5.21 Risk Analysis

Video Transcription
All right. Risk analysis. So, like I said, let's jump back and look at the risk register, and we see the next two fields: likelihood and impact. That's what we're looking for from risk analysis. Now, I can get qualitative risk analysis or I could get quantitative risk analysis.

But ultimately, both types focus in on how likely is the event to happen, and if it does, what's its severity? Okay, so when I look at risk analysis, what we want to do is determine the value, the potential for loss, because that will drive or justify our response. Again, I'm not going to spend... if I stand to lose 100, I'm not going to spend 500 to prevent that, right? So we want to make a good, cost-effective decision. We want a return on investment for the controls that we implement. So we really have to understand what is that potential for loss.

So if we do a qualitative analysis, and you could hear the term Delphi technique associated with qualitative analysis, because with qualitative analysis what we're really doing is we're likely asking your team members, what do you guys think? How likely is it to happen? Okay, it's pretty likely to happen, we'll make that high likelihood. What's the impact? Not so much, we'll make that low impact, right? It is a very subjective process. And the Delphi technique simply says we're gonna collect that information and allow our people to contribute anonymously.

If you've ever gotten a survey for class, or those anonymous surveys, that's technically the Delphi technique, because we understand people are more likely to be honest if they don't have their name attached to their comments, right? So the Delphi technique is a lot of times used with qualitative analysis. Now, qualitative analysis helps me kind of figure out, okay, these are the top priority, these are low priority, these are mid priority. But the problem with qualitative is it doesn't give us the ability to put a dollar amount on a particular risk, right? So qualitative helps me prioritize. But if I want to know, okay, I'll spend $50, no more, or $50,000, no more, to mitigate this risk, I need quantitative.

Quantitative is objective. It's fact-based; we're using empirical data. I want a dollar value. It doesn't always have to be a dollar value, but it usually is. So you can imagine the pros and cons of each. Qualitative is quick, it is biased. You know the problem, though. It's quick, it's cheap, right? You know those benefits. The problem is, we only know what we know. If I don't have a diverse group of team members, then I'm gonna have a very skewed qualitative analysis. And even if I do have a diverse group of risk analysts, we still are gonna find that it doesn't give us enough data to be confident in a business decision. So we want to take that a step further and use quantitative analysis. So again, qualitative analysis being subjective, being quick, it's cheap.

Often we kind of map out the qualitative analysis on a heat chart, or in this case we have a probability and impact matrix, so that you can just say, okay, it looks like this first activity is a high severity and a high impact, so that's a high priority risk item. How much money do I spend to mitigate that risk? I don't know, right, because I don't have that information. If I go through into a qualitative analysis, though, that's where I get the dollars out.

So we're talking about the dollar value. We're using empirical data, right? We're using fact-based methodology. And you know what? This happens, you know, three times a year. Every time it happens, it costs me $3000; that's $9000 annual loss. Well, if that's true, it might make sense to spend $5000 to mitigate. That's the type of work that we're doing with quantitative analysis. I want the numbers, because numbers will justify my expense.
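The two approaches the lecture contrasts, written up as an added Python example (not part of the course material): a probability-and-impact matrix that turns High/Medium/Low ratings into a priority band, and the annual-loss arithmetic behind the instructor's "three times a year, $3000 each, spend $5000 to mitigate" reasoning. The level names, score thresholds, and function names are my own assumptions.

```python
from dataclasses import dataclass

# Qualitative side: subjective High/Medium/Low ratings for likelihood and
# impact, combined on a 3x3 probability-and-impact matrix into a priority.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_priority(likelihood: str, impact: str) -> str:
    """Return 'high', 'medium' or 'low' priority for a likelihood/impact pair.

    Score = likelihood * impact; thresholds (>=6 high, >=3 medium) are an
    assumed convention, not one stated in the lecture.
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Quantitative side: empirical loss per event and frequency per year.
@dataclass(frozen=True)
class QuantitativeRisk:
    single_loss_expectancy: float     # dollar cost of one occurrence (SLE)
    annual_rate_of_occurrence: float  # expected occurrences per year (ARO)

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE * ARO, e.g. $3000 * 3/year = $9000/year."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def control_value(risk: QuantitativeRisk, annual_control_cost: float,
                  residual_aro: float = 0.0) -> float:
    """Net annual value of a control: ALE before, minus ALE after, minus cost.

    residual_aro is the occurrence rate left after the control (0.0 means the
    control is assumed to eliminate the event entirely).
    """
    ale_before = risk.annual_loss_expectancy()
    ale_after = risk.single_loss_expectancy * residual_aro
    return ale_before - ale_after - annual_control_cost


def worth_spending(risk: QuantitativeRisk, annual_control_cost: float,
                   residual_aro: float = 0.0) -> bool:
    """True when the control returns more than it costs (positive ROI)."""
    return control_value(risk, annual_control_cost, residual_aro) > 0


if __name__ == "__main__":
    outage = QuantitativeRisk(single_loss_expectancy=3000, annual_rate_of_occurrence=3)
    print(qualitative_priority("high", "high"), outage.annual_loss_expectancy(),
          worth_spending(outage, 5000), worth_spending(QuantitativeRisk(100, 1), 500))
```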
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.
