Time
5 hours 49 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello, everybody, and welcome to the IoT Security episode number 18,
00:05
IoT Risk.
00:07
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:12
The learning objective of this module is to understand how to measure risk in a qualitative and quantitative way and make decisions over the results.
00:25
Well, basically, uh, let's start, you know, from the beginning,
00:30
risk is the result of two important measures which will be the impact
00:39
and
00:40
this impact is reduced to how much it will hurt you in terms of money and, in IoT, in terms of
00:50
sometimes lives. Uh, you know, how it will hurt you if your smartwatch explodes,
00:57
You know, all that stuff. But, you know, let's say that this is, uh can be measured in both or in one way, uh, which includes money and the other includes little lives,
01:10
This is the impact. I mean, how much it will hurt your company, or just, you know, in this case, we're taking the approach, since we're talking about risk,
01:19
approach from the business, from the company. So how much it'll hurt your company in terms of money, in terms of life,
01:26
uh, losses, you know, lawsuits and all that stuff.
01:30
And, uh, the other important thing to measure risk is the probability,
01:42
uh, which is basically how likely it is that the hacker exploits your devices, how likely it is that they perform a denial-of-service attack, how likely it is that they steal the data, they perform, you know, some jamming to, to, again, and the denial of service real,
02:01
you know, the likelihood or the probability of this happening. So the result of these two,
02:08
it will give us the risk.
02:14
So, uh,
02:15
uh, we have two ways to measure this: qualitative and quantitative. Qualitative is when the information owners, I mean, the owner of the server, the owner of the information itself,
02:29
ah, has meetings with the information security consultant.
02:35
And they say, you know what? The server is located right here.
02:40
Uh, for example, we have
02:44
Let's say this is a smartwatch, guys, sorry about the drawings. But this is communicating to a cell phone,
02:52
and in turn, the cell phone's communicating to a server which is located in the cloud
02:59
right here.
03:00
Okay, so we have meetings with the information owner or, you know, the person in charge of the server right here
03:10
and we ask him, okay, what will be the impact? Will it be high, will it be medium, will it be low? Um, this person tells us that if someone hacks into this server, it could, you know, harm directly the end user,
03:28
so they feel that the impact will be high. So
03:31
say, okay, we'll give it a score from zero to 10. Okay, score of 10. And the probability is also high because, for some reason, I don't know why, but for some reason, this is exposed directly to the Internet, there's no firewall in the middle. There's no other countermeasure that we can count on. So probability,
03:51
again, measured from one to,
03:53
from 0 to 10, is 10. So we can say that we can multiply this. Remember, this is qualitative. So if you're more comfortable
04:03
just adding the numbers or multiplying them, you know, whatever works for you. You can also use these in terms of words: high, this is high, this is medium, this is low, and that, that's perfectly fine, because we're not dealing with numbers just yet
04:19
and this gives us, ah, a risk of a hundred.
04:25
Right. So this is the specific scenario that we described right here.
04:30
we can start doing some,
04:33
uh,
04:35
analysis over, you know, this is the impact
04:43
and this is the probability.
04:46
And we can say that since this is 10, and this is 10, this is located right here.
04:54
And we have other scenarios where the impact might be lower or the probability might be lower. For example, another scenario, it will be the same 10, but the probability is two because the server is inside an intranet.
05:08
And it has a firewall in between and also has information on IPS.
05:15
I mean, a DLP, any other solution that you can think of. So right here the risk will be on the train. We can consider this a really low risk, which will be located
05:28
right here, and we may have another scenario where all of this
05:32
it's Intel. Is that the probability, the risk will be 50 or 60? I don't know. And it will be right here.
05:41
So as you can see, we can start creating a graphic which tells us all the important risks that, to, to,
05:50
we can, we need to mitigate.
05:53
Now, the problem is that
05:55
this is all qualitative. Quantitative, um, is where the numbers come in. It is not the easiest way to start a risk assessment, with a quantitative, I mean, a quantitative analysis, because we don't have numbers. We don't have any records from previous years.
06:12
We don't have anything that can actually tell us, okay, this 10 is actually 10.
06:16
Uh, this, I don't know, this number is actually something that represents something to you.
06:21
There's a basic formula, which is, um,
06:25
the single loss expectancy
06:28
equals the price of the asset. For example,
06:34
we can say asset price, you can give it a name, and the probability of this occurrence, of this occurring,
06:43
um, for the probability.
06:46
So this will give us the single loss expectancy. And then we have the ALE, which is the annualized loss expectancy, which will be the single loss expectancy, ah, uh, uh,
07:01
multiplied by the annualized
07:03
rate of occurrence.
07:06
And this is, you know, a basic formula you can use to start converting
07:11
your qualitative analysis into quantitative analysis. So these will give you some numbers to, to, actually,
07:19
uh, you know, be part of this. So, uh,
07:24
this is
07:25
now that we have, you know that both the impact it's located right here
07:30
how much we'll lose, for example, we'll lose
07:32
10 bucks
07:34
in this example, and the probability is high too, so the risk will be high. The risk, let's say that is right here.
07:42
So now it doesn't make sense to put a countermeasure in place that is worth
07:47
50 bucks
07:50
because at the end of the day it will be only 10 bucks, which is right here,
07:56
what's the point of investing or spending 50 bucks on a solution? It doesn't make sense. So this is where terms like return of investment
08:07
and cost-benefit analysis come into play.
08:11
Whenever we're trying to choose a solution or a countermeasure for our IoT infrastructure, we have to take into consideration all of these terms.
08:20
Uh, there's a great tool which is, you know, fairly new. It's called X Analytics. They will
08:30
actually measure your cyber exposure risk.
08:33
It will give you, okay, with the countermeasures you already have in place for your infrastructure, in this case, IoT,
08:41
you're likely to lose this amount of money so you can make
08:46
decisions over the solutions you can, you can choose.
08:52
What does SLE mean? Well, it means single loss expectancy, and it's the value you expect to lose over a single, you know, device or a single occurrence.
09:03
How do you measure ALE? Well, annualized loss expectancy is measured by multiplying the single loss expectancy
09:13
by the annualized rate of occurrence.
09:18
What are the two most common ways to reduce risk? Well, you either reduce the impact,
09:24
uh, reduce the likelihood or the probability.
09:28
Uh, the impact is really kind of difficult to reduce because at the end, the server, you can put all the countermeasures in front of the server or the device, but, you know, the impact if someone exploits that device is the same. And you either lose money, you're, look, you're losing lives,
09:48
you know, so the most common way, I'd say, is to reduce the probability.
09:54
In today's brief lecture we talked about IoT risk. We discussed both the qualitative and quantitative way of measuring risk.
10:05
Ah, materials I will recommend to take a look at: the X Analytics platform and application.
10:13
They specialize in measuring cyber risk, cyber risk exposure.
10:22
In the next video, we'll be covering IoT countermeasures. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

IoT Security

The IoT Security training course is designed to help IT professionals strengthen their knowledge about the Internet of Things (IoT) and the security platforms related to it. You’ll also be able to identify the security, privacy and safety concerns related to the implementation of an IoT infrastructure.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor