# Examples of Risk Analysis Techniques


Time: 14 hours 39 minutes

Difficulty: Intermediate

CEU/CPE: 13

Video Transcription

00:03

So I just kind of introduced you to the ideas of

00:07

different types of risk assessments. Now, I just wanted to give you a few examples of how these will look.

00:13

So when we look at this qualitative risk assessment

00:17

Now, I know it has numbers: 1, 2, 3, 4, 5, 1, 2, 3, 4, 5. So you could really make the argument that this is a semi-qualitative or semi-quantitative,

00:27

But really, what we're getting at is these ideas of very low, low, medium, high.

00:32

So if I look at the way, you know, I personally call this a probability and impact matrix. You may see likelihood and severity, so likelihood and probability mean the same thing. Severity and impact or even consequence would be the same thing.

00:49

So ultimately, what we're getting here is this idea of prioritization of risk. We're getting a risk

00:57

ranking.

00:58

So, for instance, if we were to look at these risks in red, for instance, those would be risks that have a very high probability, very high impact

01:07

These are risks we can't leave alone, right? We've gotta actively mitigate. So, you know, for those types of risks, I'm thinking we need risk reduction.

01:18

All right, when we get into the orange area, we may continue to reduce those risks.

01:23

Uh,

01:25

we may transfer the risks. In yellow, we may accept the risks. Injury in green. You know, these are just sort of ways of prioritizing. We're starting to think about our risk responses. We don't have anything written in stone yet,

01:40

but we're starting to think about what these types of assessments are going to mean.

01:45

Now, when we want

01:47

the numeric value,

01:49

give me the facts, give me the dollar value. And that's really helpful, because if you tell me my potential for loss is $10,000, well, maybe I won't hedge so much. It's spending $500 to mitigate that loss, right? So really, when you're talking to senior management and the buck stops here, talk about the buck

02:07

and tell them you know, in dollar value, here's the return on investment.

02:13

You can't do that with everything,

02:15

but when you could get a quantitative analysis, that's bad.

02:19

All right, so some terms: asset value.

02:23

That's where we always start.

02:24

And then we talk about ideas like probability and impact.

02:29

Impact is usually expressed as exposure.

02:32

That's the percentage of loss,

02:36

the asset should this risk event materialize,

02:38

and that's hard to come up with, Right? This goes back to that idea that there's

02:43

always gonna be a little bit of a subjective

02:46

aspect, even to quantitative analysis, Right? We usually associate subjective with qualitative.

02:53

But you know, when you're trying to say in the event of a fire, I'm gonna lose 73% of my warehouse

03:00

here,

03:00

right?

03:01

You can get the best you can, but you can't be 100% sure of that.

03:06

All right. And then, if you jump down to annual rate of occurrence, that's probability.

03:12

How many times per year does this risk event happen?

03:15

So if you take the

03:17

value of the asset times the exposure

03:22

okay, $300,000 building, I'm gonna lose 20%.

03:27

Well, ultimately, that's gonna give me the single loss expectancy.

03:32

Now, I don't want you to worry about these formulas. If you've got a background in risk management,

03:37

if you have studied for the CISSP exam, you'll know these.

03:42

But the idea is probability times impact gives me loss.

03:46

Right? So, um,

03:49

when we're talking about these ideas, these are the formulas we're looking to come up with.

03:53

And ultimately what we'd like to do is to get an annual loss expectancy and figure out well

04:00

how potential for loss per year. What am I spending per year on these risk events that materialize? And that way we're going to take it and compare it to the cost of the countermeasure.

04:13

Now, in the cost of the countermeasure, we always have to realize that that's,

04:16

uh,

04:17

with many controls, you're not just paying up front, right? They often have recurring expenses. Like antivirus software, you have to pay for yearly updates. So think total cost of ownership, and then you want a positive return on our investment.

04:33

Here's how much

04:35

come on safe.

04:38

And then here's just a little example of a semi-quantitative risk analysis.

04:44

So again, they're kind of assigning numeric values, but we're still

04:48

level,

04:49

right? So we say Hi.

04:53

Um, you know, again, we're dressing,

04:56

probably

04:57

probability and impact,

04:59

and one of the things your firm

05:01

way come down. We assess a risk is having a very

05:06

semi quantitative value probability comes in,

05:11

um, those tend to be

05:13

with

05:15

talk about was accepted to medication risks,

05:20

You know, if it costs too much.

05:23

Gator Rennes.

05:26

Now the problem with that

05:29

What if we underestimated the risk?

05:31

What if we didn't identify

05:33

a risk event? What if our mitigation strategies don't work?

05:38

What if we underestimate that

05:43

we have one of those risks that we accepted

05:46

happening

05:47

very big impact on my company.

05:50

What? I'm asking

05:51

what happens when

05:57

with our mitigation

06:00

based all

06:00

whether we can qualitative quantitative for semi quantitative,

06:04

That's gonna justify our risk response

06:10

my

06:11

better way. Maybe if wording that question is

06:15

what keeps your company going

06:17

when risk,

06:18

Say

06:21

what keeps your company going when risk management fails

06:25

and that

06:27

cliffhanger

06:28

for the next set.
