now, after we're complete with our risk assessment. We understand the value of what we're protecting, and we have an idea of the threats and the vulnerabilities. Now what we want is a value and value can come in two ways. It could be a qualitative value or quantitative value.
Now the qualitative value is all about, um, subjective sort of line of thought, gut feeling. Ah, prioritization off the risks. So, for instance, if I'm throwing a picnic in two weeks, what's a threat?
All right. How big a potential for weather to disrupt my picnic in the month of December?
Well, that's pretty high, right? That's qualitative analysis that's based on my gut feeling that's based on my experience. What I expect
that means I'm doing a qualitative analysis. So when we're talking about high medium, low probability, that's qualitative.
Um, the Delphi technique, which is mentioned in the slide, means that as someone that's involved with risk analysis, I don't work alone. I have to talk to my subject matter expert experts, other members of my team, and I want their input,
and a good way to get input from other team members is to allow them to input information anonymously and when we're doing anonymous are asking for anonymous input. We're using the Delphi technique with the idea that people would be more honest if they can creep contribute anonymously
so that qualitative means of analyzing analysing risks. We talk with our team members are subject experts. We allow them to contribute anonymously, if possible. And what we come up with is high, medium and low rankings of our risk. Now that doesn't tell me how much money to spend, but it
Della's help me prioritize.
Ah, lot of times when we're using qualitative analysis will come up with something called the Probability and Impact Matrix or this severity and likelihood again, likelihoods Just like probability. Severity is like impact. And when we do this, what we're gonna do is indicate certain risks have a very high severity and a high likelihood,
some less of a severity, but still a relatively high likelihood. Some have a very low severity, but a very high likelihood. We're just kind of reading this chart, but the bottom line is this is really a, um,
a subjective chart. Your organization is gonna create this chart based on your internal structure. So nothing's written in stone about this chart. But very frequently we do have a diagram or some sort of visual clue that will help us understand, which are the risks we need to focus our money on.
So if you were to look at the screen and you see that we have a risk here that has a high severity
and a high likelihood, that's a risk. We better focus on quickly because that risk is gonna have the highest potential for damage and create a lot of damage so very important. Whereas if we have something with a very low potential likelihood in the low severity, we may choose not to spend as much money on that risk.
So the qualitative analysis will guide us to
what we really want to get, too, which is the quantitative analysis. This requires more expertise. It requires more time. We're gonna use calculations we're gonna use math to determine I'm an English major. So using math is not always the greatest joy of my life. But
we're gonna use math. We're gonna get the numbers, and we're gonna do some fact based analysis
that will give us the numeric ideally the dollar value of a risk that will then drive us into how much money will spend.
So when we're doing quantitative analysis, we've gotta figure out some pieces of information.
Remember from earlier we said the very first step, when we're doing risk management, is to identify and then evaluate our assets. So I'm gonna look at an asset value as my first means of beginning quantitative analysis. I'm protecting a building that's $300,000.
That's the value of the assets.
Hey, just what's the asset worth? And when we come up with the asset value, remember, we don't just estimate hardware calls. We've got to think about all the things that go into giving an asset without
okay, which would be many untangles
now, the next element exposure factor. How much of that asset am I gonna lose if the risk does materialize?
So I've spent $10,000 on this picnic.
If it rains, it'll be an 80% loss because 80% of the staff won't show up. We've determined that Hey, that's my exposure factor.
If we have $100,000 worth of data and 50% of it will be lost if a virus attacks. Well, that's a $50,000. I'm sorry. That's a 50% exposure factor.
A now single loss expectancy. How much money will I lose each time this event happens? So we have $100,000 worth of Dad. I have a 50% exposure factor. My single loss expectancy is $50,000.
Every time we have this compromise, I'll lose $50,000.
But I'm probably not gonna have this event happen every year. Or maybe I will. Who knows? What's the type of threat?
Annual rate of occurrence tells me how frequently per year this event will happen.
Annual, uh, rate of occurrence. So that's the probability. How likely is this toe happen? Exposure factor, really is the impact, right? How much am I gonna lose? Annual rate of occurrence is the probability.
Ultimately, then we want an annual loss expectancy.
Hey, how much do I spend on this particular risk per year?
All right, so we've already said I've got $100,000 worth of data
and I'll lose 50% of that data. There's a compromise, so that gives me a single loss expectancy. $50,000
But if this loss happens three times per year,
well, now I've got an annual loss expectancy of 150,000 families, $50,000.3 times a year. So that's an annual loss expectancy of 1 50
Hey, so that's kind of how this works. I doubt you'll really have to do calculations, but you will need to understand the principles off quantitative analysis you'll probably have to on this test. Answer a couple of questions. What is this term mean? Because again, I cannot stress enough. This is one of the most important concerns
going into developing. Our software
is understanding the appropriate amount of security, and I don't know what the appropriate amount of security is. Unless I truly understand the potential for laws. Remember, security will always cost me something.
How much will it cost? Comes from quantitative analysis.
All right now, total cost of ownership when we implement controls, How much money does it cost us to implement a control over its life span so we might implement any virus software that has an up front cost of $5000 but we have a maintenance fee of $1000 every year,
so We've gotta figure that into the total cost of ownership.
And then ultimately, when we look at how much this safeguard has saved us, how much money it saved us, that's the return on investment.
So for every dollar I spend, what did I get back? What did I say?
So that's return on investment in all of thes air, very important when it comes to really understanding lost potential.
So just, ah, little bit of an overview again to get my single walls expectancy, take the asset value times exposure factor. And again, this could pop up on the test. So I would take a few minutes to memorize these terms and then these formulas.
But ultimately, if you don't get so caught up in memorizing the formulas and you just think it through,
you know, every time this happens, it cost me $10,000. It happens four times a year. What's my annual loss? $40,000. You don't have to get so tangled up in memorizing formula for that