Risk Analysis

00:01

Listen 4.7 risk analysis

00:07

In this video, we will cover the risk analysis steps.

00:10

We'll take a look at a few risk analysis methodologies,

00:14

and we'll also look at the likelihood and impact scoring example.

00:23

Here we go into the nitty gritty of really understanding the information and starting to quantify the risk level from the scenarios in the previous steps.

00:31

The level of detail that one goes into is dependent on a variety of factors.

00:37

Essentially, it's your choice. As long as the risks are identified and managed.

00:42

Here are a few key steps

00:44

These are steps outlined in ISO 27,000 and five,

00:49

so these could be tailored and adjusted based on the needs of your organization.

00:55

With regards to methodologies, you can pretty much use any risk management methodology you want.

01:00

You can choose to use I. So 27,005

01:04

Next 800-37.

01:08

I ran to whatever works for your organization.

01:14

The biggest differentiator to take note of here is whether you're going to go for a qualitative approach or quantitative approach

01:21

or even a hybrid of the two.

01:23

During the assessment of consequences, one tries to better quantify or understand the consequences in terms off the asset value.

01:32

The assessment of likelihood is quite critical,

01:36

as this is where, one determines, is the scenario likely to take place or not?

01:41

The best way to determine likelihood is to look at history within your organization.

01:46

Has this incident occurred in the past and if so, how often?

01:51

What allowed it to happen? Or is it something that is not preventable?

01:55

Often your organization would already have an enterprise risk management framework defined, and it can be a lot easier to keep The process is linked and use the likelihood levels to find in your enterprise risk management framework.

02:08

The level of risk determination is the final step on. This puts a final indication of likelihood and impact or the consequence level

02:16

to a particular incident.

02:19

These can be quantitative or qualitative, depending on the methodology you chose previously.

02:24

There are some methodologies out there that could make working out the risk level quite easy.

02:30

Some of these have been incorporated into the simple risk tool, which will take a look at later.

02:38

So to go over the steps of risk analysis, once again,

02:42

we look at and choose a risk analysis methodology.

02:46

We will assess the consequences

02:49

well. Macon Assessment Off

02:51

incident, livelihood

02:53

And then we will determine the live a lot of risk and impact.

03:09

There are many ways to score risks, especially when it comes to information security risks.

03:15

I've listed a couple of these methods here.

03:17

These methods are ones included in the really cool tool called Simple Risk,

03:22

which will be doing a demo on in the next section.

03:25

The type of risk scoring you use will also depend on the risk quantification methodology you have chosen.

03:32

A quantitative approach might be better supported with a more numbers based approach to better support the objectivity and quantitative elements required,

03:42

while qualitative, is always a lot more subjective in nature,

03:46

however, you can hybridize approaches and blend them as having just one of the other is sometimes not as effective as a combination of both.

03:55

You can go and check out the demo of the simple risk tool and play around with these risk scoring techniques.

04:00

Once you've had a look at them and see them in a practical manner, it is much easier to choose which one works best for you.

04:09

The really cool thing about using a tool like simple risk

04:12

is you can school eat risk differently.

04:15

A more qualitative risk, such as a disgruntled employee taking down a server,

04:19

can be scored using the classic method,

04:21

while a cross site scripting attack on a Web application can be scored using the arose Oh WASP risk scoring method

04:31

To run through these examples,

04:34

the first one is the classic risk scoring method, which is simply likelihood. Times impact.

04:42

The C. V. S s method uses C. V S s metrics to determine every score.

04:49

Dread

04:50

determines a risk based on the damage potential.

04:55

Reproduce ability, exploit ability, affected users and discover ability.

05:01

00 wasp, which we will go through in an example after this slide

05:06

uses two categories of likelihood and two of impact. To determine a risk or

05:13

contributing risk. Uses one chosen likelihood

05:16

and has a user defined amount of weighted factors contributing Thio impact.

05:23

For example,

05:24

you can sit confidentiality, integrity and availability as impact factors and wait each one differently

05:31

to come up with an overall waited

05:34

impact school.

05:41

Let's do a quick example

05:44

for incidents that related vulnerabilities and technology,

05:46

such as devices or software.

05:48

We're going to use the oh WASP risk rating methodology.

05:54

It uses four factors to come up with the rating for likelihood

05:58

as well as technical and business impact.

06:00

This considers threat agent factors of skill level, motive, opportunity and size.

06:09

Next, it looks at vulnerability factors off ease of discovery, ease of exploit awareness and intrusion detection.

06:17

The impact is split into technical and business impact.

06:21

The technical impact looks at loss of confidentiality,

06:26

loss of integrity,

06:28

loss of availability and loss of accountability.

06:31

The business impact looks at financial damage,

06:35

reputational damage,

06:38

non compliance

06:40

and privacy violation.

06:43

Each of these has a number of options within them with various scores,

06:46

which, when entered into the OAS formula, it will give you ratings for the likelihood and impact.

06:54

You can also use the levels defined by your enterprise risk management framework and subjectively match the best levels.

07:01

The OAS risk framework is grateful, focusing on technical scenarios,

07:06

especially when one needs to feed through results of penetration tests and vulnerability assessments into the risk management process.

07:23

With the uh worst example shown previously, the likelihood and impact levels can range from a scale of 0 to 9

07:30

to work This art simply add together all the values in the categories on divide by the total number of factors considered.

07:40

For example, likelihood would be made up of the score of skill level plus motive

07:46

plus opportunity plus size plus ease of discovery, plus ease of exploit plus awareness plus intrusion detection

07:55

divided by eight.

07:57

The technical impact would be made up of a loss of confidentiality, plus a loss of integrity

08:03

plus the loss of availability

08:05

plus the loss of accountability divided by form.

08:09

The business impact would be made up of financial damage

08:13

plus reputation damage

08:16

plus non compliance

08:18

plus privacy violation divided by four.

08:28

To summarize

08:31

in this lesson 4.7

08:33

we covered the steps in risk analysis as per I. So 27,000 and five

08:39

which aligns to the steps required

08:41

in I so 27,000 and one.

08:45

We also looked at some of the types of risk scoring methods available,

08:48

as well as the difference between quantitative risk analysis and qualitative risk analysis.

08:54

We then went through an example of determining impact and likelihood