CISM

Course
Time
8 hours 39 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Transcription

00:03
So it just kind of introduced you to the ideas of
00:07
different types of risk assessments. Now, I just wanted to give you a few examples of how these will look.
00:13
So when we look at this qualitative risk assessment.
00:17
Now, I know it has numbers, 1 2 3 4 5, 1 2 3 4 5. So you could really make the argument that this is semi-qualitative or semi-quantitative,
00:27
but really, what we're getting at is these ideas of very low, low, medium, high.
00:32
So if I look at the way, you know, I personally call this a probability and impact matrix. You may see likelihood and severity, so likelihood and probability mean the same thing. Severity and impact or even consequence would be the same thing.
00:49
So ultimately, what we're getting here is this idea of prioritization of risk. We're getting a risk
00:57
ranking.
00:58
So, for instance, if we were to look at these risks in red, for instance, those would be risks that have a very high probability, very high impact
01:07
These are risks we can't leave alone, right? We've gotta actively mitigate. So, you know, for those types of risks, I'm thinking we need risk reduction.
01:18
All right, when we get into the orange area, we may continue to reduce those risks.
01:23
Uh,
01:25
we may transfer the risks in yellow. We may accept the risks in green. You know, these are just sort of ways of prioritizing. We're starting to think about our risk responses. We don't have anything written in stone yet,
01:40
but we're starting to think about what these types of assessments are going to mean.
01:45
Now, when we want
01:47
the numeric value,
01:49
give me the facts, give me the dollar value. And that's really helpful, because if you tell me my potential for loss is $10,000, well, maybe I won't hedge so much at spending $500 to mitigate that loss, right? So really, when you're talking to senior management, and the buck stops here, talk about the book
02:07
and tell them you know, in dollar value, here's the return on investment.
02:13
You can't do that with everything,
02:15
but when you can get a quantitative analysis, that's bad.
02:19
All right, so some terms: asset value.
02:23
That's where we always start.
02:24
And then we talk about ideas like probability and impact.
02:29
Impact is usually expressed as exposure.
02:32
That's the percentage of loss to
02:36
the asset should this risk event materialize,
02:38
and that's hard to come up with, Right? This goes back to that idea that there's
02:43
always gonna be a little bit of a subjective
02:46
aspect, even to quantitative analysis, right? We usually associate subjective with qualitative.
02:53
But, you know, when you're trying to say, in the event of a fire, I'm gonna lose 73% of my warehouse
03:00
here,
03:00
right?
03:01
You can get the best you can, but you can't be 100% sure of that.
03:06
All right. And then, if you jump down to annual rate of occurrence, that's probability.
03:12
How many times per year does this risk event happen?
03:15
So if you take the
03:17
value of the asset times the exposure,
03:22
okay, $300,000 building, I'm gonna lose 20%.
03:27
Well, ultimately, that's gonna give me the single loss expectancy.
03:32
Now, I don't want you to worry about these formulas. If you've got a background in risk management,
03:37
if you have studied for the CISSP exam, you'll know these.
03:42
But the idea is probability times impact gives me loss.
03:46
Right? So, um,
03:49
when we're talking about these ideas, these are the formulas we're looking to come up with.
03:53
And ultimately, what we'd like to do is to get an annual loss expectancy and figure out, well,
04:00
my potential for loss per year. What am I spending per year on these risk events that materialize? And that way we're going to take it and compare it to the cost of the countermeasure.
04:13
Now, in the cost of the countermeasure, we always have to realize that that's,
04:16
uh,
04:17
with many controls, you're not just paying up front, right? They often have recurring expenses. Like antivirus software, you have to pay for yearly updates. So think total cost of ownership, and then you want a positive return on our investment.
04:33
Here's how much
04:35
come on safe.
04:38
And then here's just a little example of a semi-quantitative risk analysis.
04:44
So again, they're kind of assigning numeric values, but we're still
04:48
level,
04:49
right? So we say high.
04:53
Um, you know, again, we're addressing,
04:56
probably
04:57
probability and impact,
04:59
and one of the things your firm
05:01
way come down. We assess a risk is having a very
05:06
semi quantitative value probability comes in,
05:11
um, those tend to be
05:13
with
05:15
talk about was accepted to medication risks,
05:20
You know, if it costs too much.
05:23
Gator Rennes.
05:26
Now the problem with that
05:29
What if we underestimated the risk?
05:31
What if we didn't identify
05:33
a risk event? What if our mitigation strategies don't work?
05:38
What if we underestimate that
05:43
we have one of those risks that we accepted
05:46
happening
05:47
very big impact on my company.
05:50
What? I'm asking
05:51
what happens when
05:57
with our mitigation
06:00
based all
06:00
whether we go qualitative, quantitative, or semi-quantitative,
06:04
That's gonna justify our risk response
06:10
my
06:11
better way, maybe, of wording that question is
06:15
what keeps your company going
06:17
when risk,
06:18
Say
06:21
what keeps your company going when risk management fails
06:25
and that
06:27
cliffhanger
06:28
for the next set.
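The two kinds of assessment the lecture walks through, the colour-banded probability/impact matrix and the asset value / exposure factor / annual rate of occurrence arithmetic, are small enough to put side by side in code. The block below is an added worked example, not Cybrary's or the instructor's own material. It reuses the lecture's $300,000 building with 20% exposure; the annual rate of occurrence, the control's purchase and yearly costs, the reduced exposure after the control, and the score thresholds that separate red, orange, yellow and green are all assumptions made for this example.

```python
"""Worked risk-analysis example (added; not from the Cybrary course).

Part 1 applies the transcript's quantitative formulas:
    SLE = asset value * exposure factor
    ALE = SLE * annual rate of occurrence (ARO)
and compares the ALE before and after a control against the control's
annual cost of ownership (up-front plus recurring), which the lecture
describes as the basis for a return-on-investment argument.

Part 2 ranks a 1-5 likelihood and 1-5 impact into the red / orange /
yellow / green bands of a probability-and-impact matrix and maps each
band to the response the lecture associates with it (reduce, transfer,
accept). The score thresholds are an assumption of this example.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE in dollars: how much of the asset is lost in one event.
    exposure_factor is a fraction 0.0-1.0 (20% -> 0.20)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE in dollars per year. aro is occurrences per year; a fire
    expected once per decade is an ARO of 0.1."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def control_annual_cost(upfront: float, recurring_per_year: float, years: int) -> float:
    """Total cost of ownership spread evenly over the control's lifetime,
    so a one-off purchase and a yearly subscription are comparable."""
    if years <= 0:
        raise ValueError("control lifetime must be at least one year")
    return (upfront + recurring_per_year * years) / years


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Loss avoided per year minus what the control costs per year.
    Positive means the control pays for itself; negative means it is
    cheaper to accept or transfer the risk."""
    return (ale_before - ale_after) - annual_cost


# Part 2: qualitative / semi-quantitative matrix.
# Response per band follows the lecture: red and orange -> reduce,
# yellow -> transfer, green -> accept.
RESPONSES = {"red": "reduce", "orange": "reduce", "yellow": "transfer", "green": "accept"}


def risk_band(likelihood: int, impact: int) -> str:
    """Rank a 1-5 likelihood and 1-5 impact into a colour band.
    The likelihood*impact cut-offs below are assumed for this example."""
    for score in (likelihood, impact):
        if not 1 <= score <= 5:
            raise ValueError("likelihood and impact must be 1-5")
    product = likelihood * impact
    if product >= 20:
        return "red"
    if product >= 12:
        return "orange"
    if product >= 6:
        return "yellow"
    return "green"


def suggested_response(likelihood: int, impact: int) -> str:
    return RESPONSES[risk_band(likelihood, impact)]


def warehouse_fire_example() -> dict:
    """Lecture figures: $300,000 building, 20% exposure.
    Constructed assumptions: fire ARO of 0.1, a suppression system that
    costs $15,000 up front plus $500/year over 10 years and cuts the
    exposure to 5% without changing the ARO."""
    sle = single_loss_expectancy(300_000, 0.20)
    ale_before = annual_loss_expectancy(sle, 0.1)
    ale_after = annual_loss_expectancy(single_loss_expectancy(300_000, 0.05), 0.1)
    cost = control_annual_cost(upfront=15_000, recurring_per_year=500, years=10)
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": cost,
        "net_benefit": control_net_benefit(ale_before, ale_after, cost),
    }


if __name__ == "__main__":
    for key, value in warehouse_fire_example().items():
        print(f"{key:>12}: ${value:,.2f}")
    print("likelihood 5, impact 5 ->", risk_band(5, 5), "/", suggested_response(5, 5))
    print("likelihood 1, impact 2 ->", risk_band(1, 2), "/", suggested_response(1, 2))
```

Running it shows the point the lecture makes about subjectivity inside quantitative analysis: every dollar figure downstream depends on the exposure factor and ARO estimates, so the net benefit should be read as a comparison tool for management, not a measurement.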


Cybrary's Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry.

Instructed By

Kelly Handerhan
Senior Instructor