Listen 4.7 risk analysis
In this video, we will cover the risk analysis steps.
We'll take a look at a few risk analysis methodologies,
and we'll also look at the likelihood and impact scoring example.
Here we go into the nitty gritty of really understanding the information and starting to quantify the risk level from the scenarios in the previous steps.
The level of detail that one goes into is dependent on a variety of factors.
Essentially, it's your choice. As long as the risks are identified and managed.
Here are a few key steps
These are steps outlined in ISO 27,000 and five,
so these could be tailored and adjusted based on the needs of your organization.
With regards to methodologies, you can pretty much use any risk management methodology you want.
You can choose to use I. So 27,005
I ran to whatever works for your organization.
The biggest differentiator to take note of here is whether you're going to go for a qualitative approach or quantitative approach
or even a hybrid of the two.
During the assessment of consequences, one tries to better quantify or understand the consequences in terms off the asset value.
The assessment of likelihood is quite critical,
as this is where, one determines, is the scenario likely to take place or not?
The best way to determine likelihood is to look at history within your organization.
Has this incident occurred in the past and if so, how often?
What allowed it to happen? Or is it something that is not preventable?
Often your organization would already have an enterprise risk management framework defined, and it can be a lot easier to keep The process is linked and use the likelihood levels to find in your enterprise risk management framework.
The level of risk determination is the final step on. This puts a final indication of likelihood and impact or the consequence level
to a particular incident.
These can be quantitative or qualitative, depending on the methodology you chose previously.
There are some methodologies out there that could make working out the risk level quite easy.
Some of these have been incorporated into the simple risk tool, which will take a look at later.
So to go over the steps of risk analysis, once again,
we look at and choose a risk analysis methodology.
We will assess the consequences
well. Macon Assessment Off
And then we will determine the live a lot of risk and impact.
There are many ways to score risks, especially when it comes to information security risks.
I've listed a couple of these methods here.
These methods are ones included in the really cool tool called Simple Risk,
which will be doing a demo on in the next section.
The type of risk scoring you use will also depend on the risk quantification methodology you have chosen.
A quantitative approach might be better supported with a more numbers based approach to better support the objectivity and quantitative elements required,
while qualitative, is always a lot more subjective in nature,
however, you can hybridize approaches and blend them as having just one of the other is sometimes not as effective as a combination of both.
You can go and check out the demo of the simple risk tool and play around with these risk scoring techniques.
Once you've had a look at them and see them in a practical manner, it is much easier to choose which one works best for you.
The really cool thing about using a tool like simple risk
is you can school eat risk differently.
A more qualitative risk, such as a disgruntled employee taking down a server,
can be scored using the classic method,
while a cross site scripting attack on a Web application can be scored using the arose Oh WASP risk scoring method
To run through these examples,
the first one is the classic risk scoring method, which is simply likelihood. Times impact.
The C. V. S s method uses C. V S s metrics to determine every score.
determines a risk based on the damage potential.
Reproduce ability, exploit ability, affected users and discover ability.
00 wasp, which we will go through in an example after this slide
uses two categories of likelihood and two of impact. To determine a risk or
contributing risk. Uses one chosen likelihood
and has a user defined amount of weighted factors contributing Thio impact.
you can sit confidentiality, integrity and availability as impact factors and wait each one differently
to come up with an overall waited
Let's do a quick example
for incidents that related vulnerabilities and technology,
such as devices or software.
We're going to use the oh WASP risk rating methodology.
It uses four factors to come up with the rating for likelihood
as well as technical and business impact.
This considers threat agent factors of skill level, motive, opportunity and size.
Next, it looks at vulnerability factors off ease of discovery, ease of exploit awareness and intrusion detection.
The impact is split into technical and business impact.
The technical impact looks at loss of confidentiality,
loss of availability and loss of accountability.
The business impact looks at financial damage,
and privacy violation.
Each of these has a number of options within them with various scores,
which, when entered into the OAS formula, it will give you ratings for the likelihood and impact.
You can also use the levels defined by your enterprise risk management framework and subjectively match the best levels.
The OAS risk framework is grateful, focusing on technical scenarios,
especially when one needs to feed through results of penetration tests and vulnerability assessments into the risk management process.
With the uh worst example shown previously, the likelihood and impact levels can range from a scale of 0 to 9
to work This art simply add together all the values in the categories on divide by the total number of factors considered.
For example, likelihood would be made up of the score of skill level plus motive
plus opportunity plus size plus ease of discovery, plus ease of exploit plus awareness plus intrusion detection
The technical impact would be made up of a loss of confidentiality, plus a loss of integrity
plus the loss of availability
plus the loss of accountability divided by form.
The business impact would be made up of financial damage
plus reputation damage
plus privacy violation divided by four.
we covered the steps in risk analysis as per I. So 27,000 and five
which aligns to the steps required
in I so 27,000 and one.
We also looked at some of the types of risk scoring methods available,
as well as the difference between quantitative risk analysis and qualitative risk analysis.
We then went through an example of determining impact and likelihood
using the over wasp risk scoring method