Time
10 hours 28 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson focuses on risk management, which is an umbrella term to describe anything that's being done in relation to risk. This lesson discusses:

  • Risk assessment
  • Risk analysis: qualitative and quantitative
  • Risk mitigation: reduce, accept, transfer

The most important part of risk management is identifying the risk and how to mitigate that risk using qualitative and quantitative analysis methods. It is important to keep a paper trail documenting the decision made when handling a risk to show responsibility and caution. Business continuity and disaster recovery planning are the safety net under risk management; these are in place for events that are low probability but high impact (e.g., a flood wiping out resources in a building). These allow for a smooth transition so a business can keep moving forward.
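As an added worked example (it is not part of the lesson or its materials), the Python below carries a small risk register through the three steps the description lists: assessment (what is the asset worth, data and fines included, not just hardware), analysis (a qualitative rating in words next to a quantitative expected-loss figure), and response (reduce, transfer, avoid, or accept), writing down the numbers behind each decision so a paper trail exists. The picnic ($10,000, 80% chance of rain, $1,000 to move indoors) and the laptop ($500 hardware, $10,000 fine exposure, the "$600 to protect a $500 asset" mistake) use the lesson's figures; every other asset value, probability and control cost is a constructed assumption, as are the `Risk` fields and the decision rules.

```python
"""Constructed worked example (not part of the lesson): a small risk register
carried through assessment, qualitative + quantitative analysis, and response
selection, with a recorded rationale for each decision (the paper trail).
Lesson figures reused: $10,000 picnic, 80% rain, $1,000 indoor option; $500 laptop
whose data exposes a $10,000 fine. Every other number below is an assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float                        # hardware plus data, fines, reputation
    probability: float                        # 0..1 chance the event occurs in the period
    impact_fraction: float = 1.0              # share of asset_value lost if it occurs
    mitigation_cost: Optional[float] = None   # cheapest known control, if any
    transferable: bool = False                # insurance, SLA or contract clause available
    optional_activity: bool = False           # the business could simply not do this

    def expected_loss(self) -> float:
        """Quantitative analysis: asset value x impact x likelihood, in dollars."""
        return self.asset_value * self.impact_fraction * self.probability


def qualitative_rating(risk: Risk) -> str:
    """Qualitative analysis: words ('high chance', 'low impact') instead of dollars."""
    bands = [(0.5, "high"), (0.1, "medium"), (0.0, "low")]
    likelihood = next(word for threshold, word in bands if risk.probability >= threshold)
    impact = next(word for threshold, word in bands if risk.impact_fraction >= threshold)
    return f"{likelihood} likelihood / {impact} impact"


def decide(risk: Risk) -> dict:
    """Pick a response and record the justification (due diligence, not rejection)."""
    loss = risk.expected_loss()
    cost = risk.mitigation_cost
    if cost is not None and cost < loss:
        response = "reduce"
        reason = f"control ${cost:,.0f} is cheaper than expected loss ${loss:,.0f}"
    elif risk.transferable:
        response = "transfer"
        reason = f"no cost-justified control; share expected loss ${loss:,.0f} via insurance/SLA"
    elif risk.optional_activity:
        response = "avoid"
        reason = f"no affordable control or transfer; drop the activity (loss ${loss:,.0f})"
    elif cost is None:
        response = "accept"
        reason = f"no control or transfer available; expected loss ${loss:,.0f} accepted with sign-off"
    else:
        response = "accept"
        reason = f"control ${cost:,.0f} exceeds expected loss ${loss:,.0f}; accepted with sign-off"
    return {"risk": risk.name, "qualitative": qualitative_rating(risk),
            "expected_loss": loss, "response": response, "rationale": reason}


def build_register() -> list:
    """Constructed sample register: lesson numbers where noted, assumptions elsewhere."""
    return [
        # lesson: $10,000 picnic, 80% rain, $1,000 to move it indoors (or cancel it)
        Risk("rain at December picnic", 10_000, 0.80, mitigation_cost=1_000, optional_activity=True),
        # lesson: $500 hardware + $10,000 fine; assumed 10%/yr loss rate, $600 control
        Risk("laptop lost, data + fine", 500 + 10_000, 0.10, mitigation_cost=600),
        # lesson: valuing only the hardware makes the $600 control look wrong
        Risk("laptop lost, hardware only", 500, 0.10, mitigation_cost=600),
        # assumed: fire is insurable, no affordable control beyond common sense
        Risk("building fire", 500_000, 0.01, transferable=True),
        # assumed: ~2 quakes in 15 years, low impact, reinforced building far too costly
        Risk("earthquake, Maryland", 500_000, 0.13, impact_fraction=0.05, mitigation_cost=2_000_000),
        # assumed: no affordable control, so the business can choose not to offer wireless
        Risk("wireless network compromise", 200_000, 0.30, impact_fraction=0.5, optional_activity=True),
    ]


def review(register: list) -> list:
    """Run every register entry through decide(); the result is the documented record."""
    return [decide(r) for r in register]


if __name__ == "__main__":
    for row in review(build_register()):
        print(f"{row['risk']:<30} {row['qualitative']:<28} "
              f"${row['expected_loss']:>9,.0f}  {row['response']:<8} {row['rationale']}")
```

The ordering of the rules mirrors the lesson: reduce when a control costs less than the expected loss, otherwise transfer if insurance or an SLA exists, avoid if the activity is optional, and accept only as a recorded decision with the figures attached. Note how the same $600 control is the right call for the laptop once the fine exposure is counted and the wrong call when only the hardware is valued.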

Video Transcription

00:04
what we're doing. We're gonna talk about risk management. Risk management's kind of an umbrella term, and it's an umbrella term in that essentially anything you're doing in relation to risk, if you're talking about risk, if you're planning to reduce risk, if you're figuring out how much the risk potential is,
00:21
that all falls under the category of risk management, that's all part of risk management.
00:26
But you could break risk management down into three separate categories: risk assessment, risk analysis, and risk mitigation.
00:35
So when we talk about risk assessment and that's always our first step,
00:39
you always start with identifying and evaluating your assets. First piece. What am I protecting and what are they worth to me? Risk management will always begin with that step, because if I don't know what I'm protecting, if I don't know what it's worth, I won't know how much to spend. I won't know what the appropriate solutions are.
00:58
The most important part of risk management
01:02
is identifying your assets and then figuring out what they're worth,
01:06
because it's not gonna make any sense. I used the example of talking about my laptop computer earlier: I could sell this computer today on Craigslist and get 500 bucks for it.
01:17
If I make the mistake and think that's the only value of the computer,
01:21
then I'm not gonna spend $600 to protect a $500 asset. That doesn't make sense.
01:26
But the real value of that laptop, again, comes from
01:30
what's on it. What's the data? How long did it take me to create? What's it worth? What's its sensitivity? Is there damage to my company if it gets compromised? Does it have value to my competitors? Am I subject to a HIPAA violation, a HIPAA fine, if that gets compromised? Well, if I have the potential to be fined $10,000
01:51
for access to data on this laptop
01:53
that laptop's all of a sudden worth more than just $500 to me,
01:57
right? If that data gets compromised, I've got a $10,000 fine. That sends the value of the asset skyrocketing. So if we don't make a proper identification of our assets, if we don't truly understand what we're protecting and how valuable they are, it will lead us to make poor decisions. Okay,
02:16
so you have to start with evaluating your assets,
02:20
and you have to remember that assets have more value than just the hardware that makes them up.
02:25
Okay,
02:27
Now, from there, we do risk analysis: give me a value for the risk. I'm having a company picnic in three weeks, okay? And if you think about it, what are some things that might harm that company picnic? When I ask a class full of students, usually the first answer I get is weather, whether it's gonna be a problem.
02:46
Well, currently it is November 12th. I believe that I'm doing this video.
02:51
So if I'm planning a company picnic in three weeks, that puts me about December 1st in the Maryland area. So I think weather is probably a pretty high value risk. Okay, I think I should really think about weather as being a problem for my picnic. That's qualitative analysis. When we use words like probably,
03:09
it's very likely
03:12
there's a high chance that... That's all qualitative analysis, and qualitative analysis is very valuable, because what it does is it helps me brainstorm potential threats, and it helps me assign a value based on the probability and the impact. Okay, so when I say
03:30
there's a high likelihood that weather is gonna be a problem,
03:32
and if we have bad weather, it's gonna ruin my picnic, I've just done qualitative analysis, and that's very valuable. That says, OK, I've got a certain amount of risks I can address; you'd better think of weather.
03:44
However, what qualitative analysis does not tell me is how much money to spend on mitigating that risk.
03:53
Do I spend $50? Do I spend $5000? What do I spend?
03:57
Well, there's nothing about qualitative analysis that gives you those tangible facts. Qualitative is subjective. It's gut feeling. It's the kind of thing that makes you grab for an umbrella in the morning when you leave the house.
04:09
But if you wanted to be more diligent, what you could do is you could go get a weather forecast and find out there's an 80% chance of rain. That's quantitative analysis. And with my picnic, if that's what I'm addressing, if that's the risk, I'm thinking about the possibility of weather. If I do research and I find out I've got $10,000
04:28
invested in this company picnic,
04:30
I go back and look at the last 10 years. In the last 10 years, every year, the first week of December, the temperature has been 40 degrees or less,
04:41
and 80% of the time there's also been rain the first week of December. Well, all of a sudden I'm looking at a $10,000 picnic.
04:49
There's an 80% chance of rain, which would ruin that $10,000 picnic. That's an $8000 loss.
04:58
So what that will drive me to do is maybe just avoid the risk altogether and not have a picnic the first week of December.
05:03
But it can also lead me to say, well, if there's an $8000 potential for loss, maybe I'll spend $1000 to move the picnic inside,
05:14
make it a company event rather than necessarily a picnic. And I know that's a little bit of a silly explanation, but that kind of gets you the understanding of what qualitative is versus quantitative.
05:25
So if you want to do qualitative analysis from a network perspective, think for just a minute about some of the things that are gonna harm your network, and I know many of you are network technicians, network engineers. You know, when you first think about protecting your network, where do you think of threats coming from?
05:45
What are things that are gonna make your network go down tomorrow if you don't put strategies in place?
05:50
You know, for me, I think about hardware failure. I think about user error. I think about malicious activity. I think about failure of links to my Internet service provider. I think about temperature in the server room. You know, I think about all of those things. And what I'm doing is qualitative analysis.
06:08
I'm brainstorming. I'm getting some ideas down on paper of things to consider.
06:13
How much money do I spend to mitigate those risks? That's where I go to quantitative.
06:18
Give me a dollar amount for my asset. Tell me the likelihood of the loss, and that gives me a dollar amount for quantitative. They're both about value. Qualitative is subjective; quantitative is objective.
06:33
Okay, fact based. So, sort of a conceptual idea:
06:39
Um, the asset value for quantitative analysis,
06:45
times,
06:46
threats,
06:47
times vulnerabilities
06:49
equals risk.
06:51
Now, this isn't something that you're gonna get a question on where you have to plug values in. But from a conceptual standpoint, where do we get our risk? What's the value of our asset? What are the things that can potentially harm that asset? What are its weaknesses? And if you examine all of those together,
07:10
you get the value for quantitative analysis. You get the value, the dollar amount ideally, or at least a numeric amount,
07:15
of the risk, whereas qualitative is much more subjective in nature.
07:21
After we've figured out the value of our risks, now we have to respond to our risks, and there are three main risk response strategies. They're reduce, accept, and transfer. So when we talk about risk rejection, I'm sorry, not risk protection, risk reduction: what we're looking to do is lessen either the probability
07:42
and/or the impact,
07:44
lessen the probability and/or the impact. I can't lessen the probability of rain, but if I move my picnic indoors, I've lessened the impact of it.
07:54
I can't, um, lessen
07:57
the possibility of an earthquake, but I can lessen the impact based on where I place my building and other mitigating strategies I put in place. I can lessen the probability of a virus attacking my network by putting antivirus software on my host machines.
08:13
So we're looking to reduce risk and sometimes risk reduction and mitigation will be used interchangeably. That's okay. You know, mitigate. I usually tend to say mitigate is more of a response, a general category of response. But that's fine.
08:30
Mitigation and reduction can be used interchangeably, and they may be on the test.
08:33
So we're looking to lessen the probability and or impact.
08:39
I'm gonna skip acceptance just for one minute. I want to talk about risk transference. When we talk about transferring risks, what we're looking to do is share in the loss with someone else. Insurance is the best example of risk transference. I can't lessen the possibility of a fire. Well, you know what I mean, I can, I can:
08:58
I can not store gasoline by the fireplace, and I can do some common-sense things.
09:03
Ah, but ultimately, even by following these common-sense things, there's still the potential for fire. So what do I do? I have fire insurance, and
09:15
the fire will happen. Or it won't.
09:16
My house will be damaged or it won't. But I won't be the only one suffering loss. I'll share that loss with an insurance company.
09:24
Service level agreements, and this would be the testable piece. Service level agreements are a form of risk transference. And when we talk about an SLA, an SLA is a contract. It's binding, legally binding. And it's where a vendor guarantees me a certain degree of uptime for a particular service or server system.
09:45
And what we want to keep in mind is, with that guarantee, if the system does not meet their guarantee, you know, 99.9997% uptime or whatever that might be, if the server doesn't meet that uptime requirement, then usually we're compensated financially by the vendor. So
10:03
there's loss.
10:05
But I'm not the only one suffering the loss. The vendor gives me some sort of refund or some sort of accommodation for that. So I'm sharing in the loss with someone else. Service level agreements do just that. It's a mutually binding contract.
10:20
Other ideas: contract modification. You know, I'm waiting for a vendor to provide me with a certain degree of product. Maybe I've got 25 Dell servers I've ordered, and the vendor is always late delivering,
10:33
so I'll modify the contract that says for each day they're late, they'll refund me 1% of the total value of the contract.
10:41
That's risk transference, and all those could show up. Okay, so risk reduction, risk transference: remember, risk transference is sharing in the loss; risk reduction, I'm gonna lessen either the probability or impact. One other thing I'll mention about risk reduction:
10:56
The ultimate risk reduction is risk avoidance. If I lessen the probability to zero
11:05
or the impact to zero, I'm avoiding the risk. Just like I said with my picnic. I look at it and I say, I can't have a picnic in December. The risks are just too great. I won't have a picnic. That's risk avoidance. And there are some times where we do choose to avoid a risk. But usually, risk avoidance has us not doing something
11:24
that is desirable for us to do as a business,
11:28
so we don't look to avoid risks, and certainly you can't avoid all risks. Occasionally you can. Maybe we're concerned about the potential for compromise on wireless networks, so we decide, at this point in time, we're not going to allow wireless connectivity.
11:43
You know, we're trading off a big business benefit in favor of security, but that would be risk avoidance.
11:50
Okay,
11:50
Risk acceptance.
11:54
Risk acceptance essentially says, I'm going to do nothing about a risk.
12:00
Why would I ever say, hey, there's a risk, but I'm not gonna do anything about it? Well, there are some risks where the cost to mitigate would be greater than just accepting the risk.
12:11
You know, if it's gonna cost me $1000 to protect a $500 asset, I'll just accept the risk. One of the things that I always think about with risk acceptance is, here in Maryland, in the DC area, we had an earthquake last year. The great earthquake actually was maybe two years ago, the great earthquake of 2012,
12:31
which pretty much consisted of
12:33
the house shaking for, like, six seconds, which, as an East Coast person, was a little concerning to me. I've never been in an earthquake, and it's so funny because of when it happened. We actually had two. But it happened at 3 a.m. one morning, and I think I mentioned to you guys my attack pug, the excellent guard dog.
12:52
So at 3 a.m. I hear this huge
12:56
boom, and the whole house is just shake, shake, shake, shake, shake. The pug slept through the entire thing.
13:03
So I'm not sure really what kind of guard pug he is if he's gonna stand through an earthquake. He will detect a squirrel three blocks away, though. So if there's a squirrel gonna break into the house, I think I'm covered. Earthquake? No.
13:16
I ramble just a little bit. But the point of this whole thing was, with an earthquake as a threat, and that is a threat, you know, it's on my radar now, it's something I think about.
13:26
But when I look at the damage caused by the earthquake, so first of all, that was our second earthquake in 15 years, I think. So it doesn't have a high probability.
13:35
All right, doesn't have a high probability, but it didn't have a very high impact either. I mean, it really was more of a, you know, by the time you had a chance to get freaked out about it, it was over. There was no damage, at least in my area. Now, something to think about: the Washington Monument was shut down for over a year as a result of the earthquake.
13:54
So what might be low impact to me
13:56
might be very high impact to another business, so I can't take things for granted. I have to look at threats as they pertain to me. But as a small business owner, an earthquake in the Maryland, DC area has such a low probability, and even when it has happened in the past, the impact was so low.
14:15
And then you think about what can I really do to mitigate that? Should I pick up my little business and move it into a steel-reinforced building that's a single story, that's designed to withstand a seven-point earthquake? That's way too expensive. I can't justify that cost. So when the cost of mitigation
14:33
is greater than the potential for loss,
14:37
you accept that risk.
14:39
All right, you just say, well,
14:41
we may have another earthquake, but in order to mitigate it, I cannot justify that as a good business decision. Now, please understand that that's not me going,
14:52
We'll be okay.
14:52
Risk acceptance requires a thoughtful and purposeful business decision.
15:00
Risk acceptance uses due diligence.
15:05
When you've got a senior executive that you go to and say, look, we have a tremendous potential for loss. None of our systems are protected with up-to-date antivirus software against
15:16
the current threats that are out there today.
15:18
The potential for loss exceeds $10,000,
15:22
and your senior official says, well, I can't deal with that right now, talk to me next month. That's not risk acceptance. That's risk rejection, and risk rejection is not a valid decision. The difference between the two: risk acceptance uses due diligence; risk rejection does not. We always want a paper trail
15:41
for decisions we've made
15:43
right? We always want to be able to go and look: here's the decision that I made, here are the facts that I used, and that shows that I've been responsible and cautious.
15:54
Now, something to think about. We can make a good business decision and accept a risk. For me, as a small business owner, it was a good risk to accept; I just say, well, there may be an earthquake, but I can't afford to mitigate it.
16:07
My question for you is this: what happens if we do have the earthquake, and what happens if that earthquake is significant,
16:17
and what happens if it destroys my business or my infrastructure or in any way causes much more harm than was anticipated?
16:26
I've accepted the risk. The question I'm asking you really is, what's the safety net under risk acceptance? Because we've gotta have one. Risk acceptance can be a good business decision. But what protects me
16:41
for risks I didn't identify,
16:44
for risks that were greater than anticipated?
16:47
What happens if I insured my home, but insurance says we're not going to cover your home based on something?
16:55
The answer to that is business continuity and disaster recovery planning.
16:59
Business continuity and disaster recovery planning is the safety net under risk management.
17:04
As a matter of fact, a way you might think about it: risk management is for those risks that we anticipate will happen,
17:11
those things with a medium to high probability. Business continuity is for the low probability events that will have a high impact. I don't really believe
17:22
I'm gonna have a flood. I may not have a lot of active mitigation strategies for flood. Maybe I have insurance, but insurance is only gonna cover so much. What happens, and think about it: okay, I've got flood insurance. How much does insurance pay for my data? All my data gets wiped out because all my resources are in a building that gets flooded.
17:41
How much does insurance pay for my data?
17:44
Nothing.
17:45
How do I protect my business?
17:47
What about my customer information? What about my company resources? What about my people? What about disaster recovery planning and business continuity?
17:56
They're the safety net underneath risk management. When risk management fails, business continuity picks up and, ideally, would allow you a smooth transition, and your business keeps moving forward. A way to think about it is every decision you make starts with risk management, and every decision should
18:15
march towards business continuity.
18:18
Keep the business going no matter what.

Instructed By

Kelly Handerhan
Senior Instructor