Risk Assessment and Analysis

Course: 8 hours 25 minutes, Advanced, 9 CEU/CPE
Video Transcription
>> For our second step of the risk management life cycle, we're going to be looking at risk assessment. Risk assessment is all about figuring out a value for the risk. What do we stand to lose? Because I can't appropriately choose a mitigation strategy until I understand the value of the risk. In risk assessment, we can look at both qualitative and quantitative analysis. Both of them are concerned with getting a value. It's just that a qualitative analysis is more subjective in nature and a quantitative analysis is more fact-based, more objective. Again, now we're focused on value. Now that value can come in two different flavors. Qualitative analysis: this is usually our starting point, and you're doing qualitative analysis when you're using words like low, medium, high.
How much of a chance is there it's going to rain this weekend? There's a medium chance. That's a qualitative analysis. The thing about a qualitative analysis is it doesn't require research. It really is more based on gut feeling. It's based on experience, which is one of the reasons that it's so important that when we're seeking qualitative analysis, we have experienced subject matter experts, because I can only tell you what I've seen based on my experience. It's subjective, based on what I've been exposed to. We want to make sure that we have a risk team that's cross-functional, a team that can address risks, that has seen hardware issues, software issues, environmental issues, business-related issues, value-related issues. We don't just want somebody with very narrow, limited exposure, because the more balanced our risk team is, the better our analysis will be. The qualitative analysis job is to help me prioritize risk based on probability and impact, but again, at a very subjective level. This is a quick way to prioritize these risks to determine where my focus will go first.
One of the ways that we conduct a qualitative analysis with our subject matter experts is we may use something called the Delphi technique. The Delphi technique means we're going to allow them to input data anonymously; just associate anonymous input with the Delphi technique. If I hand out surveys, I'm more likely to get honest feedback if people don't have to attach their name to the survey. That's the Delphi technique.
Now, once we've prioritized our risks, now we want to think about getting a dollar value for the risk. Now you can't always get a dollar value for all risks, and quite honestly, quantitative assessment isn't always dollar value. But most of the time it is. Tell me in dollars what I'm going to lose based on this risk. Because only then can I tell you in dollars how much money I want to spend to mitigate the risk. The whole purpose of this risk assessment is to determine what my risk results should be, or rather, what my risk response should be. With quantitative, this is going to be based on empirical data. You have to do your research. I need to know not that it's probably going to rain this weekend, but I need to know, based on historical evidence, this week for the past 10 years it's rained 80 percent of the time. Tell me about the barometric pressure. Tell me about all those details that really can give me a more detailed perspective and a greater understanding based on, again, probability and impact. It takes longer to get quantitative information, but it's easier to use that quantitative analysis in a business environment.
Now, with qualitative assessments, a lot of times we use what we see here, called the heatmap. This is a probability and impact matrix with the idea of, let's give our qualitative terms a numeric value. We'll just say, on a scale of 1-5, how likely is this event to happen and what's the impact? Probability and impact. You could tie that to likelihood and severity as well. What we can see in this is that those issues that are in red, those are going to be those risk items that we have to have an active risk response for. We've got to mitigate; the loss potential is too high. Now in the green areas, we might be more willing to accept those risks because they're lower. Now, this is going to be unique to your organization, how you prioritize risk, but then if I look at a risk and say, a denial of service attack has a high likelihood, so that's at four, and it would have a very high impact, so that gives me a risk score of 20. That might go into my risk register as well, because that risk score could then be used to help me figure out how to prioritize.
With quantitative analysis, there's a lot more experience required because, like I said, we need the facts. I want historical information, maybe I want results from the incident response team, and perhaps lessons learned and other documentation. I want to consult insurance companies perhaps. I'm really going out and I'm doing my due diligence so that I can base decisions on fact. Because what I ultimately want to do is to be able to justify a particular risk response. Now there are some formulas associated with quantitative analysis. Word on the street is they're not asking you to use these formulas, so you're not going to have to memorize that asset value times exposure factor equals single loss expectancy, whatever. But what you will need to know is what each of these means. You don't even have to memorize that EF means exposure factor, but you do need to know what it means.
For instance, with asset value, it's where we always start. What's the asset worth? Exposure factor: what's the impact if this risk event materializes? How much of the asset am I going to lose? Now if I have a $300,000 asset and I lose 50 percent of it, well then that's a $150,000 loss. That's the single loss expectancy: how much am I going to lose every time this risk event materializes? Now, I may have very large or very small single loss expectancies, but really to put it in context, I need to think about how often this loss happens. That's where annual rate of occurrence comes in; that's the probability. How often per year does this threat materialize? If I have a single loss expectancy of $150,000, but that only happens once every 1,000 years, that's not a huge impact. But if I'm going to lose $150,000 three times in the annual rate of occurrence, well, that's almost a $0.5 million loss. That certainly would be a concern. Single loss expectancy and annual rate of occurrence give me the annual loss expectancy, the ALE. That tells me how much each year I expect to lose.
Now when we're determining controls, we're going to look at that annual loss expectancy and the annual cost of the control and figure out, can we get a control, a solution, that gives us a positive return on investment? If I was losing $450,000 a year, and I implement this control and I'm only losing $100,000 per year, well, depending on the cost of the control, that sounds pretty cost-effective. We want a good return on investment. What I spend needs to be less than the value I receive. Also, don't forget when you're looking at controls, you have to consider the total cost of owning a control. I may buy an anti-malware package, but I have to make sure as well that I consider as part of the cost updates and yearly fees, subscription fees, that kind of thing. Because often controls don't just come with a one-time cost, and then again, that will play into the return on investment as well.
Now this is just a quick shot. You can do a screen grab of this for technically how we go about determining the value of a control or the return on investment. But I don't want you worrying about that for the exam; you will not need to plug in these figures. But again, it's just good information to have. With your steps, start with asset value, look at potential for loss, being probability and impact. Exposure factor is impact. Figure out what you're going to lose each time this event happens. Figure out the ARO, which is how many times a year it'll happen. Get your ALE, annual loss expectancy, and again, one last time, that will drive your choice of countermeasure. How much money I'm going to lose is going to dictate how much money I'll spend to mediate the risks.
In this section, we looked at the importance of assessment of risks, getting a value for our risks. We looked at both qualitative and quantitative analysis, and then I also showed you some of the formulas. I wouldn't worry about the formulas, but I would certainly be concerned and make sure I know the quantitative terms.
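The heat-map score (likelihood times impact on the 1-5 scale) and the quantitative chain from asset value through exposure factor, SLE and ARO to ALE and the control's return on investment, worked through as an added Python example; this is not code from the course or the lecture. The lecture's own figures are used for the $300,000 asset, the 50 percent exposure factor, the ARO of 3 and the denial of service risk at likelihood 4, impact 5. The heat-map colour thresholds and the control's purchase and subscription costs are constructed assumptions.

```python
"""Worked risk-assessment calculations: qualitative heat-map scoring and the
quantitative AV/EF/SLE/ARO/ALE chain, plus a control cost-benefit check.
Added example; the control costs and the heat-map colour thresholds are
constructed assumptions, not figures from the lecture."""
from dataclasses import dataclass


def risk_score(likelihood: int, impact: int) -> int:
    """Heat-map score on the 1-5 x 1-5 probability/impact matrix."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be on the 1-5 scale, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a score to a heat-map colour. The thresholds are an assumption;
    the lecture says the bands are unique to each organization."""
    if score >= 15:
        return "red"      # active risk response required
    if score >= 8:
        return "yellow"
    return "green"        # candidate for acceptance


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (once per 1,000 years = 0.001)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class ControlCost:
    """Total cost of owning a control, expressed per year."""
    purchase: float               # one-time cost
    years_amortised: int = 1      # spread the one-time cost over this many years
    annual_fees: float = 0.0      # updates, subscriptions, support

    def annual_total(self) -> float:
        return self.purchase / self.years_amortised + self.annual_fees


def control_value(ale_before: float, ale_after: float, cost: ControlCost) -> float:
    """Net annual benefit of the control: loss avoided minus what it costs.
    Positive means the control gives a positive return on investment."""
    return (ale_before - ale_after) - cost.annual_total()


def dos_example() -> dict:
    """Lecture figures: DoS at likelihood 4, impact 5; a $300,000 asset with
    50% exposure, three events a year. The control figures are constructed."""
    score = risk_score(4, 5)
    sle = single_loss_expectancy(300_000, 0.5)
    ale = annual_loss_expectancy(sle, 3)
    rare_ale = annual_loss_expectancy(sle, 1 / 1000)   # once every 1,000 years
    # Constructed control: $60,000 appliance amortised over 3 years plus
    # $30,000/year in fees, assumed to bring the residual ALE to $100,000.
    control = ControlCost(purchase=60_000, years_amortised=3, annual_fees=30_000)
    return {
        "score": score,
        "band": risk_band(score),
        "sle": sle,
        "ale": ale,
        "rare_ale": rare_ale,
        "control_tco": control.annual_total(),
        "control_value": control_value(ale, 100_000, control),
    }


if __name__ == "__main__":
    for key, value in dos_example().items():
        print(f"{key:>14}: {value}")
```

The point of `rare_ale` is the lecture's caveat: the same $150,000 SLE at one event per 1,000 years yields an ALE of $150, so SLE alone says little until the ARO is known. The control check subtracts the full annual cost of ownership, not just the purchase price, which is why `ControlCost` carries the recurring fees separately.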