Understanding Risk
Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Already have an account? Sign In »
Video Transcription
00:00
>> Understanding risk.
00:00
The learning objectives for
00:00
this lesson are to explore risk management,
00:00
to define how to measure risk,
00:00
and to explain the ways to respond to risk.
00:00
Let's get started. Risk management.
00:00
The very basic overview of
00:00
risk management is identifying,
00:00
assessing, and mitigating vulnerabilities and threats.
00:00
An easier way to look at this is,
00:00
every organization has
00:00
something that's important to them,
00:00
they need to protect it and they want to
00:00
find out what do they have to spend to protect it.
00:00
That's basically what we're going to be
00:00
talking about through this lesson.
00:00
What is important to us?
00:00
How much is it going to cost to protect it?
00:00
What is the damage if something were to happen to it?
00:00
On top of that, every organization has
00:00
different types of risks
00:00
and they will manage that differently.
00:00
There are different things that are important to
00:00
one organization that is not important to another.
00:00
It's important that we make
00:00
sure that we've properly identified what's
00:00
important so that we can later on come up with
00:00
ways to manage the risk to those valuable assets.
00:00
But there are some common frameworks
00:00
we can use to help us with this.
00:00
The first is the NIST risk management framework.
00:00
We can also use the ISO 31,000.
00:00
We're going to discuss both of these later in the lesson.
00:00
There are five phases to
00:00
the overall risk management process.
00:00
The first is where we start with the identification
00:00
of mission-critical assets or functions.
00:00
We go around the company and making sure we've
00:00
identified everything that's important.
00:00
Now it's critical to make sure we're
00:00
asking all the right people.
00:00
I've gone into a situation with a company,
00:00
where the upper management
00:00
let us know that these things were important,
00:00
but as we dug through and
00:00
we're talking to other departments,
00:00
we had another department tell us that this
00:00
was important to them only to find out
00:00
that the upper management wasn't aware of
00:00
just how critical that was to the overall business.
00:00
You've got to make sure that you're talking to
00:00
everyone to get all of the important parts
00:00
of your company's assets or
00:00
functions to make sure that you know
00:00
what you even need to worry about for risk.
00:00
From then, we move down to
00:00
the identification of known vulnerabilities.
00:00
We have our assets or
00:00
our functions, where are they vulnerable?
00:00
If we have a building that's in
00:00
a typhoon area or a hurricane area,
00:00
and we don't have any other way of
00:00
restoring operations if something
00:00
were to happen, that's a vulnerability.
00:00
We need to make sure that we have a way
00:00
of planning for these types of vulnerabilities.
00:00
But it's critical that we
00:00
know where all the vulnerabilities
00:00
are before we can even begin addressing a plan for them.
00:00
Then we move down to the potential threats.
00:00
What are the threats to these assets?
00:00
If we're a company that's engaged in
00:00
proprietary research that will be valuable to someone,
00:00
then you can bet that corporate espionage
00:00
or hacker attacks are going to be a problem.
00:00
We need to make sure we make plans for those.
00:00
Then we move to the analysis of business impacts.
00:00
If this thing were to happen,
00:00
this thing that we're dreading,
00:00
this vulnerability has now been exploited,
00:00
how is that going to impact our business?
00:00
Once we know all of these things,
00:00
we can begin to figure out how to
00:00
identify our risk responses.
00:00
This is where we decide how
00:00
we're going to handle that risk.
00:00
How do you go about measuring risk?
00:00
Well, first we need to define some terms.
00:00
Risk is a measurement of
00:00
the impact or the consequence and
00:00
the likelihood that a threat
00:00
will exploit a vulnerability.
00:00
We need to define likelihood.
00:00
This is how realistic is the threat to occur.
00:00
Are we worried about that a meteoroid is going
00:00
to crash into our building? That's not very likely.
00:00
But again, if we're doing proprietary research,
00:00
that is very valuable
00:00
is it likely that a competitor
00:00
is going to try to steal that data?
00:00
Yes, that's pretty likely.
00:00
Then finally, the impact.
00:00
If the risk happened, how bad would it be for us?
00:00
There are different ways of doing risk analysis.
00:00
The first one we're going to discuss is
00:00
the quantitative risk analysis.
00:00
When you hear quantitative,
00:00
you need to think numbers.
00:00
For risk, this usually involves money.
00:00
We start off with a single loss expectancy.
00:00
This is the cost of a single event happening one time.
00:00
For example, a server crash.
00:00
If we look at the history of
00:00
our servers and we average one server crash,
00:00
we want to look at the cost of that crash.
00:00
What does it cost us when that crash happens?
00:00
Then we move to the annual loss expectancy.
00:00
This is adding all of
00:00
those single-loss events together
00:00
over the course of a year.
00:00
We hope that our server is not
00:00
crashing more than once a year or even once a year,
00:00
but if it were to crash multiple times,
00:00
then what are those costs together?
00:00
Then we have our annual rate of occurrence.
00:00
This is how many times in
00:00
a year does that single event occur?
