Risk Management Lifecycle: Risk Assessment
Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
For our second step of the Risk Management Lifecycle, we're going to be looking at risk assessment. Risk assessment is all about figuring out a value for the risk. What do we stand to lose? Because I can't appropriately choose a mitigation strategy until I understand the value of the risk. In risk assessment, we can look at both qualitative and quantitative analysis. Both of them are concerned with getting a value. It's just that a qualitative analysis is more subjective in nature and a quantitative analysis is more fact-based, more objective. Big difference between identification and assessment: identification is where we determine what our risks are. Again, now, we're focused on value.

Now that value can come in two different flavors. Qualitative analysis: this is usually our starting point, and you're doing qualitative analysis when you're using words like low, medium, high. How much of a chance is there it's going to rain this weekend? There's a medium chance. That's a qualitative analysis. The thing about a qualitative analysis is it doesn't require research. It really is more based on gut feeling. It's based on experience, which is one of the reasons that it's so important that when we're seeking qualitative analysis, we have experienced subject matter experts, because I can only tell you what I've seen based on my experience. It's subjective, based on what I've been exposed to. We want to make sure that we have a risk team that's cross-functional. A team that can address risks, that has seen hardware issues, software issues, environmental issues, business-related issues, value-related issues. We don't just want somebody with very narrow, limited exposure, because the more balanced our risk team is, the better our analysis will be.

The qualitative analysis job is to help me prioritize risk based on probability and impact at a very subjective level. This is a quick way to prioritize these risks to determine where my focus will go first. One of the ways that we conduct a qualitative analysis with our subject matter experts is we may use something called the Delphi technique. The Delphi technique means we're going to allow them to input data anonymously; just associate anonymous input with the Delphi technique. If I hand out surveys, I'm more likely to get honest feedback if people don't have to attach their name to the survey. That's the Delphi technique.

Now once we've prioritized our risks, we want to think about getting a dollar value for the risk. Now, you can't always get a dollar value for all risks, and quite honestly, quantitative assessment isn't always dollar value, but most of the time it is. Tell me in dollars what I'm going to lose based on this risk, because only then can I tell you in dollars how much money I want to spend to mitigate the risk. The whole purpose of this risk assessment is to determine what my risk results, or risk response rather, should be. With quantitative, this is going to be based on empirical data. You have to do your research. I need to know not that it's probably going to rain this weekend, but I need to know, based on historical evidence, this week for the past 10 years it's rained 80 percent of the time; tell me about the barometric pressure, tell me about all those details that really can give me a more detailed perspective and a greater understanding based on, again, probability and impact. It takes longer to get quantitative information, but it's easier to use that quantitative analysis in a business environment.

With qualitative assessments, a lot of times we use what we see here, which is called the heat map. This is a probability and impact matrix, with the idea of let's give our qualitative terms a numeric value. We'll just say, on a scale of 1-5, how likely is this event to happen and what's the impact. Probability and impact. You could tie that to likelihood and severity as well. What we can see on this is that those issues that are in red, those are going to be those risk items that we have to have an active risk response for. We've got to mitigate; the loss potential's too high. Now in the green areas, we might be more willing to accept those risks because they're lower. Now, this is going to be unique to your organization, how you prioritize risk. If I look at a risk and say a denial of service attack has a high likelihood, that's at four. It would have a very high impact. That gives me a risk score of 20. That might go in my risk register as well, because that risk score could then be used to help me figure out how to prioritize.

Now with quantitative analysis, there's a lot more experience required because, like I said, we need the facts. I want historical information. Maybe I want results from the incident response team, and perhaps lessons learned and other documentation. I want to consult insurance companies, perhaps. I'm really going out and I'm doing my due diligence so that I can base decisions on fact. What I ultimately want to do is to be able to justify a particular risk response.

Now there are some formulas associated with quantitative analysis. Word on the street is, they're not asking you to use these formulas, so you're not going to have to memorize that asset value times exposure factor equals single loss expectancy, whatever. What you will need to know is what each of these mean. Now, (ISC)² has stopped using acronyms alone on the exam. That is a happy thing. You don't even have to memorize that EF means exposure factor, but you do need to know what it means. For instance, with asset value, it's where we always start. What's the asset worth? Exposure factor: what's the impact if this risk event materializes? How much of the asset am I going to lose? Now, if I have a $300,000 asset and I lose 50 percent of it, then that's a $150,000 loss. That's the single loss expectancy. How much am I going to lose every time this risk event materializes? Now, I may have a very large or very small single loss expectancy, but really, to put it in context, I need to think about how often does this loss happen? That's where annual rate of occurrence comes in; that's the probability. How often per year does this threat materialize? If I have a single loss expectancy of $150,000, but that only happens once every 1,000 years, that's not a huge impact. But if I'm going to lose $150,000 three times a year, three times being the annual rate of occurrence, that's almost a half million dollar loss. That certainly would be a concern. Single loss expectancy and annual rate of occurrence give me the annual loss expectancy, the ALE. That tells me how much each year I expect to lose.

Now when we're determining control, we're going to look at that annual loss expectancy and the annual cost of the control and figure out, can we get a control, a solution, that gives us a positive return on investment? If I was losing $450,000 a year, and I implement this control and I'm only losing $100,000 for a year, depending on the cost of control, that sounds pretty cost effective. We want a good return on investment. What I spend needs to be less than what value I receive. Don't forget, when you're looking at controls, you have to consider the total cost of owning a control. I may buy an anti-malware package, but I have to make sure as well that I consider as part of the cost updates and yearly fees, subscription fees, that kind of thing, because often controls don't just come with a one-time cost. That will play into the return on investment as well. Now this is just a quick shot. You can do a screen grab of this for technically how we go about determining the value of a control or the return on investment, but I don't want you worrying about that for the exam; you will not need to plug in these figures. It's just good information to have.

With your steps, start with asset value. Look at potential for loss, being probability and impact. Exposure factor is impact. Figure out what you're going to lose each time this event happens. Figure out the ARO, which is how many times a year it'll happen. Get your ALE, annual loss expectancy, and again, one last time, that will drive your choice of countermeasure. How much money I'm going to lose is going to dictate how much money I'll spend to mitigate the risk.

This section, we looked at the importance of assessment of risks, getting a value for our risk. We looked at both qualitative and quantitative analysis. Then I also showed you some of the formulas. I wouldn't worry about the formulas, but I would certainly be concerned and make sure I know the quantitative terms.
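As an added worked example (not part of the course transcript), the arithmetic the instructor walks through, in Python: the heat-map score for the denial of service example, SLE from asset value and exposure factor, ALE from SLE and ARO, and the value of a control. The $300,000 asset, 50 percent exposure factor, ARO of 3 and $100,000 residual loss are the transcript's figures; the $120,000 annual control cost and the green/amber/red thresholds are constructed assumptions.

```python
"""Risk-assessment arithmetic from the transcript: heat-map score, SLE, ARO, ALE
and the value of a control. Added example, not course material. Figures are the
transcript's own except the $120,000 annual control cost, which is a constructed
assumption (the transcript says "depending on the cost of control")."""

RISK_SCALE = range(1, 6)  # the 1-5 scale used on the heat map


def qualitative_score(probability: int, impact: int) -> int:
    """Heat-map score: probability x impact, each rated 1-5."""
    if probability not in RISK_SCALE or impact not in RISK_SCALE:
        raise ValueError("probability and impact must be between 1 and 5")
    return probability * impact


def heat_map_band(score: int, accept_below: int = 6, mitigate_from: int = 15) -> str:
    """Band a score as green/amber/red. Thresholds are constructed assumptions;
    the transcript stresses that prioritisation is unique to each organisation."""
    if score >= mitigate_from:
        return "red"    # active risk response required
    if score < accept_below:
        return "green"  # candidate for acceptance
    return "amber"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is events per year and may be fractional (1/1000)."""
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Loss avoided per year minus the control's total annual cost (licence,
    updates, subscriptions). Positive means the control pays for itself."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    score = qualitative_score(4, 5)                         # 20 -> "red"
    print("DoS heat-map score:", score, heat_map_band(score))
    sle = single_loss_expectancy(300_000, 0.50)             # 150000.0
    print("ALE at once per 1,000 years:", annual_loss_expectancy(sle, 1 / 1000))  # 150.0
    ale = annual_loss_expectancy(sle, 3)                    # 450000.0
    print("Control value:", control_value(ale, 100_000, 120_000))  # 230000.0
```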