loss event on the business, comparing each asset category against every other asset, two at a time. Make a chart with rows and columns for each asset. Write the comparison rating in the comparison chart (see the example chart in Figure 1 below). Use the following rating scheme:
     Rating  Description
     3       More critical
     2       Equally critical
     1       Less critical

  4. Add up the values in each row and write the total for each asset category in the Total column.
  5. The assets with the highest scores are the most critical assets, according to your assessment team.

This activity does not require that each team member be highly knowledgeable about each asset. As long as there is at least one person who can explain satisfactorily to the rest of the group why the loss of one of two assets would have the greater or equal negative impact on the business, the group can reach a consensus about the asset pair. One by one each asset pair can be addressed and rated.

Figure 1. The pairwise comparison chart.

The above example is the very simplest use of the pairwise comparison tool. It requires only a brief introduction for the participants in asset ranking exercises. Where a more expanded rating scale seems appropriate, the following 1-to-5 scale also works well:

Rating  Description
5       Significantly more critical
4       Somewhat more critical
3       Equally critical
2       Somewhat less critical
1       Significantly less critical

Because a relative scale of measurement can be used, a pairwise comparison approach for critical asset ranking significantly reduces the time to obtain consensus. It helps to ensure that time spent on more detailed analyses is well spent by focusing on the critical assets. Usually there is an added bonus in that the protective measures selected for the critical assets often also apply to less critical assets, or can be easily extended to cover more assets at an incremental cost.
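The ranking steps above, worked as an added example in Python (not part of the original article): it fills the chart from one agreed rating per pair, totals the rows, and handles either scale through scale_max. It goes beyond the text by flagging circular ratings for the group to revisit; the asset names, the ratings and the mirrored-cell rule are assumptions.

```python
from itertools import combinations

def build_chart(assets, ratings, scale_max=3):
    """Fill the full comparison chart from one agreed rating per asset pair.
    ratings maps (row_asset, column_asset) -> rating of the row asset.
    Assumption: the mirrored cell holds (scale_max + 1) - rating,
    so on the 1-to-3 scale 3 mirrors 1 and 2 mirrors 2."""
    chart = {a: {} for a in assets}
    for a, b in combinations(assets, 2):
        fwd, rev = ratings.get((a, b)), ratings.get((b, a))
        if fwd is None and rev is None:
            raise ValueError(f"pair not rated yet: {a} / {b}")
        if fwd is None:
            fwd = scale_max + 1 - rev
        elif rev is not None and fwd + rev != scale_max + 1:
            raise ValueError(f"conflicting ratings for {a} / {b}")
        if fwd not in range(1, scale_max + 1):
            raise ValueError(f"rating off the scale for {a} / {b}: {fwd}")
        chart[a][b], chart[b][a] = fwd, scale_max + 1 - fwd
    return chart

def rank(chart):
    """Steps 4 and 5: total each row, highest total first."""
    totals = {a: sum(row.values()) for a, row in chart.items()}
    return sorted(totals.items(), key=lambda item: -item[1])

def circular_triples(chart, scale_max=3):
    """Triples rated A over B, B over C, C over A: worth a second discussion."""
    mid = (scale_max + 1) / 2
    found = []
    for a, b, c in combinations(chart, 3):
        for x, y, z in ((a, b, c), (a, c, b)):
            if chart[x][y] > mid and chart[y][z] > mid and chart[z][x] > mid:
                found.append((x, y, z))
    return found

# Constructed sample: asset names and ratings are illustrative only.
ASSETS = ["Customer database", "Order system", "Email service", "Facility access system"]
RATINGS = {
    ("Customer database", "Order system"): 2,
    ("Customer database", "Email service"): 3,
    ("Customer database", "Facility access system"): 3,
    ("Order system", "Email service"): 3,
    ("Order system", "Facility access system"): 2,
    ("Email service", "Facility access system"): 1,
}
CHART = build_chart(ASSETS, RATINGS)
for asset, total in rank(CHART):
    print(f"{total:>2}  {asset}")
```

A circular triple leaves all three assets with equal totals, so the totals alone will not show that the group's ratings contradict each other.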

Advanced Uses of Pairwise Comparison

There are also advanced applications of the pairwise comparison tool, developed for complex decision-making processes. (What car to buy is an example of a decision involving complex factors.) One such widely accepted decision-making process is the Analytic Hierarchy Process (AHP), a mathematical decision-making technique that allows consideration of both qualitative and quantitative aspects of decisions. It reduces complex decisions to a series of pairwise comparisons, then synthesizes the results. It is often used in business risk management. The divide-and-conquer approach of AHP using pairwise comparisons not only helps decision makers more quickly and easily choose the best alternative, but also provides a clear rationale for the choice. There are books, college courses and many web references relating to AHP. (Be aware that most of the web references about AHP and pairwise comparison in general move quickly into mathematical formulas to illustrate their points.)

Fortunately, such advanced techniques are not necessary for the simpler task of identifying and ranking an organization’s critical assets.

Do you have a critical assets catalog for your organization? If not, the pairwise comparison tool can help you develop one more quickly.

Best regards,

Ray Bernard
