So let's go ahead and talk a little bit about the tools and techniques we're gonna use for risk assessment.
These tools can either be communication tools, or tools that I use to collect and gather information, or ways that I communicate to my team, perhaps, what the grand state of affairs is. So we've got several of these tools. Let's start off by looking at the bow tie analysis.
Then we're gonna start with the bowtie analysis.
Then we're gonna talk about the decision tree analysis, the cause and effect diagram, the BIA, which is a document we should always be familiar with, business impact analysis. Then we'll look at SWOT, and we'll look at the BCG matrix. Okay, so starting out with the bow tie analysis,
what we're going to examine and this can kind of come into play with risk scenarios that we've talked about earlier
is we can, you know, determine what the threat is. You know, where is our area that we're concerned about? Where does that threat meet? The vulnerability.
So here we see in the center is our risk or hazard: data corruption.
Well, over on the left, we're gonna talk about causes. What are the things that could cause data corruption?
Malicious insider, accidental compromise, external user. We might have, um, unreliable links there. There are lots of reasons that data can become corrupted, right. So those are the causes.
Now to the left, what are some ways that we can mitigate those potential causes? So, network firewall, antivirus software and anti-malware. We can have better hiring practices for malicious internal users, right? We could go on and on with the controls. So we have causes, mitigating strategies,
and then on the right side, so what if it does happen? What are some reactive strategies or some recovery measures that we can use? And then ultimately, what would the consequences of the loss overall be?
So this is just a good way, you know, we would brainstorm with our team and try to complete this. Now, as we step back, we think, okay, so number one, the risk, perhaps it's corruption; here are the ways that data could become corrupt; here are the things we can do to mitigate that.
But if it does happen, we've got some strategies to recover from it. That's a very helpful tool.
When you're looking at risk mitigation strategies and figuring out what's gonna be best based on your assessment of the risk
decision tree analysis. So what decision tree analysis does is it's gonna give us the expected monetary value of the risk,
right? So I want to know what is my potential for loss? What's my potential for gain? Because don't forget that some environments consider both positive and negative aspects of risk, and I think you'll see that on this exam as well. So a negative risk is a threat. A positive risk is an opportunity.
So I have a little scenario here in front of us
where we have three possible choices. And so, just to kind of give you an overview of this scenario, I'm looking to outsource a software development project, and I've gotten bids from three different companies I've used in the past:
Company A, Company B, Company C,
and I could refer to them as the vendors as well. So vendor A gave me a bid of $100,000. That sounds pretty good.
Then vendor B came in at 125, and then there's C at 135; you know, they've given me the highest bid. Usually we go with the lowest bid.
But because I know you can't just make decisions on the initial bid, we have to go back. We have to think about risk and quality and all those other issues.
So I'm gonna take risk into account before I make my decision, my vendor choice.
Okay, so I've worked with vendor A in the past. Okay, Vendor A has been late 70% of the time. That's a lot.
And that costs me. Or that's cost me in the past $80,000. So you can think of that as a 70% chance I'm gonna lose $80,000.
In the past, also, they've been early with their work some 30% of the time.
And when they're early, it's gained me $15,000.
So what I look at is that potential for gain. I have a 30%, a new opportunity, a 30% opportunity to gain 15,000.
So I take the, um, the two and add them together. Okay, so 70% of 80,000 is 56,000,
30% of a gain of 15,000. And that's kind of weird, because usually when we see these in parentheses, we think of negatives, but because we're talking about money, these are expenditures, money that's going out.
So basically, what this is gonna indicate is I'm gonna be paying vendor A $100,000,
plus there's a likelihood of 56,000,
and a 4,500 opportunity. So when I add those together, the expected monetary value of the risk is 51,500. I've gotta add that. So what I can assume I'm gonna wind up paying with vendor A is gonna be 151,000, let's say $151,500.
So now, all of a sudden, that low bid at A doesn't sound so great.
So let's do B.
I've worked with B in the past. 50% chance they'll be late at a cost of 70,000. So 50% of the $70,000 risk is 35,000.
It's also 50% chance they could come in early, saving me 18,000.
So I have the chance to gain 9000. So, in addition to their initial bid,
I've got the potential for loss of 35,000. I've got the potential opportunity for gain of 9000.
So I've got vendor B,
their initial $125,000 bid, but I need to add 26,000 to that to take into account the risk.
So in this scenario, if I ask you what is the EMV, all I want with that is the amount of risk.
What's the EMV for vendor B? $26,000.
What would the total cost of the contract be?
So the EMV is just the risk value. The cost of the contract is taking the risk and the contract value together.
All right, then we've got C. 20% chance they're late, costs me 25,000.
Um, but there's an 80% chance they'll be early, saving me $5,600. So when you add those together, I actually have an opportunity to gain $600 when I do go with vendor C.
So even though vendor C initially bid the highest,
that tells me that I'm likely to pay out $134,400 for vendor C.
They're the best choice, even though they bid the highest. And that's why risk management's really important to understand. You can also see on this decision tree analysis why it's so important to determine what positive risk and negative risk are. Because if all we do is look at the negatives,
then our estimates are gonna be skewed,
right? Really, we have to think about risk in terms of an unknown element that will influence your project or your endeavor,
so that way we get a more balanced approach.
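The three-vendor EMV calculation from the lecture, worked through as an added Python example (not the course's own material). `Outcome`, `Vendor` and `rank_vendors` are names introduced here; for vendor C the transcript gives the 80%-weighted early saving as $5,600, so the underlying per-outcome saving of $7,000 is an inference, not a figure from the page.

```python
"""Expected monetary value (EMV) over the vendor decision tree from the lecture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One branch of the decision tree: a probability and its money impact.

    impact > 0 is money going out (a threat, the late case);
    impact < 0 is a saving (an opportunity, the early case).
    """
    label: str
    probability: float
    impact: float


@dataclass(frozen=True)
class Vendor:
    name: str
    bid: float
    outcomes: tuple

    def emv(self) -> float:
        """Risk value only: the probability-weighted sum of every branch."""
        total_p = sum(o.probability for o in self.outcomes)
        if abs(total_p - 1.0) > 1e-9:  # the branches must cover every case
            raise ValueError(f"vendor {self.name}: probabilities sum to {total_p}")
        return sum(o.probability * o.impact for o in self.outcomes)

    def expected_total(self) -> float:
        """Contract value plus risk value: what we are likely to pay."""
        return self.bid + self.emv()


# Figures from the lecture. For vendor C the transcript states the 80%-weighted
# early saving as $5,600, so the per-outcome saving is taken as $7,000 (assumption).
VENDORS = (
    Vendor("A", 100_000, (Outcome("late", 0.70, 80_000), Outcome("early", 0.30, -15_000))),
    Vendor("B", 125_000, (Outcome("late", 0.50, 70_000), Outcome("early", 0.50, -18_000))),
    Vendor("C", 135_000, (Outcome("late", 0.20, 25_000), Outcome("early", 0.80, -7_000))),
)


def rank_vendors(vendors=VENDORS) -> list:
    """Cheapest expected total first, as (name, emv, expected_total) tuples."""
    rows = [(v.name, round(v.emv(), 2), round(v.expected_total(), 2)) for v in vendors]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for name, emv, total in rank_vendors():
        print(f"vendor {name}: EMV of risk {emv:>10,.2f}  expected total {total:>12,.2f}")
```

Ranking by expected total rather than by bid is what flips the answer from A to C; dropping the opportunity branches (impact < 0) reproduces the skew the lecture warns about.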