# Risk Analysis

Video Activity

This lesson will explain the difference between qualitative and quantitative risk analysis and the benefits of each analysis method. Qualitative analysis: The subjective analysis to help prioritize probability and impact of risk events May use the Delphi technique to solicit objective opinions Quantitative analysis: - Provides a dollar value to a p...

Join over 3 million cybersecurity professionals advancing their career
or

Time
3 hours 54 minutes
Difficulty
CEU/CPE
4
Video Description

This lesson will explain the difference between qualitative and quantitative risk analysis and the benefits of each analysis method. Qualitative analysis:

• The subjective analysis to help prioritize probability and impact of risk events

• May use the Delphi technique to solicit objective opinions

Quantitative analysis: - Provides a dollar value to a particular risk event

• Is much more sophisticated in nature, a quantitative analysis is much more difficult and requires a special skill set

• A quantitative analysis can't exist on its own. A quantitative analysis depends on qualitative information

Furthermore, a qualitative analysis is subjective in nature and uses words such as; "high" "medium" and "low" to describe the likelihood and severity of a threat exposing a vulnerability. A quantitative analysis will require much more experience than a qualitative analysis. In addition a quantitative analysis will: - Involve more calculations to determine a dollar value associated with each risk event

• Business decisions will be made on the basis of quantitative analysis

• The goal of this analysis will be to determine the dollar value of a risk and use that amount to determine what the best control for a particular asset is

