o
l
l
from backup copies if available or from source
documents and possibly the cost of delayed
processing.
Theft of information. The loss potential
because of theft is difficult to quantify. Although
the command itself would sustain no direct loss,
it clearly would have failed in its mission. In
some cases, information itself may have market
value. For example, a proprietary software
package or a name list can be sold.
Indirect theft of assets. If the AIS is used to
control other assets, such as cash, items in
inventory, or authorization for performance of
services, then it may also be used to steal such
assets. The loss potential would be the value of
such assets that might be stolen before the
magnitude of the loss is large enough to assure
detection.
Delayed processing. Every application has
some time constraint, and failure to complete it
on time causes a loss. In some cases the loss
potential may not be as obvious as, for example,
a delay in issuing military paychecks.
To calculate the loss potential for physical
destruction or theft of tangible assets, AIS technical
managers and upper management should construct a
table of replacement costs for the physical assets of the
AIS facility. The physical assets usually include the
building itself and all its contents. This tabulation,
broken down by specific areas, helps to identify areas
needing special attention. While the contents of the
typical office area may be valued at 0 to 0 per
square foot, it is not unusual to find the contents of a
computer room are worth ,000 to ,000 per square
foot. The estimate is also helpful in planning for
recovery in the event of a disaster.
The remaining four loss potential types listed are
dependent on the characteristics of the individual data
processing tasks performed by the AIS facility. AIS
technical managers should review each task to establish
which losses a facility is exposed to and which factors
affect the size of the potential loss. Call on users to help
make these estimates.
To make the best use of time, do a rapid, preliminary
screening to identify the tasks that appear to have
significant loss potential. An example of preliminary
estimates is shown in table 4-1.
Having made a preliminary screening to identify
the critical tasks, seek to quantify loss potential more
precisely with the help of user representatives familiar
with the critical tasks and their impact on other
activities. Mishaps and losses that could occur should
be considered, on the assumption that if something can
go wrong, it will. The fact that a given task has never
been tampered with, used for an embezzlement, or
changed to mislead management in the command is no
assurance that it never will be. At this stage of the risk
analysis, all levels of management should assume the
worst.
Threat Analysis
The second step of the risk analysis is to evaluate
the threats to the AIS facility. Threats and the factors
that influence their relative importance were listed
earlier in this chapter. Details of the more common
threats are discussed later in this chapter and, to the
extent it is available, general information about the
probability of occurrence is given. Use these data and
higher authority instructions/manuals and apply
common sense to develop estimates of the probability
of occurrence for each type of threat.
Table 4-1.—Example of Preliminary Estimates of Loss Potential
4-15
