all right, So the value of quantitative analysis is that it allows us to make a good business decision when we're talking about quantitative analysis there, a couple of terms that you'll want to be able to use that you want to be familiar with. And of course, we've already said risk management always starts identify. Evaluate your assets.
I want a dollar value for what my assets are worth.
Don't forget, this could be very, very difficult, because it's not just a matter of me saying, Well, I could get $200 if I sell this laptop today, remember,
value of assets comes from a lot of different places, not to mention things like reputation, company reputation. How difficult is it to put a dollar value on the reputation of companies? You know, some. There's some companies that when you say their name, you just immediately think quality. And then there are also certain other companies
that when you say their name, you immediately think that's a cheap product. It's not reliable. It's not a good product.
It's very difficult to put a dollar amount on that.
I also think in the realm of security breaches, and here in the news recently. We've seen Home Depot get compromised. We've seen Target get compromised. We've seen Bank of America, T. J. Maxx on and on and on and on. You know. How much does a security compromise hurt? A company?
Well, if you look a target and if if you follow that at all, Over 70 million credit cards
were compromised through the breach at Target.
What was the dollar amount that was worth? Well, their stocks dropped. Uh, what was it? 16% in the quarter immediately following the breach. So that can maybe give you some idea about that. Um,
it's tough to put a dollar amount always on the value of the asset. But you've got to do the best you can,
then probability and impact of risks. That's what risks are all all about. How likely is it toe happen? If it does happen, how bad will it hurt us? So when we're doing some of these formulas and we'll look at just quick formula in just a few minutes, we look at probability as being expressed through something called the a R O.
The annual rate of occurrence,
which is exactly what it sounds like how often per year with this threat event materialize.
How likely is it that happened per year?
Now, if it does happen, what does it cost us? That's the exposure factor often abbreviated with e f
exposure factor. How much of the asset will I lose if this threat materializes?
Okay, so we use thes pieces of information because what I want to figure out is okay, what's the total amount I lose every time this event happens? And then what does that come out to? Yearly.
Single loss expectancy. Every time the threat materializes, what does it cost me?
Annual loss expectancy. What does that wind up costing me per year.
So if we were to take a look at maybe something like data loss due to malicious activity,
okay. And let's say that we have assessed the value of our data. Ah, let's say we've taken all these things into consideration. And for the test, it's not our responsibility to come up with the number as in they're not gonna give you dad and say, What dollar value is it worth? That's a very, very complex process.
What they're gonna do is they're going to say your network resource is has been valued at $50,000. That's the asset value, $50,000. And let's say that
when we think about malicious activity, we generally, um,
could suffer a loss up to 60%
of our network. Resource is,
that would be the exposure factor. So what that means is,
every time this threat materializes, we lose 60% of our asset value. $50,000.
Hey, how often does it happen? That's annual rate of occurrence. So we might say this event happens two times per year. So ah, if we look at single loss expectancy,
single loss expectancy is asset value, times exposure factor. So we have, ah, 60%
percent loss of a $50,000 asset. What does that give us? $30,000.
That's our single loss expectancy.
If we lose $30,000 twice per year than R A, L E
Now, I'm just going through this very quick. These air fairly straightforward there. I doubt that they'll even ask you to do a lot of math on this. I think they're just gonna ask, You know what these formulas would be? What's the correct formula for single loss expectancy, annual loss expectancy. Or they might give you a quick, easy scenario that you have to calculate out.
But ultimately what I'm trying to figure out is, what's my potential for loss?
Therefore, how much money should I spend? That's the whole purpose. So if I find that right now, I'm losing $60,000 per year
and you could give me a solution that cost me $10,000 per year.
That'll keep me from losing 60 per year. That suddenly sounds very good. So I just wanted to go over these formulas. They're not gonna have a lot of math on this exam. They're not really gonna ask you to do a whole lot along these lines. But just to get the premise of quantitative analysis what your assets were,
what are the threats?
What is the probability of the threat materializing? What is its impact? What will it cost me? Per single instance. What will it cost me annually and then take that figure out a control that's cost effective and make your decisions? So, really, that is the heart and soul of quantitative
risk analysis. Okay.
Again, the magnitude of impact and the likelihood we often talk about risks in relation to probability and impact. As a matter of fact, if you've ever done any sort of risk management work, those were really the two elements probability, which is the likelihood and severity or the impact.
And what those calculations that we just look at the alien, the S l E. They will help us to make a good
decision on how to mitigate and again mitigate, maybe used interchangeably with reduced. So if you see that,
think of risk reduction
right, mitigate or reduce your risks. Transfer the risk. Share that risk with someone else if you'll recall we talked about, perhaps insurance, but certainly service level agreements. Being a big strategy can mitigate risks. Avoiding risks really
are the extreme form of risk reduction, right? If I lessen the probability and or impact down to zero, I have no risks, and I've avoided them.
But watch for answers on the test or really test a real world. You really can't avoid all risks. You can't eliminate all risks. I saw product the other day while I was out shopping and it was an I T product and it said, eliminate risks associated with connecting to the Internet.
And my thought was good luck on that.
You might reduce, UM, you might mitigate. But you were not going to eliminate risks associated with connecting to the Internet unless you don't connect to the Internet. So risk elimination really is a viable option. And then we said we accept risks when the cost of mitigation is higher than the potential for loss.
So once again, there's security controls associated with risks.