Calabrese’s Razor

Hal Pomeranz has posted an objective metric used by the Center for Internet Security for hardening operating systems. The metric accounts for how well a control mitigates risk, subtracting the resulting costs or business impact of the control.

  Impact (I)
  Radius (R)
  Effectiveness (E)
  Administrative Impact (A)
  Frequency of Impact (F)

  The metric calculation is (I * R * E) - (A * F).

Hal credits Chris Calabrese as the person most responsible for working out the metric. Accordingly, Hal has named it Calabrese’s Razor in Chris’s memory.

For details of the rationale behind each metric component, instructions to apply Calabrese’s Razor and score interpretations, refer to Hal's post.

Failure Mode and Effects Analysis (FMEA) also scores scenarios, multiplying component scores to arrive at a metric:

  Risk Priority Number = Severity x Occurrence x Detection

From an operational risk perspective, consider using a blend of the two methodologies. Food for thought...
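As an added example, not code from Hal's or Gideon's posts, here are both metrics applied to a few constructed hardening controls, with one possible blend: Calabrese's Razor decides whether a control is worth its administrative cost, and the FMEA Risk Priority Number of the failure mode it addresses decides the order of work. The 1-5 scales, the sample scores and that blending rule are assumptions for the example, not part of either methodology as published.

```python
from dataclasses import dataclass

# Component scores use an assumed 1-5 scale; Hal's post defines the real scales.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Control:
    name: str
    impact: int          # I: how much risk is removed when the control is in place
    radius: int          # R: how much of the environment the risk touches
    effectiveness: int   # E: how reliably the control actually mitigates
    admin_impact: int    # A: cost or disruption each time the control bites
    frequency: int       # F: how often that cost is paid
    severity: int        # FMEA Severity of the failure mode the control addresses
    occurrence: int      # FMEA Occurrence (likelihood)
    detection: int       # FMEA Detection (higher = harder to notice)

    def __post_init__(self):
        for field, value in vars(self).items():
            if field != "name" and value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} outside 1-5")


def calabrese_score(c: Control) -> int:
    """Calabrese's Razor: (I * R * E) - (A * F). Positive means benefit exceeds cost."""
    return (c.impact * c.radius * c.effectiveness) - (c.admin_impact * c.frequency)


def rpn(c: Control) -> int:
    """FMEA Risk Priority Number: Severity x Occurrence x Detection."""
    return c.severity * c.occurrence * c.detection


def prioritize(controls):
    """Assumed blend: drop controls with a non-positive Razor score, then order
    the rest by RPN (highest first), breaking ties on the Razor score."""
    kept = [c for c in controls if calabrese_score(c) > 0]
    rejected = [c.name for c in controls if calabrese_score(c) <= 0]
    kept.sort(key=lambda c: (rpn(c), calabrese_score(c)), reverse=True)
    return [c.name for c in kept], rejected


# Constructed sample controls (scores are illustrative, not measured).
SAMPLE_CONTROLS = [
    Control("Disable telnet service", 5, 5, 5, 1, 1, 5, 4, 3),
    Control("Require 2FA for SSH", 5, 5, 4, 4, 5, 5, 3, 4),
    Control("Weekly forced password rotation", 2, 5, 1, 5, 5, 3, 3, 3),
    Control("Host firewall default deny", 4, 5, 4, 3, 2, 4, 4, 4),
]

if __name__ == "__main__":
    for c in SAMPLE_CONTROLS:
        print(f"{c.name:35} razor={calabrese_score(c):4} rpn={rpn(c):3}")
    print(prioritize(SAMPLE_CONTROLS))
```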

Kind regards,

Gideon

Gideon T. Rasmussen
CISSP, CISA, CISM, CIPP
Charlotte, NC
http://www.virtualcso.com

http://www.infosecresources.com
http://www.gideonrasmussen.com/rssfeed.xml
http://groups.yahoo.com/group/gideons-infosec-list


Posted: Sun Mar 15, 2009 10:10 pm