Risk Assessment Tools and Techniques

Course difficulty: Intermediate
Video Transcription
>> Let us talk about some assessment tools and techniques. We've talked about the fact that we need to identify our risks, and we do that by looking at assets, threats, and vulnerabilities. Once we know what our risks are, then the assessment piece, as we've been talking about, requires us to then analyze, which basically uses qualitative and/or quantitative analysis to determine a risk value. But let's talk about some of the tools that we can use that will help us along our way.

A couple of different diagram types or facilitation techniques that we're going to look at. I'm going to just go ahead and jump right into them, but you can see we've got a bowtie, decision tree, cause and effect. I do want to stress the importance of a business impact analysis; we'll do it when we get there. And then a SWOT and BCG analysis, all kinds of tools we can use.

Let's start off with the bowtie analysis. You can see why this is called a bowtie. We've got five categories, and right in the middle is the risk or the hazard, so we're going to call it the risk. In this case, we're worried about the potential for data corruption. Now, data corruption can come from a lot of different directions, a lot of different causes, so they've just listed three. The possibilities are a malicious insider, accidental compromise, malicious external user, and there would be others: unreliable links, interference, packets dropped en route. There are all sorts of potential causes, but let's look at these three. We've got our data corruption in the middle and we spin off of that to give us the bowtie look, but you'll notice that the lines connecting data corruption to their causes, under the category of control measures, that's where we document some mitigating strategies. Notice the mitigation is proactive on this side. We have reactive on the right side and then the consequences. Consequences are impact; the consequences equal impact. This is great to use when you're conducting your risk meetings, your brainstorming, you're looking for risk scenarios to play out, maybe you're not thinking of the causes, or the consequences, or the various measures. This is a great way to bring your team together and look at risks and then brainstorm off of this, and that's really what a lot of these tools are going to be used for.

Decision tree analysis for expected monetary value of risk. We've already talked about this idea of expected monetary value, and we talked about it back in the quantitative analysis piece. This is using a decision tree so that we can get the EMV. Now I want to remind you that expected monetary value, EMV, is a risk value. When I say I have an EMV of $51,500, that's the risk associated with activity or with endeavor A. B's expected monetary value is 26,000. C's expected monetary value is actually saving money; it looks like going with a description or opportunity C is going to save me $600. We take the expected monetary value and we look at that in relation to the costs of the contract. If you look at contract A, it looks like contract A is only going to cost us $100,000. That's great, I'm going with contract A, it's cheaper than the others. Not so fast, we have to look at the value of risk associated. If I add the EMV to the cost already associated with doing business with vendor A, now I've got $151,500 that I'm likely to be paying them. I'm not going into this because we did talk about it with qualitative and quantitative analysis; what this decision tree does is it takes probability times impact of certain types of risks. If we look up at vendor A, there's a 70 percent chance that a negative event is going to happen costing $56,000. There's a 30 percent chance something good is going to happen where we save this 15,000. I'm just helping you interpret what's going on in this chart. This really shouldn't be something that you spend a ton of time on; it just wants you to understand what we're looking at. We're looking at the cost of the contract and then the risks associated with that particular vendor. If you look at the expected monetary value of all the risks, we're actually going to do better doing business with vendor C, because vendor C, even though they bid highest for the contract, their risk is negative, meaning that we have an opportunity to gain some money; just 600 bucks, but the other two are going to have contracts over $150,000 by the time we factor in risk. Seeing this is a great graphic to help us visualize and help us look at the choices we have in relation to risk.

Another tool that's really good with brainstorming, with facilitation of discussions, is the cause-and-effect diagram. It's also called a fishbone, and you can see why: in the fishbone we see the backbone running through, and it can also be called an Ishikawa diagram. You could hear it called any of those. I'll tell you the truth, in my head I call it a fisherkawa. That way I can remember that the Ishikawa is the fishbone, and then if I picture the fishbone it makes sense that it's cause and effect. This is a great tool to get to the root cause of the problem. It's very easy to say, "Hey, we've got the threat of defects in our application," okay, fair enough, "But let's go a little deeper." What's going to cause those defects? User error. Sure. The user not knowing how to use the software, or the user having misconceptions or perceptions that are inaccurate. In our group we look at each defect, we talk about some root causes, and then we go even deeper. It's easy to say user error. Well, what types of user error? This is good to get to the root of the problem. As a matter of fact, they always associate this with root cause analysis.

Now the SWOT. Strengths, weaknesses, opportunities, and threats. This is excellent to use at the beginning of projects when we're trying to do some high-level risk management, and ultimately what we're trying to do is just figure out, is this a good project for us? Can we be successful? I don't know. Let's sit down, let's put pen to paper, and let's figure out what our strengths are as an organization. Here's what we do well. We have a highly skilled technical team, we have deep resources, we have certified processes in place; those are our strengths, but now what are our weaknesses? Well, even though we're skilled in most technical realms, maybe we don't have a huge depth of experience in software development. What are the opportunities? Sometimes you'll hear people define opportunities as positive risks. I don't want you to think of that for this class, because in this class risks are always going to be negative, but in a lot of project management areas risks can be positive or negative. If we're trying to estimate costs associated with the project, we just can't look at all the bad things that could happen, because then our estimates are going to be skewed. We also want to consider opportunities. Opportunities: how would this project help us? Maybe it will help us increase our market share, it will enable business processes, and then of course the threats, what could go wrong. The idea is for risk analysis, for determination of what projects I'm going to take on, where I'm going to direct my money, my time, my efforts, a SWOT analysis is a great tool.

The SWOT analysis goes with the BCG matrix, which came to us from Boston Consulting Group, and ultimately what this does is this allows us to look at our portfolio and look at the endeavors, the projects, the programs we've invested in, and to try to get a sense of how to move forward. There are some projects that we're going to drop, there are some that we're going to let sit on hold, there are some that we're going to invest a lot more money on. You don't need to memorize this for the exam, but you can see that if we look at this we're looking at it based on risk. What's their growth rate in the market? Do we have a market share, a high market share, in relation to this particular project, process, whatever it is that we own, in relation to this chart. You don't need to memorize star, question mark, cash cow, or dog. I love those terms. I do dislike the fact that the dog is a negative place to be in your portfolio. That poor sad dog just looks so unhappy, but man, the cash cow over here on the left, that cow is rolling in money. That's as happy a cow as you're going to see, but ultimately what they help you do is look, how do we categorize our projects and programs in relation to these four categories? That will help us figure out how to move forward.
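The probability-times-impact arithmetic behind the decision tree, as an added Python illustration that is not part of the lecture or its chart. The vendor names, bids and branch figures are constructed, chosen so that, as in the lecture, the highest bid still comes out cheapest once the EMV of its risks is added.

```python
"""Risk-adjusted vendor comparison with decision-tree EMV (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Branch:
    probability: float  # chance this outcome occurs, in [0, 1]
    impact: float       # dollars; positive = cost to us, negative = saving (opportunity)


def expected_monetary_value(branches: List[Branch]) -> float:
    """EMV = sum(probability * impact) over every outcome branch of one chance node.

    The branches must be exhaustive, so their probabilities have to sum to 1;
    a mismatch usually means an outcome was forgotten in the workshop.
    """
    for b in branches:
        if not 0.0 <= b.probability <= 1.0:
            raise ValueError(f"probability {b.probability} is outside [0, 1]")
    total_p = sum(b.probability for b in branches)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p:.3f}, expected 1.0")
    return sum(b.probability * b.impact for b in branches)


def risk_adjusted_cost(contract_cost: float, branches: List[Branch]) -> float:
    """Bid price plus the EMV of the risks tied to that vendor."""
    return contract_cost + expected_monetary_value(branches)


def rank_vendors(vendors: Dict[str, Tuple[float, List[Branch]]]) -> List[Tuple[str, float, float, float]]:
    """Return (name, bid, emv, risk_adjusted_cost) rows, cheapest risk-adjusted first."""
    rows = [(name, bid, expected_monetary_value(br), risk_adjusted_cost(bid, br))
            for name, (bid, br) in vendors.items()]
    return sorted(rows, key=lambda r: r[3])


# Constructed figures (hypothetical vendors, not the lecture's chart).
VENDORS: Dict[str, Tuple[float, List[Branch]]] = {
    "A": (100_000, [Branch(0.6, 80_000), Branch(0.4, -5_000)]),   # lowest bid, riskiest
    "B": (120_000, [Branch(0.5, 50_000), Branch(0.5, 0)]),
    "C": (140_000, [Branch(0.2, 10_000), Branch(0.8, -3_000)]),   # highest bid, negative EMV
}

if __name__ == "__main__":
    for name, bid, emv, total in rank_vendors(VENDORS):
        print(f"vendor {name}: bid ${bid:>9,.0f}  EMV ${emv:>9,.0f}  risk-adjusted ${total:>9,.0f}")
```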