/// <summary>
/// Decides whether a protection is worth implementing for a privacy risk.
/// </summary>
/// <remarks>
/// Utilizes Hdan's Cost Benefit analysis.
///
/// Refer to CMU/SEI-2009-SR-017,
/// Privacy Risk Assessment Case Studies in Support of SQUARE (Pg. 14).
///
/// Weighs the cost of the protection against the expected loss from a
/// disclosure, i.e. the likelihood of the disclosure multiplied by the damage it causes.
/// </remarks>
/// <param name="likelihood">Risk level supplying the privacy likelihood factor (<c>PLikelihood</c>); must not be null.</param>
/// <param name="damage">Risk level supplying the damage factor (<c>Damage</c>); must not be null.</param>
/// <param name="cost">Cost of the protection on a 1..9 scale; must have a value.</param>
/// <returns>
/// The <see cref="RiskLevel"/> whose id is <c>RiskLevels.High</c> when the cost is below the
/// expected loss (the protection pays for itself), otherwise <c>RiskLevels.Low</c>.
/// Looked up from <c>Db.RiskLevels</c>; the lookup throws if the id is missing or duplicated.
/// </returns>
private RiskLevel CalculateRiskLevel(RiskLevel likelihood, RiskLevel damage, int? cost)
{
    Check.Require(likelihood != null, "likelihood is required.");
    Check.Require(damage != null, "damage is required.");
    Check.Require(cost.HasValue, "cost.HasValue is required.");
    Check.Require(cost >= 1 && cost <= 9, "Cost must be between 1 and 9");

    // Expected loss (L*D): privacy likelihood factor times damage factor.
    var expectedLoss = likelihood.PLikelihood * damage.Damage;

    // Protection is justified (High) only when it costs less than the loss it prevents.
    string riskLevelId = cost < expectedLoss
        ? RiskLevels.High
        : RiskLevels.Low;

    return Db.RiskLevels.Single(a => a.Id == riskLevelId);
}
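/// <summary>
/// Calculates the final risk level of the entire Risk object.
/// </summary>
/// <remarks>
/// Calculation is defined in NIST specification paper in Section 3.7.1,
/// Risk-Level Matrix Pg. 25: the security likelihood (<c>SLikelihood</c>) is
/// multiplied by the impact (<c>Impact</c>) and the product is bucketed as
/// High (50, 100], Medium (10, 50] or Low [1, 10].
/// </remarks>
/// <param name="likelihood">Risk level supplying the security likelihood factor (<c>SLikelihood</c>); must not be null.</param>
/// <param name="magnitude">Risk level supplying the impact factor (<c>Impact</c>); must not be null.</param>
/// <returns>
/// The matching <see cref="RiskLevel"/> from <c>Db.RiskLevels</c>. When the product falls
/// outside [1, 100] no bucket matches, an empty id is looked up and the result is the
/// default (null unless a level with an empty id exists).
/// </returns>
private RiskLevel CalculateRiskLevel(RiskLevel likelihood, RiskLevel magnitude)
{
    // Validate inputs up front, in the same precondition style as the cost-benefit
    // overload, instead of failing with a NullReferenceException on the property access.
    Check.Require(likelihood != null, "likelihood is required.");
    Check.Require(magnitude != null, "magnitude is required.");

    var riskCalc = likelihood.SLikelihood * magnitude.Impact;

    // The three buckets are disjoint, so at most one branch can apply.
    var level = string.Empty;
    if (50 < riskCalc && riskCalc <= 100)
    {
        level = RiskLevels.High;
    }
    else if (10 < riskCalc && riskCalc <= 50)
    {
        level = RiskLevels.Medium;
    }
    else if (1 <= riskCalc && riskCalc <= 10)
    {
        level = RiskLevels.Low;
    }

    return Db.RiskLevels.Where(a => a.Id == level).SingleOrDefault();
}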
/// <summary>
/// Seeds the three built-in risk levels (High, Low, Medium) into <paramref name="context"/>.
/// </summary>
/// <remarks>
/// Each level carries the factors used by the risk calculations: the security
/// likelihood/impact pair (NIST risk-level matrix) and the privacy likelihood/damage
/// pair (cost-benefit analysis), plus a display order and color.
/// </remarks>
/// <param name="context">Data context whose <c>RiskLevels</c> set receives the rows; changes are not saved here.</param>
private static void AddRiskLevels(SquareContext context)
{
    var levels = new[]
    {
        new RiskLevel { Id = "H", Name = "High", SLikelihood = 1.0m, PLikelihood = 3, Impact = 100, Damage = 3, Order = 3, Color = "Red" },
        new RiskLevel { Id = "L", Name = "Low", SLikelihood = 0.1m, PLikelihood = 1, Impact = 10, Damage = 1, Order = 1, Color = "Green" },
        new RiskLevel { Id = "M", Name = "Medium", SLikelihood = 0.5m, PLikelihood = 2, Impact = 50, Damage = 2, Order = 2, Color = "Yellow" },
    };

    // Insertion order is kept as High, Low, Medium.
    foreach (var level in levels)
    {
        context.RiskLevels.Add(level);
    }
}