Hi all,

I'm an ICT specialist geared towards networking, however for a new project I went out of my comfort zone and went to design a complete Information Security Management System. In scope of that, I found a simple risk assessment method created by Goel&Chen. This method uses 3 matrices and 3 summation formulas to get a value assigned to each risk/threat. I checked on the formula and found an explanation on how the summation works and so on. My problem is, that with the given information in their document, I fail to understand exactly which parameters to place where. This is the extract out of their document that I need help on:

"The methodology proposed in the paper uses three separate matrices, i.e. vulnerability matrix, threat matrix and control matrix to collect the data that is required for risk analysis. The vulnerability matrix (Table 1) contains the associations between the assets and vulnerabilities in the organization, the threat matrix (Table 2) similarly contains the relationships between the vulnerabilities and threats, and the control matrix (Table 3) contains the links between the threats and controls. Each cell in a table contains the value of the relationship between the row and the column element of the table (e.g. asset and vulnerability). It uses one of the three values, i.e. low, medium or high.

3

When the risk analysis is initially conducted, lists of assets, vulnerabilities, threats, and controls are generated and added to the respective tables. The matrices are then populated by adding data that correlates the row of the matrix with the column of the matrix. Finally, the data from the vulnerability matrix is aggregated using Equation 1 and then cascaded on to Table 2. Similarly, data in the threat matrix is aggregated using equation 2 and cascaded on to Table 3. The data from the Control matrix is then aggregated to obtain the relative importance of the different controls.

Let us assume that there are

*m* assets where the relative cost of asset

*aj* is

*Cj (j = 1,…, n)*. Also let

*cij* be the impact of vulnerability

*vi* on asset

*aj*. Then the relative cumulative impact of vulnerability

*vi *on the assets of the organizations is:

_{j=n} __V___{i}=

Σv

_{ij }*C

_{j} ^{j=1}
"

The table has been filled in with fictive values.

I'm a bit confused by the the subscript parameters, not sure of what to fill in. Could anyone help me with this?