A quantitative analysis is necessary for a cost/benefit analysis

Video Transcription
00:04
now, after we're complete with our risk assessment. We understand the value of what we're protecting, and we have an idea of the threats and the vulnerabilities. Now what we want is a value and value can come in two ways. It could be a qualitative value or quantitative value. Now the qualitative value
00:24
Hey,
00:24
is all about, um, subjective sort of line of thought, gut feeling. Ah, prioritization off the risks. So, for instance, if I'm throwing a picnic in two weeks, what's a threat? Weather.
00:39
All right. How big a potential for weather to disrupt my picnic in the month of December?
00:46
Well, that's pretty high,
00:47
right? That's qualitative analysis that's based on my gut feeling that's based on my experience. What I expect
00:54
that means I'm doing a qualitative analysis. So when we're talking about high medium, low probability, that's qualitative.
01:03
Um, the Delphi technique, which is mentioned in the slide, means that as someone that's involved with risk analysis, I don't work alone. I have to talk to my subject matter expert experts, other members of my team, and I want their input and a good way to get input from other team members
01:22
is to allow them to input information
01:25
anonymously and when we're doing anonymous are asking for anonymous input. We're using the Delphi technique with the idea that people would be more honest if they can creep contribute anonymously
01:37
so that qualitative means of analyzing analysing risks. We talk with our team members are subject experts. We allow them to contribute anonymously, if possible. And what we come up with is high, medium and low rankings of our risk. Now that doesn't tell me how much money to spend, but it
01:57
Della's help me prioritize.
01:59
Ah, lot of times when we're using qualitative analysis will come up with something called the Probability and Impact Matrix or this severity and likelihood again, likelihoods Just like probability. Severity is like impact. And when we do this, what we're gonna do is indicate certain risks have a very high severity and a high likelihood,
02:19
some less of a severe it ate, but still a relatively high likelihood.
02:23
Some have a very low severity that very high likelihood. We're just kind of reading this chart, but the bottom line is this is really a, um ah, subjective chart. Your organization is gonna create this chart based on your internal structure. So nothing's written in stone about this sharp. But very frequently
02:44
we do have a diagram
02:45
or some sort of visual clue that will help us understand, which are the risks we need to focus our money on. So if you were to look at this screen and you see that we have a risk here that has a high severity and a high likelihood, that's a risk. We better focus on quickly because that risk is gonna have the highest potential
03:04
for damage
03:05
and create a lot of damage so very important. Whereas if we have something with a very low potential likelihood and the low severity, we may choose not spend this much money on that risk. So the qualitative analysis will guide us to what we really want to get, too, which is the quantitative analysis.
03:23
This requires more expertise. It requires more time.
03:27
We're gonna use calculations we're gonna use math to determine I'm an English major. So using math is not always the greatest joy of my life. But we're gonna use math. We're gonna get the numbers, and we're gonna do some fact based analysis that will give us the numeric ideally the dollar value of a risk
03:46
that will then drive us into how much money will spend.
03:50
So when we're doing quantitative analysis, we've gotta figure out some pieces of information.
03:57
Remember from earlier we said the very first step, when we're doing risk management, is to identify and then evaluate our assets. So I'm gonna look at an asset value as my first means of beginning quantitative analysis. I'm protecting a building that's \$300,000.
04:15
That's the value of the assets.
04:17
Hey, just what's the asset worth? And when we come up with the asset value, remember, we don't just estimate hardware calls. We've got to think about all the things that go into giving and assets out. OK, which would be many untangles
04:33
intangibles now the next element exposure factor. How much of that asset am I gonna lose if the risk does materialize? So I've spent \$10,000 on this picnic.
04:48
If it rains, it'll be in the 80% loss because 80% of the staff won't show up. We've determined that
04:56
Hey, that's my exposure factor.
04:59
If we have \$100,000 worth of data and 50% of it will be lost if a virus attacks. Well, that's a \$50,000. I'm sorry. That's a 50% exposure factor.
05:11
A now single walls expectancy. How much money will I lose each time this event happens? So we have \$100,000 worth of Dad. I have a 50% exposure factor. My single loss expectancy is \$50,000.
05:27
Every time we have this compromise, I'll lose \$50,000.
05:31
But I'm probably not gonna have this event happened every year. Or maybe I will. Who knows What's the type of threat? Annual rate of occurrence tells me how frequently per year this event will happen.
05:44
Annual. Ah, rate of occurrence. So that's the probability. How likely is this toe happen? Exposure factor, really is the impact right? How much am I gonna lose? Annual rate of occurrence? Is the probability
05:58
adamantly Then we want an annual loss expectancy.
06:02
How much do I spend on this particular risk per year?
06:08
All right, so we've already said I've got \$100,000 worth of data
06:12
and I'll lose 50% of that, Dad, if there's a compromise. So that gives me a single loss expectancy. \$50,000.
06:20
But if this loss happens three times per year,
06:24
well, now I've got an annual loss expectancy of 150,000. We'll lose \$50,000.3 times a year, so that's an annual loss expectancy of 1 50
06:33
Hey, so that's kind of how this works. I doubt you'll really have to do calculations, but you will need to understand the principles off quantitative analysis you'll probably have to on this test. Answer a couple of questions. What is this term mean? Because again, I cannot stress enough. This is one of the most important concerns
06:54
going into developing. Our software
06:57
is understanding thehe pro PRI. It amount of security, and I don't know what the appropriate amount of security is. Unless I truly understand the potential for laws. Remember, security will always cost me something.
07:11
How much will it cost comes from quantitative announce.
07:15
All right now, total cost of ownership when we implement controls, how much money does it cost us to implement a control over its life span so we might implement any virus software that has an up front cost of \$5000 but we have a maintenance fee of \$1000 every year.
07:33
So we've gotta figure that into the total cost of ownership.
07:36
And then ultimately, when we look at how much this safeguard has saved us, how much money it saved us, that's the return on investment.
07:46
So for every dollar I spend, what did I get back? What did I say? So that's return on investment in all of thes air, very important when it comes to really understanding lost potential.
08:00
So just, ah, little bit of an overview again to get my single loss expectancy, take the asset value times exposure factor. And again, this could pop up on the test. So I would take a few minutes to memorize thes terms and then these formulas.
08:16
But ultimately, if you don't get so caught up in memorizing the formulas and you just think it
08:20
through, you know, every time this happens, it cost me \$10,000. It happens four times a year. What's my annual loss? \$40,000. You don't have to get so tangled up in memorizing formula for that
Up Next