 # Quantitative Risk Assessment

Video Activity
Join over 3 million cybersecurity professionals advancing their career
or Time
1 hour 39 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:01
This is risk management and information technology.
00:03
In this lesson we will learn about the quantitative risk assessment process, different quantitative calculations and analysis of the results.
00:13
In our previous lesson we discuss qualitative risk assessment. In this lesson we will discuss quantitative risk assessment, which is the calculation based risk assessment process that uses probability percentage to determine risk.
00:29
In quantitative risk assessment, we use dollar figures to determine levels of risk, potential loss, a cause of countermeasures, and the valley of safeguards. This allows management to determine the prioritization of risk management decisions.
00:42
This is an overview of the quantitative risk management process.
00:47
The risk assessment team determines the value of the asset that carries the risk.
00:52
Then they calculate exposure factor.
00:56
Then the risk assessors calculate the single loss expectancy,
01:00
then they assess the annual rate of occurrence,
01:03
then they derived the annualized loss expectancy.
01:08
After all the data is gathered and calculated. The risk assessment team performs a cost benefit analysis of the counter measures applied towards the risk.
01:18
After that overview let us deep dive into each step of the process.
01:23
The risk assessment team determines the asset value to each asset by assigning a dollar value to the asset.
01:30
An asset can be an existing inventory, hardware devices, structure or any property organization has
01:38
and organizations, reputations as customers and potential customers.
01:42
This valley is determined by the market and the demand of the asset.
01:49
We calculate exposure factor,
01:52
which is the potential loss and percentage of loss. If a threat is realized or a curse,
01:57
we didn't calculate for the single loss expectancy.
02:00
This is the exact amount of loss that organization would experience once the trade occurs.
02:05
This can be calculated using the exact, as soon as the asset value multiplied by the exposure factor.
02:13
For example, we have a data center with servers, equipment and personnel that is valid \$100,000 with an exposure factor of 45%.
02:22
That's silly. Can be calculated at \$45,000.
02:25
The annual rate of occurrence is expected frequency of the threat.
02:30
On an annual basis.
02:30
It can range from zero to a large number and is derived from historical records, statistics and industry data available to the risk of specimen team.
02:42
Then we calculate for the annualized loss expectancy, which is the yearly cost of all instances of realized threats.
02:49
This means the total cost of all risks that happened to the organization.
02:53
This is calculated as S. L. E. Multiplied by the arrow.
02:57
For example, we have an outage at the data center, which is where in a year and that will cost \$25,000 for the currents.
03:05
Whereas losing the entire data center in a fire would cost organization \$1.125 million.
03:10
Now let's talk about how quantitative risk assessment calculates risk.
03:15
The basic risk calculations. The annualized loss expectancy.
03:20
This is a daunting process that uses software modeling and automated tools that have predetermined asset valuations.
03:27
These valuations are basic geography,
03:30
industry and asset types.
03:34
We can also calculate for annualized loss expectancy with safeguard.
03:38
If the safeguard is implemented,
03:40
this is done by adding a line item for ellie. If a safeguard is implemented,
03:46
each exposure factor, an annualized rate of occurrence is specific to safeguard.
03:50
The safeguards should reduce the number of times that I just realized
03:53
and this is used in cost benefit analysis to help management make risk based decisions.
04:00
The safeguard cost includes purchase of the safeguard, implementation costs, licensing and customization.
04:08
The cost of deploying A safeguard should be lowered the national value of the asset.
04:13
The safeguard may also have annual costs, such as maintenance agreements, professional services or licensing fees, which is called the annual cost of safeguards.
04:24
This is done by determining the annual clause expectancy for both before and after implementing a safeguard and subtract the annual cost of the safeguard.
04:33
For example,
04:35
using fire retardant technology,
04:38
temperature sensors, smoke and fire alarms are applied to the data center we had discussed earlier.
04:44
They live for losing the entire data centers 1.125 million, which is derived from 45,000, which is the sle
04:53
multiply the number of service from our previous example,
04:57
If the safeguards are applied,
05:00
we can hypothetically reduced the damage of fire to localized part of the data center and potentially just lose five servers in the process,
05:08
Multiplied with a single loss expectancy rate of the data center. This results in \$225,000.
05:16
The annual cost of safeguards provided by the hypothetical vendor in this case is an additional 25,000.
05:25
With this in mind we can calculate that the value of losing the entire data center is is at \$1.125 million. And adding the safeguard costs. An annual cost of maintaining the solution is 875 thousands in savings. After applying the safeguards
05:40
from here, we can follow two rules. One is that if the result is negative, it is not a financial responsible choice,
05:46
but if the result is positive,
05:48
As we can see here, the annual savings is equal to return 75,000.
05:56
Finally, let's discuss the cost benefit of the safeguard.
05:59
The values that the analysts may come up with
06:01
do not necessarily reflect real world boss.
06:04
The value of each safeguard should be sorted from greatest to lowest to return. Prioritization of management
06:10
and in doing so, we should considered a security and operating budget and always consider the bottom line and the value of the benefit.
06:20
In summary
06:21
today's lesson, we discussed the quantitative risk analysis process.
06:27
We talked about the equations used in a quantitative risk analysis.
06:30
We also calculated the cost and benefit
06:33
and analyzed the results.
06:39
Thank you for completing this lesson.
06:41
Is this your instructor robert gown?
Up Next