00:00
There's a formula here for you to be able
00:00
to calculate this on a test and you might
00:00
see some of these questions where they are giving
00:00
you numbers for you to calculate based on this formula.
00:00
The ALE equals the SLE times the ARO.
00:00
We're trying to calculate what is
00:00
the annual loss expectancy,
00:00
which is expressed as a cost.
00:00
All of these costs added together and that is equal to
00:00
the single loss expectancy times
00:00
the annual rate of occurrence.
00:00
But the SLE can be broken
00:00
down further into different parts.
00:00
We can define the asset value or the AV.
00:00
How much is that asset worth?
00:00
The exposure factor or EF is,
00:00
what portion as a percentage of that asset would be lost.
00:00
An example would be if a hurricane
00:00
damaged half of our corporate building,
00:00
that will be an exposure factor of 50 percent.
00:00
Our SLE can be calculated as SLE equals AV times EF.
00:00
Then we also have total cost of ownership or TCO.
00:00
This is all costs associated with an asset,
00:00
including the cost to operate it
00:00
and maintain it over its entire lifetime.
00:00
We also have our return on investment or ROI.
00:00
This compares the cost of
00:00
the item to the benefits it provides.
00:00
These next terms are very important and you're likely to
00:00
see questions on the test about these.
00:00
Mean time to recovery, MTTR.
00:00
This measures the amount of
00:00
time a device or a service is down,
00:00
how long from when it
00:00
goes down to when it is back up again?
00:00
Then the mean time between failure or
00:00
MTBF is the lifespan of a device,
00:00
but also the amount of time until a service goes down.
00:00
Then with a gap analysis that measures the difference
00:00
between the current state and the desired state.
00:00
By creating metrics such as ALE, MTTR, MTBF,
00:00
and TCO, an organization can
00:00
evaluate where they stand and make improvements.
00:00
We look at our historical MTTR and our MTBF,
00:00
and we decide this isn't
00:00
good enough and we need to improve.
00:00
By calculating those functions,
00:00
we can get numbers that we can use to help move us
00:00
towards that goal line by using a gap analysis.
00:00
>> There are some issues with quantitative risk analysis.
00:00
It's difficult to perform when the value of
00:00
an asset or the components cannot be easily determined.
00:00
Sometimes it's hard for us to
00:00
do, especially with intangibles.
00:00
But it does offer an effective way of
00:00
describing the assets in an organization,
00:00
what the organization actually has,
00:00
and then the risks that are associated with those assets.
00:00
It can be used to help decision-makers by
00:00
providing good information so they
00:00
can plan where to place the money,
00:00
where they need to spend to lower the risk.
00:00
A qualitative risk analysis,
00:00
this evaluates through words and not numbers.
00:00
Keep in mind quantitative numbers, qualitative words.
00:00
It's very subjective and
00:00
this is especially so when compared to quantitative.
00:00
It works well for the assets that are
00:00
intangible such as brand or reputation.
00:00
But it requires a lot of input from
00:00
other departments such as your marketing,
00:00
your sales, and your corporate communications teams.
00:00
How do we respond to risk?
00:00
The first thing we can do is to avoid it.
00:00
This means stop doing whatever is causing the risk.
00:00
It doesn't mean ignoring the risk. We can accept it.
00:00
This means that if the risk happens,
00:00
it's not worth the cost to prevent it.
00:00
If it happens, we contain it and
00:00
then it's cheaper to contain it than it is to prevent it,
00:00
then we can mitigate the risk.
00:00
This is the process of lowering
00:00
the possibility that the risk will occur.
00:00
Usually mitigating controls help
00:00
to lower the chance of a risk occurrence.
00:00
Then finally, we can transfer the risk.
00:00
This is give the risk to a third party.
00:00
This is usually done by purchasing insurance.
00:00
I've got some good examples
00:00
here to help you understand the differences
00:00
between the different types of risk responses.
00:00
The company has a software application and
00:00
the manufacturer has gone out of business.
00:00
A lot of vulnerabilities have
00:00
been discovered in the software.
00:00
To avoid the risk would be to stop using
00:00
the software altogether and find a replacement.
00:00
To accept the risk is
00:00
if the vulnerabilities are exploited,
00:00
the damage won't exceed the cost to replace the software.
00:00
If we find another software to
00:00
replace and the cost is $50,000,
00:00
but through our calculations we discover
00:00
that if the software
00:00
the current one that we're using is
00:00
exploited and the cost is only $10,000 to us,
00:00
then it doesn't really make sense to
00:00
spend $50,000 to move to
00:00
a different software platform
00:00
because of the cost when we can just accept the risk.
00:00
We can mitigate the risk by using
00:00
various security products to help harden the application.
00:00
We can isolate it to its own air gap network.
00:00
Then we can transfer the risk by
00:00
purchasing insurance that would cover
00:00
the company in the event that we
00:00
were breached because of this software.
00:00
Let's talk about inherent and residual risk.
00:00
Inherent risk is everything in life
00:00
carries some level of risk. It is built-in.
