How to assign dollar values to assets and probabilities to threats where there is little or no historical data?
As discussed in question 19, measuring the value of assets in monetary terms is one of the most important issues in PTA's calculative foundation. The probability that a threat will materialize is represented in PTA by the traditional ARO parameter (Annual Rate of Occurrence), which, when no statistical or historical data is available, is actually an estimate of how many times the analyst believes the threat will become a real attack. All in all, assigning dollar values and probabilities where there is little or no historical data is educated guesswork. The good news is that the monetary values and the probabilities can easily be changed, and the whole model is updated automatically to reflect the changes in risk levels and in the prioritized recommendations of mitigation plans. The analyst may establish the threat model, enter preliminary values for assets and probabilities, and then refine them according to feedback from the client's stakeholders (CFO, legal consultants). Moreover – monetary values
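
The following Python example is added here and is not PTA's own code or formulas. It shows how refining a guessed asset value re-ranks the threats, and how to test whether the ranking depends on that guess. It assumes annual risk = ARO x loss per occurrence, with loss given as a fraction of each asset's dollar value; all asset names, threat names and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    aro: float    # analyst's estimate: occurrences per year
    damage: dict  # asset name -> fraction of the asset's value lost per occurrence

def annual_risk(threat, asset_values):
    """Expected yearly loss in dollars: ARO x loss per occurrence (assumed formula)."""
    per_event = sum(asset_values[a] * frac for a, frac in threat.damage.items())
    return threat.aro * per_event

def ranking(threats, asset_values):
    """Threat names, highest annual risk first."""
    ordered = sorted(threats, key=lambda t: annual_risk(t, asset_values), reverse=True)
    return [t.name for t in ordered]

def rankings_over_range(threats, asset_values, asset, factors):
    """Re-rank with one asset's value scaled by each factor; maps factor -> ranking.
    More than one distinct ranking means that guess needs stakeholder review."""
    out = {}
    for f in factors:
        trial = dict(asset_values, **{asset: asset_values[asset] * f})
        out[f] = ranking(threats, trial)
    return out

# Constructed sample model (hypothetical names and figures, not from the page).
THREATS = [
    Threat("web application compromise", 0.5, {"customer_db": 0.4, "storefront": 0.1}),
    Threat("storefront outage", 2.0, {"storefront": 0.3}),
    Threat("lost backup media", 0.1, {"customer_db": 1.0}),
]
PRELIMINARY = {"customer_db": 200_000, "storefront": 50_000}   # analyst's first guess
REFINED = {"customer_db": 200_000, "storefront": 400_000}      # after CFO feedback

if __name__ == "__main__":
    for label, values in (("preliminary", PRELIMINARY), ("refined", REFINED)):
        print(label)
        for t in sorted(THREATS, key=lambda t: -annual_risk(t, values)):
            print(f"  {t.name:28s} ${annual_risk(t, values):>10,.0f}/yr")
    trials = rankings_over_range(THREATS, PRELIMINARY, "storefront", (0.5, 1, 2, 4))
    for f, r in trials.items():
        print(f"storefront x{f}: top priority = {r[0]}")
```

If the top priority changes somewhere inside the plausible range of a guessed value, that value is the one to take to the stakeholders first.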