Qualitative Risk Analysis … Delphi Technique

Purely quantitative risk assessment is hard to achieve because some items are difficult to tag with fixed dollar amounts. Absolute qualitative risk analysis is possible because it ranks the seriousness of threats and the sensitivity of assets into grades or classes, such as low, medium, and high. Typically this analysis is done for intangible assets, such as the reputation associated with the enterprise.
It is typically measured or determined with the techniques below.

  • Brainstorming
  • Delphi technique
  • Storyboarding
  • Focus groups
  • Surveys
  • Questionnaires
  • Interviews
  • Checklists
  • One-on-one meetings

An example of this can be seen in NIST 800-26, a document that uses confidentiality, integrity, and availability as categories of loss and then ranks each loss on a scale of low, medium, and high. The ranking is purely subjective (which is one of the cons of using a qualitative approach):

Qualitative Risk Analysis – NIST

Let’s take the same example which we considered in Quantitative Risk Analysis.
Case Study: Datacenter
Threat: Flooding

  • How likely is it that the data center gets flooded in a natural calamity such as flooding?
    • I would think Low likelihood.
  • How bad is it if it happens?
    • That really depends on a couple of things:
  • How badly will it impact Confidentiality?
    • High
  • How badly will it impact Integrity?
    • High
  • How badly will it impact Availability?
    • High
    • Let’s say it is Likely and a Minor issue; that puts the loss in the High-Risk category.
  • It is normal to move High and Extreme risks on to quantitative risk analysis. If mitigation is implemented, we can perhaps move the risk level to “Low” or “Medium”.

An enterprise can opt for one or more of the above methodologies for qualitative risk analysis. One of the popular mechanisms, which we shall take a look at here, is the “Delphi” technique.

Delphi – an approach that conducts an anonymous survey to gather truthful facts. For example, if your company asks its employees to provide feedback on their respective managers, and their responses can easily be seen by those managers as well, imagine what will happen in this case. Will the company be able to gather correct facts?
Can the company ensure that true inputs will be provided by the employees?
The ANSWER would be “NO” – Why? – The reason is one “we all know”; let’s not discuss it over here 😛
Now imagine another situation, where the company performs an anonymous survey – there is a high probability of getting realistic data about employee satisfaction.
Hence we need to categorise our intangible assets into the categories mentioned below.

Delphi Technique

The next question is “HOW” – to understand this, please follow the case study below.

Case Study:

Let’s take another example: Company XYZ is an e-commerce company and has a database consisting of its customer details. Let us assume that, knowingly or unknowingly, we put this database on a publicly available web server. In this case:
our valuable asset = Customer list
Impact = High (because it is Company XYZ’s customer list, which can lead to high potential losses if competitors become aware of your customers)
Probability/Likelihood = High (because this database is publicly exposed, it has a high chance of occurrence)
Hence “Customer list” will fall into the “High Impact High Likelihood” bucket.
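The Delphi step described above (anonymous responses, aggregated into a grade) can be scripted so that the facilitator never exposes who said what. The block below is an added example, not code from the original post: it assumes the usual Delphi shape of one or more anonymous rounds, with an anonymised tally fed back to the panel until the grades converge, and the panel members, their grades and the round data are constructed for the Company XYZ customer-list scenario.

```python
"""Delphi-style anonymous aggregation of qualitative risk grades.

Added example (not the post's own code). Respondent names, grades and
rounds are constructed for the Company XYZ customer-list case study.
"""
from typing import Dict, List, NamedTuple, Tuple

GRADES = ("Low", "Medium", "High")
SCORE = {grade: index for index, grade in enumerate(GRADES)}  # Low=0 .. High=2


class Response(NamedTuple):
    respondent: str   # known only to the facilitator; never shown to the panel
    likelihood: str
    impact: str


class RoundSummary(NamedTuple):
    likelihood: str          # panel's median likelihood grade
    impact: str              # panel's median impact grade
    converged: bool          # True when the panel agrees within max_spread
    feedback: Dict[str, Dict[str, int]]  # anonymised tally fed back next round


def _median_grade(grades: List[str]) -> str:
    scores = sorted(SCORE[g] for g in grades)
    # Upper median: a tie between two grades resolves to the more severe one.
    return GRADES[scores[len(scores) // 2]]


def _spread(grades: List[str]) -> int:
    scores = [SCORE[g] for g in grades]
    return max(scores) - min(scores)


def summarise_round(responses: List[Response], max_spread: int = 1) -> RoundSummary:
    """Strip identities from one round and reduce it to grades plus a tally."""
    if not responses:
        raise ValueError("a Delphi round needs at least one response")
    for r in responses:
        if r.likelihood not in SCORE or r.impact not in SCORE:
            raise ValueError(f"unknown grade in response from {r.respondent!r}")
    likelihoods = [r.likelihood for r in responses]
    impacts = [r.impact for r in responses]
    # Only counts per grade leave the facilitator, so no answer is traceable.
    feedback = {
        "likelihood": {g: likelihoods.count(g) for g in GRADES},
        "impact": {g: impacts.count(g) for g in GRADES},
    }
    converged = _spread(likelihoods) <= max_spread and _spread(impacts) <= max_spread
    return RoundSummary(_median_grade(likelihoods), _median_grade(impacts), converged, feedback)


def risk_bucket(likelihood: str, impact: str) -> str:
    """Bucket label in the form the post uses, e.g. 'High Impact High Likelihood'."""
    return f"{impact} Impact {likelihood} Likelihood"


def run_delphi(rounds: List[List[Response]], max_spread: int = 1) -> Tuple[str, int, RoundSummary]:
    """Process rounds in order and stop at the first one where the panel converges.

    Returns (bucket, rounds_used, summary). If no round converges, the last
    round's median is returned with converged=False so the caller can see it.
    """
    if not rounds:
        raise ValueError("no rounds supplied")
    for number, responses in enumerate(rounds, start=1):
        summary = summarise_round(responses, max_spread)
        if summary.converged:
            return risk_bucket(summary.likelihood, summary.impact), number, summary
    return risk_bucket(summary.likelihood, summary.impact), len(rounds), summary


# Constructed round 1: one panelist rates the likelihood Low, so the spread is too wide.
ROUND_1 = [
    Response("analyst-a", "High", "High"),
    Response("dba-b", "Low", "High"),
    Response("dev-c", "High", "Medium"),
    Response("mgr-d", "Medium", "High"),
]
# Constructed round 2: after seeing the anonymised tally, the panel converges.
ROUND_2 = [
    Response("analyst-a", "High", "High"),
    Response("dba-b", "Medium", "High"),
    Response("dev-c", "High", "High"),
    Response("mgr-d", "High", "High"),
]

if __name__ == "__main__":
    bucket, used, summary = run_delphi([ROUND_1, ROUND_2])
    print(f"{bucket} (after {used} round(s), converged={summary.converged})")
    print("tally fed back:", summary.feedback)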

Quantitative Risk Analysis … The four HOWs

The objective of this analysis is to find out:

  • How much of our asset is compromised?
  • How much will one incident/event cost?
  • How often does the incident/event occur?
  • How much will that cost annually?

To answer these, let us look at the six major elements of Quantitative Risk Analysis below.

  • Asset Value (AV) – How much is the asset worth?
  • Exposure Factor (EF) – What percentage of the asset value is lost?
  • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
  • Annual Rate of Occurrence (ARO) – How often will this happen each year?
  • Annualised Loss Expectancy (ALE1) without safeguard – (SLE x ARO) – This is what it costs per year if we do nothing.
  • Annualised Loss Expectancy (ALE2) post safeguard – (SLE x ARO, after the countermeasure) – This is what it costs per year if we put the countermeasure in place.
  • Annual Cost of Safeguard (ACS) – What the countermeasure costs per year.
  • Cost-Benefit Analysis: if (ALE1 - ALE2 - ACS) > 0, the safeguard is a good choice; otherwise it is not a good choice financially.
  • Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing price (normally operational).

Quantitative Risk Analysis

Let’s understand these mathematical formulas of quantitative risk analysis with the case study below:
Case Study: Data Center
Suppose the Company XYZ Data Center is valued at 100,000,000 USD.
i.e. AV = 100,000,000 USD
The Data Center is at risk from a natural calamity such as flooding.
i.e. Threat = Flooding
If flooding happens, 15% of the DC is compromised.
i.e. EF = 15%
Loss per flooding event:
i.e. SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD
Flooding happens once in 5 years.
i.e. ARO = 0.20
Hence the loss per year because of flooding would be:
ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD
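The formulas from the element list (SLE, ALE1, ALE2, ACS and the cost-benefit test) and the Data Center case study above can be worked through in a few lines of code. The block below is an added example, not code from the original post: the asset value, exposure factor and ARO are the case study’s own figures, while the two flood safeguards, their annual costs and their residual exposure factors are hypothetical numbers constructed only to show one countermeasure that pays for itself and one that does not.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added example (not the post's own code). The data-center figures come from
the case study; the safeguards and their costs are constructed/hypothetical.
"""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: what one occurrence of the threat event costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year (ARO 0.2 == once in five years)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # ACS: yearly cost of running the countermeasure
    residual_ef: float      # exposure factor once the safeguard is in place
    residual_aro: float     # annual rate of occurrence once the safeguard is in place


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """Cost-benefit figure (ALE1 - ALE2 - ACS); positive means the safeguard is worth it."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_ef), safeguard.residual_aro
    )
    return round(ale_before - ale_after - safeguard.annual_cost, 2)


def compare_safeguards(
    asset_value: float, ef: float, aro: float, safeguards: List[Safeguard]
) -> List[Tuple[str, float, float, bool]]:
    """Return (name, ALE2, net value, worthwhile) for every candidate safeguard."""
    results = []
    for s in safeguards:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, s.residual_ef), s.residual_aro
        )
        value = safeguard_value(asset_value, ef, aro, s)
        results.append((s.name, ale_after, value, value > 0))
    return results


# Figures from the case study (USD).
DATA_CENTER_AV = 100_000_000
FLOOD_EF = 0.15      # 15% of the DC compromised per flood
FLOOD_ARO = 0.20     # once in five years

# Constructed safeguards: hypothetical costs and residual exposure, not from the post.
FLOOD_SAFEGUARDS = [
    Safeguard("flood barriers", annual_cost=1_000_000, residual_ef=0.05, residual_aro=0.20),
    Safeguard("raised-floor rebuild", annual_cost=2_500_000, residual_ef=0.05, residual_aro=0.20),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(DATA_CENTER_AV, FLOOD_EF)
    ale1 = annualized_loss_expectancy(sle, FLOOD_ARO)
    print(f"SLE = {sle:,.0f} USD, ALE1 = {ale1:,.0f} USD")
    for name, ale2, value, worthwhile in compare_safeguards(
        DATA_CENTER_AV, FLOOD_EF, FLOOD_ARO, FLOOD_SAFEGUARDS
    ):
        verdict = "worth it" if worthwhile else "not worth it"
        print(f"{name}: ALE2 = {ale2:,.0f}, ALE1 - ALE2 - ACS = {value:,.0f} -> {verdict}")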

Some other examples are summarized in the table below.

How SLE, ARO, ALE are used/calculated

Risk Assessment/Analysis

Risk analysis is the process of studying in detail the risks to which the organisation’s assets are susceptible because of previously identified vulnerabilities. Please take a look at the mindmap below for the complete Risk Assessment/Analysis process.

In the next blog, we will understand in detail the Quantitative and Qualitative Risk Analysis approaches.

Please note: steps 1 to 6 mentioned in the mindmap list the Risk Assessment/Analysis process.

Risk Management … Must for every Security Professional

This is one of the most important topics in the CISSP exam; I would also say risk management is something we all actually do in our “day to day” tasks. Hence, for every security professional this is a must-know topic.

So before we get into the details of Risk Management, let’s understand the questions below.

  1. What is Risk Management? – It is the process of identification, assessment, analysis, and mitigation or transfer of risk.
  2. Why is Risk Management required? – If an organisation is negligent in risk management, its assets can be compromised.
  3. How to do Risk Management? – We will discuss this in detail.
  4. When to do Risk Management? – It must be performed annually, or more specifically whenever there are significant changes in your environment, e.g. acquisitions or mergers, expanding your facility, or moving into a new facility.

Before we begin to understand “Risk Management”, let’s take some time to understand “Risk Terminology”.

  • Asset: Anything which needs to be protected.
  • Asset Valuation: Assigning a $$ value to an asset.
  • Threat: Anything that could create an unwanted outcome for an organization, or for all or part of an asset.
  • Vulnerability: A weakness in an asset; the absence of a safeguard or countermeasure.
  • Threat Agent: The entity which carries out the attack. It could be a person, program, hardware or system.
  • Threat Events: Accidental or intentional exploitation of vulnerabilities. These can be man-made or natural, such as fire, earthquake or flood.
  • Exposure: Being vulnerable to asset loss.
  • Risk: The probability that a threat will exploit a vulnerability.
  • Controls: Safeguards, countermeasures.
  • Attack: Exploitation of a vulnerability by a threat agent.
  • Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.

The diagram below illustrates the connected and complete picture.

Refer to the mindmap below for a summary of Risk Terminology.

“STRIDE” Threat Model … Useful Methodology for Categorization

“STRIDE” is the threat model used to categorize different types of attack. Refer to the mind-map diagram below for a detailed understanding.

I personally feel this is a very good model for categorizing threats in real-world implementations, and I hope to use it very soon in my job.

Threat Modeling … A Step by Step Guide

Threat modelling is the process where potential threats are identified, categorized, and analyzed. There are two approaches to threat modeling, as described below.

The overall objective of any enterprise organization is to reduce risk. Now, let us discuss the framework/methodology/phases involved in threat modeling.

  1. Identify the assets.
  2. Describe the architecture.
  3. Break down the applications, if any.
  4. Identify threats.
  5. Categorize threats.
  6. Analyze threats.
  7. Determine and diagram potential attacks.
  8. Reduction analysis.
  9. Threat prioritization.
  10. Technologies and processes used to remediate threats.

The mind map below lists the details and the corresponding frameworks used in the threat modeling phases.