Saturday, 22 December 2007

Time-based Analysis (TBA)

Time-based analysis is a quantitative analysis that uses only a small number of qualitative measures. TBA is extremely effective in measuring the adequacy of a control. It is also useful in terms of fault preparation (Delphi Group, 2005).

TBA involves analysis of the systems to identify:

  • The preventative controls (P)
  • The detective controls (D)
  • And the reactive controls on the system (R)

TBA measures all things in terms of time. As long as the time to detect and react to an incident is less than the amount of time to prevent the fault, risk is maintained at an acceptable level. Thus, the aim when implementing TBA is to maintain the following situation:

The detective controls (D) + the reactive controls on the system (R) are less than the preventative controls (P), or:
  • D + R < [P]

And a measurable loss occurs when:

  • D + R > [P].

To analyse controls under a TBA, first assume that preventative controls fail, then ask the questions:

  1. How long does it take for detective controls to be enacted?
  2. How long, following detection, does it take for a response to be initiated?

The aims of a TBA-based risk strategy include reducing both D and R. This can be achieved by improving the detective controls or improving the reactive controls. The TBA model assumes that all preventative controls will eventually fail given enough time (SANS, 2005).

In determining a target, the costs of the preventative, detective and reactive controls are taken into account to create a cost-benefit analysis. TBA is one of the simpler quantitative methods of risk analysis and management available.
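
The cost-benefit step described above, as an added example that is not part of the original post: given values for P, D and R in hours and a list of candidate control improvements with costs, it finds the cheapest set that restores D + R < P. All figures and control names are constructed for illustration, and time savings are assumed to add up (with a floor of zero).

```python
from itertools import combinations

# Constructed sample figures in hours (assumptions, not from the post).
P, D, R = 24.0, 20.0, 10.0   # prevention holds / time to detect / time to respond

# Hypothetical improvements: (name, term reduced, hours saved, cost).
CANDIDATES = [
    ("central log alerting", "D", 12.0, 30_000),
    ("24x7 monitoring", "D", 16.0, 90_000),
    ("on-call responder", "R", 6.0, 25_000),
    ("scripted isolation", "R", 4.0, 10_000),
]

def holds(d, r, p):
    """TBA condition: detection plus reaction must be strictly less than P."""
    return d + r < p

def apply_controls(d, r, chosen):
    """Subtract each chosen saving from its term (assumed additive, floor 0)."""
    for _, term, saved, _ in chosen:
        if term == "D":
            d = max(0.0, d - saved)
        else:
            r = max(0.0, r - saved)
    return d, r

def cheapest_plan(d, r, p, candidates):
    """Lowest-cost subset giving D + R < P as (cost, names, d, r), else None."""
    best = None
    for n in range(len(candidates) + 1):
        for chosen in combinations(candidates, n):
            nd, nr = apply_controls(d, r, chosen)
            cost = sum(c[3] for c in chosen)
            if holds(nd, nr, p) and (best is None or cost < best[0]):
                best = (cost, [c[0] for c in chosen], nd, nr)
    return best

if __name__ == "__main__":
    print("current state acceptable:", holds(D, R, P))
    # "on-call responder" alone gives D + R == P, which still fails the test.
    print("cheapest plan:", cheapest_plan(D, R, P, CANDIDATES))
```

With these sample figures the cheaper reactive fixes do not restore the condition on their own, so the lowest-cost plan is a detective control.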


Anonymous said...

You have no idea how much this helped me. Was looking for the definition to add to my notes and this was perfect! Thanks!

Craig Wright said...

I am glad I have helped.