Risk Assessment Transcription

Welcome to our risk management concepts module on risk assessment and analysis. Risk assessment is the process of identifying the information security risks that might affect your assets, estimating the damage those risks could cause, and prioritizing them so that they can be addressed appropriately. Risks must be evaluated continually, and you must prepare for them, in order to keep your business up and running.

You should understand the operational status of your business and always be considering ways to improve your security and reduce your risk. Once you have conducted a risk assessment, it is critical to report the findings to upper management so that they can provide the right amount of funding and personnel to manage and minimize those risks.

Once you have determined your risks, prepare a plan based on the findings and then implement that plan to control the risks to your organization. One of the most important steps in a risk assessment is identifying the threats, events and vulnerabilities that could affect your business.

A threat is the potential for a harmful event to occur. A vulnerability is a weakness in a system, or in the way you have configured it, that someone could take advantage of to bring about that harmful event. Risk exists where a threat is able to exploit a vulnerability. There are three different ways to conduct a risk assessment.

A qualitative risk assessment relies on experience and judgment and generally does not involve monetary values. With a quantitative risk assessment, we assign a monetary value to each of our assets and to the damage each risk could cause, and this is considered the most rigorous method. The most commonly used approach, however, is a hybrid assessment that blends qualitative and quantitative techniques to give the best picture of what we could experience in an emergency or other negative event.

You should be familiar with these three types of risk assessment for the CISSP examination. Once risks have been assessed, there are several ways to treat them. We can assign or transfer a risk to another person or a third party, essentially paying them to accept the risk for us. An example is purchasing insurance against a fire or other building disaster.

Another example is using a service level agreement, or SLA, to hire a company to back up our systems, host a server, or perform some other function for us so that the risk no longer sits in our facility. Bear in mind that transferring a risk shifts its financial impact, not the organization's accountability for it. We can also select controls, or countermeasures, to mitigate a risk. When selecting controls, make sure they are cost-effective; there are some risks that upper management will simply choose to accept.

They will not put controls in place when the controls would not be cost-effective or would be too difficult to implement, and will instead accept the risk the company faces; that decision should be recorded. A quantitative risk analysis uses numeric and monetary values based on the value of your assets and on your experience of how often a disaster might occur in your area, for example.

Typically insurance companies or actuarial tables are used to provide the needed values. Managers usually prefer a quantitative analysis because they can use the monetary values to make decisions. A qualitative risk analysis is based on a subjective rating system and generally uses an individual's intuition, or a group consensus reached through a method such as the Delphi technique.

Qualitative risk analyses are typically informal and are usually performed first, then followed up by a more formal quantitative analysis. In practice, decisions will include elements of both techniques. To conduct a proper risk assessment we must know the value of our assets, and it is very important to calculate that value correctly.

First we must determine how critical a system is to our organization or our mission. We must consider many different costs, not just the cost of the physical equipment itself. We have to think about what it would cost to replace the system if we had to purchase a new one.

What would it cost to develop a system or a piece of software? What are the maintenance costs, warranties and other protective mechanisms? What is our operational or productivity loss if the asset goes offline for, say, four hours on a couple of days? What is its value to the owner?

What is its value to an outside party, such as the fair market value someone else would be willing to pay for it? And what liability does it carry? You may have an asset that is not worth a lot, perhaps a laptop worth a few hundred dollars, that holds protected HIPAA information.

If that data is lost, you may be liable for millions of dollars in fines. So even though the asset does not appear to be worth much, it could expose the company to a great deal of liability, and it is therefore very valuable to the organization. Determining values is sometimes difficult; we have to consider an item's initial value as well as its value internally versus externally, where those two differ.

We often need to calculate these values to weigh our risk against the cost of mitigating it. We always start with our estimate of the asset value, or AV. We then determine the exposure factor, or EF, which is the percentage of the asset's value we would expect to lose in a typical incident.

For example, if we estimate that a fire would destroy 50% of our building, then our exposure factor for a typical fire is 50%. To calculate the single loss expectancy, or SLE, we multiply the asset value by the exposure factor. If our facility is worth $1 million and a fire has a 50% exposure factor, the single loss expectancy for one fire is $500,000.

The annualized loss expectancy, or ALE, spreads that single loss over the frequency with which we expect the incident to occur: we multiply the single loss expectancy by the annualized rate of occurrence, or ARO. Continuing with the fire example, if the single loss expectancy is $500,000 but a fire is expected only once every ten years, the annualized rate of occurrence is 0.10, and we multiply $500,000 by 0.10.

That gives us an annualized loss expectancy of $50,000 per year. The annualized rate of occurrence represents the estimated probability, or expected number of occurrences, of a particular threat in one year. So in the fire example, when we say a fire occurs once every ten years, we take one and divide it by ten, which gives an annualized rate of occurrence of 0.10.

If it occurred once every five years, we would divide one by five, and the annualized rate of occurrence would be 0.2. If a threat can occur multiple times per year, the annualized rate of occurrence is simply that number of occurrences. For example, if a theft could occur four times per year, the annualized rate of occurrence is 4.

On this slide we have an example calculation of the annualized loss expectancy. We have a facility that may be damaged by a tornado, and it is estimated that we would lose 50% of the facility if a tornado struck, so our exposure factor is 50%. The value of the facility is $200,000.

The probability of a tornado is once every ten years, so the annualized rate of occurrence is 0.10. We multiply the asset value by the exposure factor to get the single loss expectancy: $200,000 times 0.50 is $100,000, meaning we would lose $100,000 of our facility if a tornado occurred.

To calculate the annualized loss expectancy, we take that single loss expectancy of $100,000 and multiply it by the annualized rate of occurrence of 0.10, which gives $10,000 per year: we are spreading the $100,000 loss over its expected frequency of once every ten years.

So, to make a cost-effective budgeting decision when purchasing a countermeasure against tornado damage, management should not spend more than $10,000 per year on countermeasures for that threat; spending more would not be cost-effective. For the CISSP examination, you should be familiar with the exposure factor, single loss expectancy, annualized loss expectancy and annualized rate of occurrence.

You should also be able to calculate these values from a scenario given to you during the examination. When choosing security controls, we should make sure they achieve their goal by actually mitigating the risk. For example, if we are trying to avoid fire damage, we want to be sure that the fire suppression system can put out a fire properly.

The control should be transparent to legitimate users but difficult to bypass, much like a glass wall: users can see through it easily, but an intruder cannot get past it without breaking it. Good controls make business sense because they are cost-effective. We would not want to spend thousands of dollars to protect an asset that is only worth a few hundred dollars.

When calculating the cost-benefit of a control, we can use the formula on this slide: take the annualized loss expectancy before the control is implemented, subtract the annualized loss expectancy after the control is implemented, and then subtract the annual cost of the control. The result is the value of the control to the company, per year.

For example, if our annualized loss expectancy before implementing a fire suppression system was $100,000, the annualized loss expectancy after implementing it was $50,000, and the annual cost of that control was $5,000, then the value of the control to our company would be $45,000 per year. That is a very good return on the investment.
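The single loss expectancy, annualized rate of occurrence, annualized loss expectancy and cost-benefit arithmetic from the preceding paragraphs, carried through in code. This is an added example and not code from the training module: the function names and the `Scenario` class are this example's own assumptions, the fire, tornado and fire-suppression figures are the ones used in the module, and the laptop theft figures are constructed to show the more-than-once-a-year case.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and control cost/benefit.

Added example (not the module's own code). Function and class names are this
example's assumptions. The fire, tornado and fire-suppression figures are the
module's; the laptop theft figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset lost in one incident."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0 (0% to 100%)")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events: float, years: float = 1.0) -> float:
    """ARO = expected occurrences per year.

    'once every ten years' -> annualized_rate_of_occurrence(1, 10) == 0.10
    'four times per year'  -> annualized_rate_of_occurrence(4)     == 4.0
    """
    if events < 0 or years <= 0:
        raise ValueError("events must be >= 0 and years must be > 0")
    return events / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the loss we expect, on average, per year from this threat."""
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a control per year = ALE before - ALE after - annual cost of the control.

    Positive: the control saves more than it costs. Negative: not cost-effective,
    so it should not be purchased.
    """
    return ale_before - ale_after - annual_cost


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, holding the inputs the formulas need."""
    name: str
    asset_value: float
    exposure_factor: float   # fraction, e.g. 0.50 for 50%
    events: float            # occurrences expected ...
    years: float = 1.0       # ... over this many years

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def aro(self) -> float:
        return annualized_rate_of_occurrence(self.events, self.years)

    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle(), self.aro())

    def max_justified_annual_spend(self) -> float:
        """Spending more per year than the ALE on countermeasures is not cost-effective."""
        return self.ale()


# Module figures: a $1M facility, 50% destroyed by a fire expected once in ten years.
FIRE = Scenario("fire", asset_value=1_000_000, exposure_factor=0.50, events=1, years=10)
# Module slide figures: a $200K facility, 50% lost to a tornado expected once in ten years.
TORNADO = Scenario("tornado", asset_value=200_000, exposure_factor=0.50, events=1, years=10)
# Constructed: a $2,000 laptop stolen outright (100% loss) four times a year.
THEFT = Scenario("laptop theft", asset_value=2_000, exposure_factor=1.0, events=4)


def fire_suppression_decision() -> Tuple[float, bool]:
    """Module's fire-suppression case: ALE $100K before, $50K after, $5K per year to run."""
    value = control_value(ale_before=100_000, ale_after=50_000, annual_cost=5_000)
    return value, value > 0


if __name__ == "__main__":
    for s in (FIRE, TORNADO, THEFT):
        print(f"{s.name:13s} SLE=${s.sle():>12,.2f}  ARO={s.aro():<5.2f} "
              f"ALE=${s.ale():>12,.2f}/yr  (spend at most ${s.max_justified_annual_spend():,.0f}/yr)")
    value, buy = fire_suppression_decision()
    print(f"fire suppression: value ${value:,.2f}/yr -> {'purchase' if buy else 'do not purchase'}")
    # A control whose running cost exceeds the loss it prevents has negative value: reject it.
    bad = control_value(ale_before=TORNADO.ale(), ale_after=TORNADO.ale() * 0.2, annual_cost=12_000)
    print(f"tornado shelter at $12K/yr: value ${bad:,.2f}/yr -> {'purchase' if bad > 0 else 'do not purchase'}")
```

The input checks on the exposure factor and the rate of occurrence are there because exam questions and real assessments both tend to mix percentages with fractions (50 versus 0.50) or years with events per year; getting the unit wrong silently scales the ALE by a factor of a hundred.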

However, if the value of the control is negative, we should not purchase it, because it would not be cost-effective. When conducting the steps of a qualitative risk analysis, we use sound judgment, experience and intuition rather than numbers to determine what types of risk the organization faces.

The first step is to develop risk scenarios for our assets. We then gather experienced subject matter experts, or SMEs, to help conduct the assessment. With those experts in place, we walk through each scenario to determine its potential results, and prioritize the most important risks and threats to our assets.

We can then reach a consensus on the best countermeasures to mitigate or remove those threats. The Delphi technique is a group decision method in which members provide their feedback anonymously, over successive rounds, until a consensus emerges; you should be familiar with the Delphi technique for the CISSP examination.

This concludes our risk management concepts module. Thank you for watching.
