Risk Analysis


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 4.7: Risk Analysis
00:07
In this video, we will cover the risk analysis steps.
00:10
We'll take a look at a few risk analysis methodologies,
00:14
and we'll also look at the likelihood and impact scoring example.
00:23
Here we go into the nitty gritty of really understanding the information and starting to quantify the risk level from the scenarios in the previous steps.
00:31
The level of detail that one goes into is dependent on a variety of factors.
00:37
Essentially, it's your choice, as long as the risks are identified and managed.
00:42
Here are a few key steps.
00:44
These are steps outlined in ISO 27005,
00:49
so these could be tailored and adjusted based on the needs of your organization.
00:55
With regards to methodologies, you can pretty much use any risk management methodology you want.
01:00
You can choose to use ISO 27005,
01:04
NIST 800-37,
01:08
IRAM2, or whatever works for your organization.
01:14
The biggest differentiator to take note of here is whether you're going to go for a qualitative approach or quantitative approach
01:21
or even a hybrid of the two.
01:23
During the assessment of consequences, one tries to better quantify or understand the consequences in terms of the asset value.
01:32
The assessment of likelihood is quite critical,
01:36
as this is where one determines whether the scenario is likely to take place or not.
01:41
The best way to determine likelihood is to look at history within your organization.
01:46
Has this incident occurred in the past and if so, how often?
01:51
What allowed it to happen? Or is it something that is not preventable?
01:55
Often your organization would already have an enterprise risk management framework defined, and it can be a lot easier to keep the processes linked and use the likelihood levels defined in your enterprise risk management framework.
02:08
The level of risk determination is the final step. This puts a final indication of likelihood and impact, or the consequence level,
02:16
to a particular incident.
02:19
These can be quantitative or qualitative, depending on the methodology you chose previously.
02:24
There are some methodologies out there that could make working out the risk level quite easy.
02:30
Some of these have been incorporated into the SimpleRisk tool, which we'll take a look at later.
02:38
So to go over the steps of risk analysis, once again,
02:42
we look at and choose a risk analysis methodology.
02:46
We will assess the consequences
02:49
we'll make an assessment of
02:51
incident likelihood,
02:53
and then we will determine the level of risk and impact.
03:09
There are many ways to score risks, especially when it comes to information security risks.
03:15
I've listed a couple of these methods here.
03:17
These methods are ones included in the really cool tool called SimpleRisk,
03:22
which we'll be doing a demo on in the next section.
03:25
The type of risk scoring you use will also depend on the risk quantification methodology you have chosen.
03:32
A quantitative approach might be better supported with a more numbers based approach to better support the objectivity and quantitative elements required,
03:42
while qualitative is always a lot more subjective in nature;
03:46
however, you can hybridize approaches and blend them, as having just one or the other is sometimes not as effective as a combination of both.
03:55
You can go and check out the demo of the SimpleRisk tool and play around with these risk scoring techniques.
04:00
Once you've had a look at them and see them in a practical manner, it is much easier to choose which one works best for you.
04:09
The really cool thing about using a tool like SimpleRisk
04:12
is you can score each risk differently.
04:15
A more qualitative risk, such as a disgruntled employee taking down a server,
04:19
can be scored using the classic method,
04:21
while a cross site scripting attack on a web application can be scored using the OWASP risk scoring method.
04:31
To run through these examples,
04:34
the first one is the classic risk scoring method, which is simply likelihood times impact.
04:42
The CVSS method uses CVSS metrics to determine a risk score.
04:49
DREAD
04:50
determines a risk based on the damage potential,
04:55
reproducibility, exploitability, affected users and discoverability.
05:01
OWASP, which we will go through in an example after this slide,
05:06
uses two categories of likelihood and two of impact to determine a risk.
05:13
Contributing Risk uses one chosen likelihood
05:16
and has a user-defined amount of weighted factors contributing to impact.
05:23
For example,
05:24
you can set confidentiality, integrity and availability as impact factors and weight each one differently
05:31
to come up with an overall weighted
05:34
impact score.
05:41
Let's do a quick example
05:44
for incidents that relate to vulnerabilities in technology,
05:46
such as devices or software.
05:48
we're going to use the OWASP risk rating methodology.
05:54
It uses four factors to come up with the rating for likelihood
05:58
as well as technical and business impact.
06:00
This considers threat agent factors of skill level, motive, opportunity and size.
06:09
Next, it looks at vulnerability factors of ease of discovery, ease of exploit, awareness, and intrusion detection.
06:17
The impact is split into technical and business impact.
06:21
The technical impact looks at loss of confidentiality,
06:26
loss of integrity,
06:28
loss of availability and loss of accountability.
06:31
The business impact looks at financial damage,
06:35
reputational damage,
06:38
non compliance
06:40
and privacy violation.
06:43
Each of these has a number of options within them with various scores,
06:46
which, when entered into the OWASP formula, will give you ratings for the likelihood and impact.
06:54
You can also use the levels defined by your enterprise risk management framework and subjectively match the best levels.
07:01
The OWASP risk framework is great for focusing on technical scenarios,
07:06
especially when one needs to feed through results of penetration tests and vulnerability assessments into the risk management process.
07:23
With the OWASP example shown previously, the likelihood and impact levels can range from a scale of 0 to 9.
07:30
To work this out, simply add together all the values in the categories and divide by the total number of factors considered.
07:40
For example, likelihood would be made up of the score of skill level plus motive
07:46
plus opportunity plus size plus ease of discovery, plus ease of exploit plus awareness plus intrusion detection
07:55
divided by eight.
07:57
The technical impact would be made up of a loss of confidentiality, plus a loss of integrity
08:03
plus the loss of availability
08:05
plus the loss of accountability, divided by four.
08:09
The business impact would be made up of financial damage
08:13
plus reputation damage
08:16
plus non compliance
08:18
plus privacy violation divided by four.
08:28
To summarize
08:31
in this lesson 4.7
08:33
we covered the steps in risk analysis as per ISO 27005,
08:39
which aligns to the steps required
08:41
in ISO 27001.
08:45
We also looked at some of the types of risk scoring methods available,
08:48
as well as the difference between quantitative risk analysis and qualitative risk analysis.
08:54
We then went through an example of determining impact and likelihood
08:58
using the OWASP risk scoring method.
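Worked example, added here as an illustration and not code from the video or from SimpleRisk: a Python implementation of the OWASP averaging formula the lesson walks through (eight likelihood factors divided by eight, four technical and four business impact factors each divided by four), alongside the classic likelihood times impact score for a non-technical scenario. The factor names are labels chosen for this example; the 0 to 9 scale, the LOW/MEDIUM/HIGH cut-offs and the severity matrix follow the OWASP Risk Rating Methodology. The XSS option values are constructed sample input.

```python
"""Worked example of the OWASP Risk Rating Methodology averaging formula.

Added illustration; not code from the video or from SimpleRisk. Factor names
are descriptive labels chosen here; the 0-9 scale, level cut-offs and the
severity matrix follow the OWASP Risk Rating Methodology.
"""

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_factors(scores, factors):
    """Sum the 0-9 option values for every factor and divide by the factor count.

    Every factor must be present and in range: a silently skipped factor would
    bias the average, so incomplete or out-of-range input is rejected.
    """
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    values = [scores[f] for f in factors]
    bad = [f for f, v in zip(factors, values) if not 0 <= v <= 9]
    if bad:
        raise ValueError(f"factor values must be 0-9: {bad}")
    return sum(values) / len(values)


def level(score):
    """OWASP 0-9 bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def owasp_rating(likelihood_scores, technical_scores, business_scores=None):
    """Rate a technical scenario; business impact takes precedence when supplied."""
    likelihood = average_factors(likelihood_scores, LIKELIHOOD_FACTORS)
    technical = average_factors(technical_scores, TECHNICAL_IMPACT_FACTORS)
    business = (average_factors(business_scores, BUSINESS_IMPACT_FACTORS)
                if business_scores is not None else None)
    impact = business if business is not None else technical
    return {
        "likelihood": likelihood,
        "likelihood_level": level(likelihood),
        "technical_impact": technical,
        "business_impact": business,
        "impact_level": level(impact),
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }


def classic_rating(likelihood, impact, scale=5):
    """Classic method: likelihood times impact on a shared 1..scale ordinal scale."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= v <= scale:
            raise ValueError(f"{name} must be 1-{scale}, got {v}")
    return likelihood * impact


# Constructed sample: reflected XSS on a customer portal, option values picked
# from the OWASP factor tables for illustration only.
XSS_LIKELIHOOD = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
}
XSS_TECHNICAL = {
    "loss_of_confidentiality": 6, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
}
XSS_BUSINESS = {
    "financial_damage": 3, "reputation_damage": 4, "non_compliance": 2, "privacy_violation": 5,
}

if __name__ == "__main__":
    print(owasp_rating(XSS_LIKELIHOOD, XSS_TECHNICAL, XSS_BUSINESS))
    # A non-technical scenario scored with the classic method instead.
    print("disgruntled insider takes down server:", classic_rating(3, 4))
```

With the constructed values the likelihood averages 6.125 (HIGH) and the business impact 3.5 (MEDIUM), so the matrix gives an overall severity of High; dropping the business factors falls back to the technical impact of 4.25, which lands in the same MEDIUM band. The validation in `average_factors` matters in practice: a risk register that lets an assessor leave a factor blank quietly lowers the divisor and changes the band.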