o l l from backup copies if available or from source documents and possibly the cost of delayed processing. Theft  of  information.   The   loss   potential because of theft is difficult to quantify. Although the command itself would sustain no direct loss, it clearly would have failed in its mission. In some cases, information itself may have market value.  For  example,  a  proprietary  software package or a name list can be sold. Indirect theft of assets.  If the AIS is used to control  other  assets,  such  as  cash,  items  in inventory, or authorization for performance of services, then it may also be used to steal such assets. The loss potential would be the value of such  assets  that  might  be  stolen  before  the magnitude of the loss is large enough to assure detection. Delayed processing.  Every application has some time constraint, and failure to complete it on time causes a loss. In some cases the loss potential may not be as obvious as, for example, a delay in issuing military paychecks. To   calculate   the   loss   potential   for   physical destruction or theft of tangible assets, AIS technical managers and upper management should construct a table of replacement costs for the physical assets of the AIS facility. The physical assets usually include the building itself and all its contents. This tabulation, broken down by specific areas, helps to identify areas needing  special  attention.  While  the  contents  of  the typical office area may be valued at $100 to $500 per square foot, it is not unusual to find the contents of a computer  room  are  worth  $5,000 to  $10,000  per  square foot.  The  estimate  is  also  helpful  in  planning  for recovery in the event of a disaster. The remaining four loss potential types listed are dependent on the characteristics of the individual data processing tasks performed by the AIS facility. AIS technical managers should review each task to establish which losses a facility is exposed to and which factors affect the size of the potential loss. Call on users to help make these estimates. To make the best use of time, do a rapid, preliminary screening to identify the tasks that appear to have significant  loss  potential.  An  example  of  preliminary estimates is shown in table 4-1. Having made a preliminary screening to identify the critical tasks, seek to quantify loss potential more precisely with the help of user representatives familiar with  the  critical  tasks  and  their  impact  on  other activities. Mishaps and losses that could occur should be considered, on the assumption that if something can go wrong, it will. The fact that a given task has never been tampered with, used for an embezzlement, or changed to mislead management in the command is no assurance that it never will be. At this stage of the risk analysis, all levels of management should assume the worst. Threat  Analysis The second step of the risk analysis is to evaluate the threats to the AIS facility. Threats and the factors that influence their relative importance were listed earlier in this chapter. Details of the more common threats are discussed later in this chapter and, to the extent  it  is  available,  general  information  about  the probability of occurrence is given. Use these data and higher  authority  instructions/manuals  and  apply common sense to develop estimates of the probability of occurrence for each type of threat. Table  4-1.—Example  of  Preliminary  Estimates  of  Loss  Potential 4-15