Risk Assessment
Video Activity

Video Transcription
For our second step of the risk management lifecycle, we're going to be looking at risk assessment. Risk assessment is all about figuring out a value for the risk. What do we stand to lose? Because I can't appropriately choose a mitigation strategy until I understand the value of the risk. In risk assessment, we can look at both qualitative and quantitative analysis. Both of them are concerned with getting a value. It's just that a qualitative analysis is more subjective in nature and a quantitative analysis is more fact-based, more objective. Big difference between identification and assessment: identification is where we determine what our risks are. Again, now we're focused on value.

Now, that value can come in two different flavors. Qualitative analysis: this is usually our starting point. You're doing qualitative analysis when you're using words like low, medium, high. How much of a chance is there it's going to rain this weekend? Well, there's a medium chance. That's a qualitative analysis. The thing about a qualitative analysis is it doesn't require research. It really is more based on gut feeling. It's based on experience, which is one of the reasons that it's so important that when we're seeking qualitative analysis we have experienced subject matter experts, because I can only tell you what I've seen based on my experience. It's subjective, based on what I've been exposed to. We want to make sure that we have a risk team that's cross-functional; a team that can address risk, that has seen hardware issues, software issues, environmental issues, business-related issues, value-related issues. We don't just want somebody with very narrow, limited exposure, because the more balanced our risk team is, the better our analysis will be. The qualitative analysis job is to help me prioritize risk based on probability and impact, but again at a very subjective level. This is a quick way to prioritize these risks to determine where my focus will go first.

One of the ways that we conduct a qualitative analysis with our subject matter experts is we may use something called the Delphi technique. The Delphi technique means we're going to allow them to input data anonymously. Just associate anonymous input with the Delphi technique. If I hand out surveys, I'm more likely to get honest feedback if people don't have to attach their name to the survey. That's the Delphi technique.

Now, once we've prioritized our risks, now we want to think about getting a dollar value for the risk. Now, you can always get a dollar value for all risks. Quite honestly, quantitative assessment isn't always dollar value, but most of the time it is. Tell me in dollars what I'm going to lose on this risk, because only then can I tell you in dollars how much money I want to spend to mitigate the risk. The whole purpose of this risk assessment is to determine what my risk result, or rather my risk response, should be. With quantitative, this is going to be based on empirical data. You have to do your research. I need to know not that it's probably going to rain this weekend, but I need to know, based on historical evidence, this week for the past 10 years it's rained 80 percent of the time. Tell me about the barometric pressure. Tell me about all those details that really can give me a more detailed perspective and a greater understanding based on, again, probability and impact. It takes longer to get quantitative information, but it's easier to use that quantitative analysis in a business environment.

Now, with qualitative assessments, a lot of times we use what we see here, called the heat map. This is a probability and impact matrix with the idea of, let's give our qualitative terms a numeric value. We'll just say, on a scale of 1-5, how likely is this event to happen and what's the impact? Probability and impact. You could tie that to likelihood and severity as well. What we can see in this is that those issues that are in red, those are going to be those risk items that we have to have an active risk response for. We've got to mitigate; the loss potential's too high. Now, in the green areas, we might be more willing to accept those risks because they're lower. Now, this is going to be unique to your organization, how you prioritize risks, but then if I look at a risk and say a denial of service attack has a high likelihood, so that's at four, and it would have a very high impact, that gives me a risk score of 20. That might go in my risk register as well, because that risk score could then be used to help me figure out how to prioritize.

Now, with quantitative analysis, there's a lot more experience required because, like I said, we need the facts. I want historical information. Maybe I want results from the incident response team and perhaps lessons learned and other documentation. I want to consult insurance companies, perhaps. I'm really going out and I'm doing my due diligence so that I can base decisions on fact, because what I ultimately want to do is to be able to justify a particular risk response.

Now, there are some formulas associated with quantitative analysis. Word on the street is, they're not asking you to use these formulas. You're not going to have to memorize that asset value times exposure factor equals single loss expectancy, whatever, but what you will need to know is what each of these mean. You don't even have to memorize EF means exposure factor, but you do need to know what it means. For instance, asset value is where we always start. What's the asset worth? Exposure factor: what's the impact if this risk event materializes? How much of the asset am I going to lose? Now, if I have a $300,000 asset and I lose 50 percent of it, well, then that's a $150,000 loss. That's the single loss expectancy. How much am I going to lose every time this risk event materializes? Now, I may have a very large or very small single loss expectancy, but really, to put it in context, I need to think about it: how often does this loss happen? That's where annual rate of occurrence comes in; that's the probability. How often per year does this threat materialize? If I have a single loss expectancy of $150,000 but that only happens once every 1,000 years, that's not a huge impact, but if I'm going to lose $150,000 three times a year, three times being the annual rate of occurrence, well, that's almost a half-million-dollar loss. That certainly would be a concern. Single loss expectancy and annual rate of occurrence give me the annual loss expectancy, the ALE. That tells me how much each year I expect to lose.

Now, when we're determining control, we're going to look at that annual loss expectancy and the annual cost of the control and figure out, can we get a control, a solution, that gives us a positive return on investment? If I was losing $450,000 a year and I implement this control and I'm only losing $100,000 per year, well, depending on the cost of the control, that sounds pretty cost-effective. We want a good return on investment. What I spend needs to be less than the value I receive. Also, don't forget, when you're looking at controls, you have to consider the total cost of owning a control. I may buy an anti-malware package, but I have to make sure as well that I consider as part of the cost updates and yearly fees, subscription fees, that sort of thing, because often controls don't just come with a one-time cost. Then, again, that'll play into the return on investment as well.

Now, this shows the quick shot. You can do a screen grab of this for technically how we go about determining the value of control or the return on investment, but I don't want you worrying about that for the exam. You will not need to plug in these figures. But again, it's just good information to have. With your steps, start with asset value. Look at potential for loss, being probability and impact. Exposure factor is impact. Figure out what you're going to lose each time this event happens. Figure out the ARO, which is how many times a year it'll happen. Get your ALE, annualized loss expectancy. Again, one last time, that will drive your choice of countermeasure. How much money I'm going to lose is going to dictate how much money I'll spend to mitigate the risks.

In this section, we looked at the importance of assessment of risks, getting a value for our risks. We looked at both qualitative and quantitative analysis. Then I also showed you some of the formulas. I wouldn't worry about the formulas, but I would certainly be concerned and make sure I know the quantitative terms.
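The formulas the lecture walks through, worked as an added Python example (this is not code from the course): SLE from asset value and exposure factor, ALE from SLE and ARO, and the value of a control as loss avoided minus its total annual cost of ownership. The asset value, exposure factor, ARO and the $100,000 residual loss are the lecture's figures; the control's purchase price, useful life and subscription fees are constructed assumptions.

```python
"""Quantitative risk assessment helpers (added example, not the course's own code).
SLE = AV * EF, ALE = SLE * ARO, and a control's value = (ALE before - ALE after)
minus its annual cost, taken as total cost of ownership (purchase spread over its
useful life plus recurring fees). Dollar figures are the lecture's; the control's
costs are constructed for illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss per occurrence. EF is the fraction of the asset lost, 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year. ARO may be fractional (once per 1,000 years = 0.001)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class ControlCost:
    """Annual total cost of owning a control, not just its sticker price (constructed)."""
    purchase_price: float       # one-time cost
    useful_life_years: int      # years the purchase is spread over
    annual_subscription: float  # updates, yearly fees, support

    def annual_cost(self) -> float:
        return self.purchase_price / self.useful_life_years + self.annual_subscription


def control_value(ale_before: float, ale_after: float, cost: ControlCost) -> float:
    """Return on a control: loss avoided per year minus its annual cost.
    Positive means it pays for itself; negative means we spend more than we save."""
    return (ale_before - ale_after) - cost.annual_cost()


def lecture_example() -> dict:
    """Run the lecture's numbers through the formulas."""
    sle = single_loss_expectancy(300_000, 0.50)          # $150,000 per event
    ale = annualized_loss_expectancy(sle, 3)              # three events a year: $450,000
    rare_ale = annualized_loss_expectancy(sle, 1 / 1000)  # once every 1,000 years: $150
    # Constructed control: $60,000 package over 3 years plus $20,000/year fees; the
    # $100,000 residual annual loss after the control is the lecture's figure
    control = ControlCost(60_000, 3, 20_000)
    return {"sle": sle, "ale": ale, "rare_ale": rare_ale,
            "control_value": control_value(ale, 100_000, control)}
```

With those inputs the control avoids $350,000 of loss a year against $40,000 of annual cost, so `lecture_example()["control_value"]` is 310000.0; a control whose annual cost exceeds the loss it prevents comes out negative.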