00:00
Having any publicly accessible servers
00:00
creates the potential for an attack.
00:00
This is a risk included with offering any service.
00:00
Mitigating controls that by lowering the risk.
00:00
Residual risk is once we've
00:00
done all our mitigating controls,
00:00
everything has been applied,
00:00
whatever is leftover after that is our residual risk.
00:00
Risk appetite is the level of
00:00
residual risk that is
00:00
acceptable for a given organization.
00:00
This is basically you
00:00
deciding how much you're willing to put up with.
00:00
After you've done enough controls and
00:00
you really don't feel like it's
00:00
cost-effective to spend any more,
00:00
then you're accepting it at that point
00:00
you've mitigated it as far
00:00
as you can go and now you
00:00
have to accept what's left over.
00:00
This is your risk appetite.
00:00
Different organizations will have higher risk appetites.
00:00
You'll see some that fly by the seat of
00:00
their pants and don't have quality backups in place.
00:00
Obviously, they have a very high risk appetite,
00:00
but that has to be decided for each organization.
00:00
Risk exceptions.
00:00
If a risk cannot be mitigated or
00:00
another risk response cannot be applied, for example,
00:00
it can't be transferred or
00:00
avoided then a risk exception can be used.
00:00
However, this should not be done lightly.
00:00
When you're doing this you're basically saying,
00:00
we can't do anything about it.
00:00
We're going to keep performing the risky activity.
00:00
But we think we have
00:00
a legitimate reason as to why we're doing this.
00:00
When you do that, you need to have
00:00
a complete description of the risk and then document
00:00
the rationale for the decision you
00:00
made for the risks exception.
00:00
You need signatures from all those making
00:00
the decision to be documented with all this together.
00:00
This is especially important when it comes
00:00
to compliance frameworks like HIPAA.
00:00
In the next slide I'll go into an example
00:00
where that happened for me.
00:00
But when you're basically
00:00
saying we're not going to do anything about this risk,
00:00
you want to make sure that all the people
00:00
that are making that decision have documented
00:00
their signature and they're signing off on it because
00:00
that's the kind of thing that could
00:00
potentially come back and bite you one day.
00:00
Instructor side note. I mentioned HIPAA,
00:00
but risk is a key part of HIPAA regulations.
00:00
From my experience, many practices
00:00
either don't have the financial capacity
00:00
or the desire to do the things
00:00
that are necessary to protect patient data.
00:00
They will take the response
00:00
of sticking their head in the sand,
00:00
which is basically is the same thing as
00:00
if you pretend the risk isn't there, it just goes away.
00:00
It's surprising how many people
00:00
take that attitude about cybersecurity,
00:00
because the cybersecurity is
00:00
generally not something you can see.
00:00
It's not like someone walking up
00:00
to you and pointing a gun at you.
00:00
Things are happening where attackers are coming in
00:00
and stealing data and it may be
00:00
months or years before that's ever found.
00:00
But because it's not seen,
00:00
we don't put importance on it.
00:00
I've seen many providers or physicians that
00:00
will create wild exceptions
00:00
for why they don't want to do something.
00:00
They're trying to create documentations or at least
00:00
they're trying to go that far, but I can tell you this,
00:00
that often the government
00:00
agencies that are responsible for investigating this,
00:00
the Health and Human Services department,
00:00
they don't take kindly this thing
00:00
and fines can be very expensive.
00:00
But the key to remember is risk doesn't
00:00
go away just because we don't like it or
00:00
we pretend it's not there. Let's summarize.
00:00
We went over risk management and we discussed
00:00
the ways we can measure risk with
00:00
quantitative or qualitative analysis.
00:00
We went over the different risk responses and we
00:00
discussed inherent and residual risk
00:00
along with risk perceptions.
00:00
Let's do some example questions.
00:00
Question 1. This is the amount that would be lost
00:00
over a year based on the sum total of all SLEs.
00:00
Annual loss expectancy or ALE.
00:00
Keep in mind some of the questions on the test are
00:00
going to ask you exactly like this,
00:00
where they're going to use those acronyms
00:00
instead of spelling it out.
00:00
You need to make sure you know these acronyms
00:00
because that's how they could try to
00:00
trip you up on some of these questions. Question 2.
00:00
When using this type of risk analysis,
00:00
words are used to describe the risk and their impacts.
00:00
Qualitative risk analysis.
00:00
Remember, qualitative uses
00:00
words, quantitative uses numbers.
00:00
Question 3, how long between when
00:00
an asset goes down to when it is restored?
00:00
What is the definition for this?
00:00
Mean time to recovery or MTTR?
00:00
Finally Question 4.
00:00
When the cost of a risk occurring is more than the cost
00:00
of mitigating it this type of risk responses used.
00:00
Acceptance. I hope that gave you a good overview
00:00
of risk because we're going to
00:00
use these a lot in the next lessons.
00:00
If you need to go back and look at it again,
00:00
make sure you understand those formulas,
00:00
make sure you understand those terms and
00:00
those risks responses. I'll see you in the next lesson.
Up Next
Instructed By
