Understanding Risk Assessment Part 1
Video Transcription
Hello and welcome back to Cybrary's CompTIA Advanced Security Practitioner certification preparation course.
This is a continuation of Module One, which is titled Risk Management.
Here are the objectives which encompass this particular module.
Let's now turn our attention toward discussing and understanding risk assessment.
This is Section three of this particular module.
Here again are the objectives which encompass this particular section. We begin by first discussing the importance of conducting a risk assessment, then the metric definition, what we measure to get the metrics, key indicators, benchmarks versus baselines, analyzing security solutions, qualitative versus quantitative risk assessment, the tasks and deliverables needed for your risk assessment, best practices for performing your risk assessment and, lastly, annualized loss expectancy and single loss expectancy.
So without further ado, let's take a look at a pre-assessment question. The question is as follows: which of the following steps in conducting a risk assessment should be performed first? A. Identify your business assets; B. Identify your enterprise risk; C. Assess your vulnerabilities; or, lastly, D. Evaluate your key controls.
The correct response would have been A: first of all, identify your business assets.
This brings us to the topic of what risk assessment is. Risk assessment is a key step in your risk management process. As we mentioned earlier, risk management is forward looking: it is anticipating, it is all about planning. Risk assessment involves the determination of the quantitative or qualitative value of your risk.
It is conducted for concrete situations and recognized threats. It is used to help identify what safeguards to implement. It is also required for valuing your risks or controls, and it is often conducted at the implementation of a control.
When we look at metrics, metrics should be monitored consistently, and these metrics should be analyzed soon after they are collected to see if any adjustments need to be made. Proper metric creation, collection and analysis will allow an organization to project future needs before a problem arises.
Security metrics provide information on both short and long term trends. By collecting these metrics and comparing them on a day-to-day basis, a security professional can determine the daily workload; when the metrics are compared over a longer period of time, the trends that occur can help shape future security projects as well as the budget.
So what do we measure to get the metrics? First of all, we look at the security program performance against quantifiable objectives. We look at the trends. It also involves accountability: the diligence of line business unit management toward protecting against known risk. It looks at the change, in other words the relationship of the security program to the benchmark: how are we doing versus our peers? It involves value assessment. It also looks at the security effectiveness as rated by your customers. So again, this is what we look at, in other words, to measure those metrics.
So this brings us to exactly what our key indicators are. Key risk indicators, as the name suggests, measure your risk. If you recall from previous presentations, we learned that a risk involves uncertainty. So key risk indicators are used by an organization to determine how much risk it is exposed to, or, in other words, how risky a particular venture or activity is.
Your key risk indicators need to capture, for example, the escalation of high severity events. They look at handling time, and they also assess the attack surface area as well. So the first one we are going to take a look at is called a key risk indicator: it is a measure that provides information on the level of exposure to a given operational risk.
Your key control indicators, or KCIs, are measures that provide information on the extent to which a given control is meeting its intended objective. Your key performance indicators, or KPIs, are measures that measure performance or achievement of targets.
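To make the three indicator types concrete, here is an added example (not the course's own material) that computes a KRI, a KPI and a KCI over a constructed set of incident records and maps each to a red/amber/green status; the thresholds and record fields are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample incident records (illustrative, not course data).
@dataclass
class Incident:
    ident: str
    severity: str            # "high", "medium" or "low"
    handling_time_h: float   # hours from detection to closure
    escalated: bool          # whether the event had to be escalated

INCIDENTS = [
    Incident("INC-1", "high", 3.0, True),
    Incident("INC-2", "high", 9.5, True),
    Incident("INC-3", "medium", 20.0, False),
    Incident("INC-4", "low", 48.0, False),
    Incident("INC-5", "high", 2.0, False),
]

def kri_high_severity_escalation_rate(incidents):
    """KRI: share of high-severity events escalated (exposure to an operational risk)."""
    high = [i for i in incidents if i.severity == "high"]
    return sum(1 for i in high if i.escalated) / len(high) if high else 0.0

def kpi_closed_within_target(incidents, target_h):
    """KPI: fraction of incidents closed within the target handling time."""
    return sum(1 for i in incidents if i.handling_time_h <= target_h) / len(incidents) if incidents else 0.0

def kci_control_coverage(hosts_in_scope, hosts_compliant):
    """KCI: extent to which a control (e.g. patching across the attack surface) meets its objective."""
    return hosts_compliant / hosts_in_scope if hosts_in_scope else 0.0

def rag_status(value, amber_at, red_at, higher_is_worse=True):
    """Map an indicator to red/amber/green against assumed, agreed thresholds."""
    if not higher_is_worse:          # flip the scale so one comparison works for both directions
        value, amber_at, red_at = -value, -amber_at, -red_at
    if value >= red_at:
        return "red"
    return "amber" if value >= amber_at else "green"

def indicator_dashboard(incidents, target_h, hosts_in_scope, hosts_compliant):
    kri = kri_high_severity_escalation_rate(incidents)
    kpi = kpi_closed_within_target(incidents, target_h)
    kci = kci_control_coverage(hosts_in_scope, hosts_compliant)
    return {
        "kri_escalation_rate": (round(kri, 3), rag_status(kri, 0.25, 0.5)),
        "kpi_within_target": (round(kpi, 3), rag_status(kpi, 0.9, 0.75, higher_is_worse=False)),
        "kci_control_coverage": (round(kci, 3), rag_status(kci, 0.95, 0.9, higher_is_worse=False)),
    }
```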
Let's now turn our attention toward discussing the 14-step approach to key performance indicators and key risk indicators. The following steps must be adhered to:
Step 1. Understand the business context.
Step 2. Identify audience and collaborators.
Step 3. Determine common interests.
Step 4. Identify key information security priorities.
Step 5. Design key performance indicator and key risk indicator (KPI/KRI) combinations.
Step 6. Test and confirm the KPI/KRI combinations.
Step 7. Gather the data.
Step 8. Produce and calibrate the KPI/KRI combinations.
Step 9. Interpret the KPI/KRI combinations to develop insights.
Step 10. Agree on conclusions, proposals and recommendations.
Step 11. Produce reports and presentations.
Step 12. Prepare to present and distribute reports.
Step 13. Present and agree on the next steps.
Step 14. Develop learning and improvement plans.
Let's now take a look at benchmarks versus baselines. A benchmark is a standard against which the performance of a security, mutual fund or investment manager can be measured. A benchmark is compared to the baseline to determine whether any security and performance issues exist. Also, security professionals should keep in mind that monitoring performance and capturing baselines and benchmarks will affect the performance of the system being monitored. In project management, a baseline is a known state by which something is measured or compared. While capturing the baseline is important, using the baseline to assess the security state is just as important.
Even the most comprehensive baselines are useless if they are never used.
We also have to look at the fact that good metrics are SMART. This acronym stands for: they must be specific; if you are looking at metrics, they must also be measurable; they must be attainable; they must be repeatable; and also time-dependent.
Now let's look at analyzing security solutions. The primary items that you need to understand, obviously for the CompTIA Advanced Security Practitioner exam, are performance, latency, scalability, capability, usability, maintainability, availability, recoverability and, as well, cost-benefit analysis.
Performance is the manner in which, or the efficiency with which, a device or technology reacts or fulfills its intended purpose. Latency is the delay typically incurred in the processing of your network data.
Scalability is a characteristic of a device or security solution that describes its capability to cope and perform under an increased or expanding workload. Capability is an action that the solution or device can perform; for example, an intrusion detection system detects intrusions, whereas an intrusion prevention system prevents those intrusions.
Usability means making a security solution or device easy to use and matching the solution or device more closely to the organization's needs and requirements. Continuing with analyzing our security solution, it must also involve maintainability: how often a security solution or device must be updated.
Availability is the amount or percentage of time a computer system is available.
Recoverability is the probability that a failed security solution or device can be restored to a normal operational state within a given time frame. It also involves cost-benefit analysis, which is performed before deploying a security solution to the enterprise.
This particular type of analysis compares the cost of deploying a particular solution to the benefits to be gained from its deployment.
Now we look at quantitative as well as qualitative risk assessment. Quantitative risk assessment calculates the absolute financial value of losses and costs, whereas qualitative risk assessment calculates the relative value of losses as well as costs. So basically, quantitative risk assessment quantifies the possible outcomes for the project and assesses the probability of achieving specific project objectives. It provides a quantitative approach to making decisions when there is uncertainty. On the other hand, qualitative risk analysis prioritizes identified project risks using a predefined rating scale: risks are scored based on their probability or likelihood of occurrence and the impact on project objectives should they occur.
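The two approaches side by side, as an added example that is not part of the course material: the qualitative path scores each risk on predefined 1 to 5 likelihood and impact scales, the quantitative path computes an absolute expected annual financial loss, and the constructed register shows that the two can prioritize the same risks in a different order. The register values and rating bands are assumptions.

```python
from dataclasses import dataclass

# Constructed sample risk register; the figures are illustrative, not course data.
@dataclass
class Risk:
    name: str
    likelihood: int           # qualitative rating: 1 (rare) .. 5 (almost certain)
    impact: int               # qualitative rating: 1 (negligible) .. 5 (severe)
    events_per_year: float    # quantitative: expected occurrences per year
    loss_per_event: float     # quantitative: absolute financial loss per event

REGISTER = [
    Risk("ransomware on file server", 3, 5, 0.2, 400_000.0),
    Risk("lost unencrypted laptop", 4, 3, 2.0, 15_000.0),
    Risk("unpatched web application", 2, 4, 0.5, 120_000.0),
    Risk("phishing credential theft", 5, 2, 6.0, 4_000.0),
]

def qualitative_score(risk):
    """Qualitative: score = likelihood x impact on the predefined 1-5 scales."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("ratings must be on the 1-5 scale")
    return risk.likelihood * risk.impact

def qualitative_rating(score):
    """Map a score to a relative band (the thresholds are an assumed policy)."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"

def expected_annual_loss(risk):
    """Quantitative: absolute financial value expected to be lost per year."""
    return risk.events_per_year * risk.loss_per_event

def prioritize_qualitative(register):
    """Risk names ordered by rating-scale score, highest first."""
    return [r.name for r in sorted(register, key=qualitative_score, reverse=True)]

def prioritize_quantitative(register):
    """Risk names ordered by expected annual financial loss, highest first."""
    return [r.name for r in sorted(register, key=expected_annual_loss, reverse=True)]

def compare(register):
    """Both views per risk, so a reviewer can see where the rankings diverge."""
    return {
        r.name: {
            "score": qualitative_score(r),
            "rating": qualitative_rating(qualitative_score(r)),
            "expected_annual_loss": expected_annual_loss(r),
        }
        for r in register
    }
```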
Now let's look at the challenges that we face in regards to risk assessment. Risk assessments are viewed as a barrier to day-to-day business activities.
Often the owners struggle with the process itself; the data interpretation needed to derive actual insight is tougher than it is made to look.
Additionally, the risk assessment does not always perfectly reveal the existing reality. Implementation of risk remediation is not consistent, and in most cases it is not prioritized.
This brings us to risk management and why it is important to an organization. As I mentioned before, risk management is the process of identifying, assessing, controlling and mitigating your risks. Threats and vulnerabilities are the key drivers of risk.
If you are able to go through a systematic process that identifies the threats and vulnerabilities that are relevant to your organization, that is an important step. You can then take action to reduce the potential loss from those particular types of risks.
So again, risk management starts with risk assessment and risk analysis. The first step is to identify the assets of your organization as well as their value. You also want to identify the threats and vulnerabilities, in other words the weaknesses that exist in these particular assets. Then you want to systematically prioritize the threats and vulnerabilities you have identified by the likelihood that a vulnerability will be exploited by a threat.
Lastly, you identify the impact of a risk; risks with high impact obviously should be addressed.
Now let's look at the critical components of your risk assessment. First of all, you want to determine the scope of your assessment.
You want to have a clearly defined scope. Some items that fall within the scope: you look at the view, the outlook, the application, the operation, as well as the effectiveness. You also make sure you employ a clearly defined scope. If you don't employ a clearly defined scope, what is going to happen is
you will incur what we call scope creep.
You also identify the boundaries of the assessment, and you want to isolate critical areas of focus.
The next item is the steps that you need to take in regards to risk assessment. First of all, you select the methodology; you identify the risk management structure; identify your assets and activities within those boundaries; identify and evaluate relevant threats; identify and evaluate relevant vulnerabilities;
identify and evaluate the countermeasures; and implement what we call
your assessment methodology.
During this particular presentation, we began the process of discussing the importance of conducting a risk assessment.
We defined what a risk is; in other words, we took a look at the metric definition.
We discussed what we measure to get the metrics, key indicators, benchmarks versus baselines, analyzing security solutions,
and qualitative versus quantitative risk assessment.
We are going to continue in the next presentation by taking a look at the tasks and deliverables needed for your risk assessment. We are going to discuss some best practices in the next video for performing your risk assessment and, lastly, annualized loss expectancy and single loss expectancy; we will define exactly what those terms mean.
In our upcoming presentation we are going to continue our discussion of Section three,
understanding risk assessment.
I look forward to seeing you in the very next video.