CRISC

Course
Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers IT risk assessment, which is the process used to identify and evaluate a risk event. Risk assessment is different from identification in that identification focuses on determining and documenting the types of risks that can affect an organization, whereas assessment is a means of evaluating the risk and its potential effect. This lesson also discusses NIST 800-100, which is a standard for risk assessment. Finally, the lesson also discusses quantitative and qualitative analysis formulas and definitions.

Video Transcription

00:04
All right, so we finished up with Chapter two, which was risk identification. Now we're moving into risk assessment, and I know those two terms are very, very comparable, and you'll hear them used sometimes interchangeably out in the field. Ah, and as a matter of fact, you can see risk assessment is the process used to identify and evaluate a risk event.
00:22
But let's go back. And actually, in just a minute, we'll talk about that a little bit more
00:27
and try to break out those differences between identification and assessment. All right, so we'll go through that as part of the overview. Then we'll talk about some of the tools
00:36
and techniques that we use as part of risk assessment. The big word I want you to focus on with this chapter is valuation. Give me a value for that risk event. Don't just tell me what risk might happen. How likely is it, and how big of an impact will it have?
00:53
So we'll then take a look at the current controls that we have in place and see if they're working. If they're not, what do we do about it? Do we implement new controls? Do we correct the existing controls
01:03
and make a decision there? And then ultimately, what we're working towards is a value of the risk event, both qualitative and quantitative, and we'll discuss the difference. Of course,
01:17
if we look at identification versus assessment, so identification, we're gonna list, we are enumerating. We're making a list of the potential threats, their probability and impact. As a matter of fact, when we started the risk register that I showed you previously,
01:34
all we had done in Chapter one was just list out the risks
01:38
and gave them an ID number. But now what we're looking to do is try to get an idea of the impact and probability. You know, we keep saying those words, but that's what assessment's all about. So again, maybe on a scale of 1 to 10, how likely is it to happen? Or is it low probability? High probability?
01:57
That's kind of qualitative analysis, and qualitative analysis
02:01
is subjective. It's gut feeling, you know, it's, it's, yeah, that's probably gonna happen,
02:07
but where we really want to get, so that we could make our business decisions, is quantitative analysis. You tell me there's a 30% chance that I'm gonna lose $10,000. Well, to me, that's a little over $3,000 risk.
02:20
So ultimately with assessment, what I'm hoping to walk away with is a dollar value for the potential of loss, and that will drive me to make my decisions on mitigation.
02:30
Now, NIST Special Publication 800-100 has what their approach to risk assessment is, but their approach to risk assessment, you know, really, with the assessment we're working, you know, kind of in here. They actually start off with identifying the system or characterizing it.
02:49
What that part really is
02:51
is, that's establishing the contents of the system and its value. That really is more risk identification, right, where we figure out the contents of a system and what it's worth. So now we get into figuring out what are the vulnerabilities and threats, because you have to have the two to have a risk. Then we're gonna figure out what controls are in place,
03:09
probability and impact.
03:12
What amount of risk? These pieces right here, that's the real piece. That is the assessment. From there we move to controls, and then of course we document.
03:23
All right, so with our system characterization, like I said, we're figuring out: What's the system used for? What's the classification of data that system contains? What are the losses? What's the potential for loss, ah, whether it's damage to the organization as a whole? Or does it cost me revenue if this system is down? So right here,
03:43
we're evaluating our asset.
03:46
Now the second step, threat identification. We've seen this slide before, right? Rogue infrastructure, um, malware of all these different types, not to mention the numerous other threats that come from all sorts of different directions. This is from White Hat and this is actually a couple years old. But
04:02
a lot of this is still very valid, just to give you an idea
04:06
of the different threats that are out there. Cross site scripting,
04:11
Huge threat today. Information leakage. So confidential information. Ah, spoofing for authorization code injection. You know what all of these threats very, very frequent, especially in certain environments. And they are
04:30
you know, these threats are very valid,
04:31
but without a vulnerability, they don't matter, right? So cross-site scripting is a huge threat. But if I have a well-written, well-designed, well-verified, validated website,
04:42
cross-site scripting isn't a threat to me. So the point that I want to make is you only have a risk if you have both a threat and a vulnerability. Millions of threats out there; let's work on our vulnerabilities and close those up. We move on next to control analysis.
04:57
This is where we look at the situation. We look at the controls that we already have in place.
05:02
So what we're considering here is, it's not like I'm just walking into a brand new building that has no policies, has no systems. We're evaluating our current environment, and we have controls in place. And the question is, are they working? Well,
05:17
how much money am I losing based on materialized threats? I have antivirus software, yet I lose $1,000,000 a year for viruses.
05:27
Probably not working very well. So we take a look at the systems that are in place to figure out, is this, ah, is this, uh, continuing to work for us? Like I said, where we're moving, what we want to get to, is value.
05:42
I need something that I can make decisions on
05:45
The problem with that is I can't jump straight to a quantitative dollar value. I have to start with qualitative. And here's why.
05:53
Qualitative is sort of the foundation for quantitative.
05:58
What qualitative analysis does is it allows us to gather a group of people, maybe our risk team, maybe our IT team. Or maybe it's for a specific project; we have a risk team, whatever that may be. I'm gonna gather these people together, and I'm gonna say, look, let's talk about technical threats to our project.
06:15
What are some things that you think could cause, ah, a threat to the development of this website from the technical aspects?
06:23
Okay, what about, um, physical threats? You know, what about the location of our facility? What about fires, floods, hurricanes, those sorts of things? So what we do when we do qualitative analysis is we brainstorm. We come up with all the threats that we can think of,
06:41
we prioritize them, we organize them.
06:44
I don't know if you've ever seen a risk breakdown structure; that's basically just a hierarchy of the risks on a project, or in relation to an event.
06:53
And we use qualitative analysis just to get the threats out there, right, just to talk about them. Just to brainstorm. And when we do that, before I move on,
07:03
ultimately our next step is to kind of put them in order based on our perception of their probability and impact.
07:12
It's a good starting place,
07:14
But are we right? Like I said, this is kind of subjective. My opinion's very different than yours. You know, everybody knows what they know based on their experiences. So we move from here into the facts. Give me the facts. Let's do a quantitative analysis. So let me go back and do some research.
07:31
I'm deciding whether or not I want to incorporate a firewall.
07:35
My guess is yes, but let's do some investigation. All right. So, um, a senior network technician says, you know, we're gonna lose a lot of money if I don't put a firewall here.
07:46
What does that even mean? You know, is a lot of money 10 bucks? Because on some weeks, maybe it is. Is a lot of money 10 million? Well, that's where quantitative analysis comes in. So what we're gonna do is we're gonna quantify some of the risks. All right? So we said in qualitative analysis, without a firewall, we can have
08:05
malicious threat from the outside.
08:07
Okay, we can have attacks on our confidentiality, our integrity, our availability. All right, so let's just talk about availability.
08:16
So without a firewall to protect our Web server, for instance, um,
08:22
there is, ah, ah, 38%. Let's not use tricky numbers. There's a 50% chance that we're gonna have a compromise on our Web server. Okay? And that's just, let's say we've done research. We're looking at, based on the size of our organization, comparable agencies in the same sort of field.
08:41
You know, we're gathering information from all the sources that are available.
08:46
Could be everything from our competitors, information published by insurance companies. Wherever we get that information, we found that there's a 50% chance we're gonna have a compromise.
08:56
All right, well, if they're gonna deny our Web server, if they're gonna DDoS our Web server, let's say it that way. Um, then our Web server will be unavailable.
09:07
For every 15 minutes my Web server's down, because of the revenue it generates for us,
09:13
if it's down, let's say for every hour it's down, I lose $100,000.
09:18
All right, well, I've got a 50% chance that without a firewall, my Web server will fall under attack
09:24
at $100,000 per hour.
09:28
I'm looking at a $50,000 per hour risk, if that makes sense.
09:33
So the point that I wanted to make is you've gotta have those kinds of numbers to say, well, all of a sudden,
09:41
you know, a firewall of $15,000 doesn't sound so bad if it protects me from the potential of losing $50,000 an hour.
09:48
Right? So what we have to do is we have to compare the potential for loss
09:54
with the cost of the countermeasure and make a good business decision. If you remember me saying that you want just enough security to provide the degree of protection that you want
10:05
without spending more than the potential for loss, that's exactly it. That is what a quantitative analysis gives me.
10:13
So, fact-based. It takes time. You've got to do your due diligence. You've got to get the numbers together. You need some experts working with you, because this will be the driver for how much money you spend to mitigate. Don't make a mistake here. We make our control recommendations based on cost-benefit analysis.
10:31
And if you'll remember my answer, how much security is enough?
10:35
Just enough.
10:37
Don't spend more than the potential for loss.
10:39
So I've got that quantitative analysis, and I just want to go back to give you a couple of terms. These could show up on the exam. It's definitely possible, but certainly having an understanding of these and their value, what they mean to us, ah, definitely important.
10:56
All right, so if you think back to our discussions, what have I said, just throughout this entire class, is the very first step of risk management?
11:07
That first step is: identify your assets, right, identify and evaluate your assets. Here's what I'm protecting. Here's what it's worth.
11:16
So, ah, when we do some of these calculations, we'll refer to asset value as AV,
11:22
easy enough, eh? We'll take our asset value.
11:26
Now, another piece that we'll look at is called the exposure factor. If you'll remember when we were talking about, um,
11:35
loss, we said we need two things to calculate loss: the probability that it will happen, and how much damage will happen if it does. This is the damage piece, exposure factor. This is the impact piece. If I have a fire and lose 70% of my home,
11:54
that's the exposure factor. That 70% loss.
11:58
That's the impact.
12:00
Probability's actually down here, an annual rate of occurrence. I said there was a 50% chance of a denial of service attack on my Web server.
12:09
So 50% is the ARO. The assumption would be per year.
12:15
Okay, again, that could be a little iffy. You could make your arguments with that. But that's generally the assumption. So if I have three failures
12:24
in six years,
12:26
the annual rate of occurrence, three failures, six years, once every two years.
12:31
All right, single loss expectancy.
12:35
Every time I suffer a loss, how much do I lose?
12:39
Every time this risk event materializes, what does it cost me?
12:43
I have $100,000. That's my asset value.
12:46
I'm gonna lose 50% of it, the exposure factor.
12:50
So what did it cost me?
12:50
$50,000.
12:52
So asset value times exposure factor
12:56
equals single loss expectancy.
12:58
Every time we have a loss, what does it cost me?
13:01
All right, now this loss, whatever it may be, happens three times per year. Three times per year I lose $50,000. That's a total annually of $150,000.
13:13
So these are numbers that we use, um, to, to assess
13:20
the value of the loss, and I cannot stress enough, these numbers aren't easy to come up with. You know, on the test, they'll say, you know, your data is valued at $10,000, or you have a warehouse worth blah, blah, blah. They'll tell you that. But of course, it's very complex to calculate the values here, um,
13:39
total cost of ownership. Make sure we understand that when we purchase a mitigation technique or strategy or control, rarely is it a one-time expense. You know, let's say, um, I purchase antivirus software, but yearly I have to pay an update fee.
13:56
I always think, whenever I talk about total cost of ownership, I always think about inkjet vs. laser jet printers and how you can get an inkjet printer for nothing, I mean 30 bucks. The problem with that is the cartridges last a week, and then you have to pay $30 for every new cartridge you want. Whereas in the long run, your laser jets are much cheaper
14:16
in the big picture.
14:18
And always we want to keep in mind that total cost of ownership.
14:22
The other thing that we want to know is ROI, return on investment.
14:28
If I spend money, I want something for it. I want some value. So if I implement a control, I want that control to save me money.
14:37
So if I find out that per year I'm losing $150,000
14:41
but the control costs me 160,
14:45
that doesn't make sense to do, right?
14:46
So I want to get that positive return on investment, which essentially means I want to spend less per year
14:54
than the annual loss expectancy associated with the threat.
14:58
So those are some numbers and some ideas. Um, if I were testing, I'd probably freeze the screen here. I'd probably pause and make sure I have a good definition for these, because these are very important ideas in the world of risk management. As well as the ideas,
15:13
as far as any formulas would go, you know, understanding that asset value times exposure factor
15:20
gives me single loss,
15:22
single loss times ARO gives me annual loss,
15:26
and I want the return on investment to be positive.
15:28
Thank you.
15:30
So hopefully that's helpful.
15:31
All right, so these are the formulas. Pause the screen here; you can see how we get single loss expectancy, annual loss expectancy, TCO and ROI, return on investment. So just to clarify this,
15:46
how much money am I losing on this threat? Before I do anything about it, I'm losing $100,000.
15:54
I implement the control. Now I'm only losing $20,000.
15:58
That saves me $80,000.
16:00
Hey, except the control costs something as well, right? So I have to subtract that out to get the total value of what the control was worth to the company. And I hope that makes sense. But I would certainly advocate pausing here as well; these formulas are fair game, both as just memorizing the formulas,
16:18
but they could also give you maybe a short scenario
16:22
and ask you to calculate ALE or even possibly return on investment.
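The formulas the lesson walks through (SLE = AV x EF, ALE = SLE x ARO, TCO, and the value of a control as loss avoided minus its cost) carried through in code, as an added example that is not part of the course material. It reuses the lesson's figures ($100,000 asset, 50% exposure factor, three events a year, three failures in six years, $100,000 ALE before a control and $20,000 after, a $15,000 firewall); the $5,000 yearly maintenance fee and three-year lifetime used to annualize the control's TCO are constructed assumptions, and every function name is this example's own.

```python
"""Worked quantitative risk assessment: SLE, ARO, ALE, TCO and control ROI.

Added example using the lesson's figures; the control's recurring cost and
lifetime in worked_example() are constructed placeholders, not lesson values.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(occurrences: int, years: float) -> float:
    """ARO = expected events per year (three failures in six years -> 0.5)."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return occurrences / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: what this risk is expected to cost per year."""
    return sle * aro


def total_cost_of_ownership(purchase_price: float, annual_recurring: float, years: int) -> float:
    """TCO over the control's life: the one-time purchase plus every recurring yearly cost."""
    return purchase_price + annual_recurring * years


def annualized_control_cost(purchase_price: float, annual_recurring: float, years: int) -> float:
    """Spread the TCO evenly over the control's lifetime so it compares with an annual ALE."""
    return total_cost_of_ownership(purchase_price, annual_recurring, years) / years


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a control: loss avoided minus what the control costs per year."""
    return (ale_before - ale_after) - annual_control_cost


def control_roi(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """ROI as net value over cost; positive means the control costs less than the loss it avoids."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return control_value(ale_before, ale_after, annual_control_cost) / annual_control_cost


@dataclass(frozen=True)
class RiskScenario:
    """One risk event with the inputs the lesson's formulas need."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro)


def worked_example() -> dict:
    """Run the lesson's numbers and return each result keyed by name."""
    # Lesson figures: $100,000 asset, 50% lost per event, three events per year.
    web = RiskScenario("web server denial of service", 100_000, 0.5, 3.0)
    # Lesson figure: three failures observed in six years.
    aro_three_in_six = annualized_rate_of_occurrence(3, 6)
    # Lesson figure: $15,000 firewall. Constructed assumptions: $5,000 yearly
    # maintenance over a three-year lifetime, giving $10,000 per year.
    yearly_cost = annualized_control_cost(15_000, 5_000, 3)
    # Lesson figures: $100,000 lost per year before the control, $20,000 after.
    return {
        "sle": web.sle(),
        "ale": web.ale(),
        "aro_three_in_six": aro_three_in_six,
        "control_annual_cost": yearly_cost,
        "control_value": control_value(100_000, 20_000, yearly_cost),
        "control_roi": control_roi(100_000, 20_000, yearly_cost),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value:,.2f}")
```

The $80,000 the lesson arrives at is the loss avoided (ALE before minus ALE after); `control_value` then subtracts the control's annualized cost, which is the step the lesson says exam questions tend to hinge on, and `annualized_control_cost` is there because a control is rarely a one-time expense, so its TCO has to be put on the same per-year footing as the ALE before the two are compared.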

CRISC

Archived Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor