Purely quantitative risk assessment is hard to achieve because some items are difficult to tie to a fixed dollar amount. Purely qualitative risk analysis, on the other hand, is possible because it ranks the seriousness of threats and the sensitivity of assets into grades or classes such as Low, Medium and High. This kind of analysis is typically used for intangible assets, such as the reputation of the enterprise. It is usually measured or determined with the techniques below.
One-on-one meetings
An example of this can be seen in NIST SP 800-26, a document that uses confidentiality, integrity and availability as categories of loss and then ranks each loss on a scale of Low, Medium and High. The ranking is purely subjective, which is one of the drawbacks of the qualitative approach:
Let’s take the same example we considered in the Quantitative Risk Analysis case study: Data center, Threat: Flooding.
How likely is it that the data center gets flooded in a natural calamity such as a flood?
I would rate the likelihood as Low.
How bad is it if it happens?
That really depends on a couple of things:
How badly will it impact Confidentiality?
How badly will it impact Integrity?
How badly will it impact Availability?
The likelihood rating and the worst of the three impact ratings are then combined on the organisation’s likelihood/impact matrix. Let’s say a threat is rated Likely with a Major impact: that puts the loss in the High-risk category. Our flood, with its Low likelihood, would land lower on the same matrix unless its impact on availability is rated very high.
It is normal to move High and Extreme risks on to quantitative risk analysis. If mitigation is implemented, the risk level can perhaps be brought down to “Low” or “Medium”.
An enterprise can adopt one or more of the above methodologies for qualitative risk analysis. One popular mechanism we shall take a look at is the “Delphi” technique.
Delphi – An approach that uses an anonymous survey, normally run over several rounds with the collected results fed back to the participants, to gather honest opinions from a group of experts. Consider what happens if a company asks its employees to give feedback on their managers and the managers can easily see the responses. Will the company be able to gather correct facts? Can it ensure that employees provide true inputs? The answer is “No”, for reasons we all know; let’s not discuss that here 😛. Now imagine the company performs an anonymous survey instead: there is a high probability of getting realistic data about employee satisfaction. That same anonymity is what lets the Delphi technique produce unbiased ratings, which we then use to categorise our intangible assets into the categories mentioned below.
The next question is “how”. To understand this, please follow the case study below.
Let’s take another example. Company XYZ is an e-commerce company and has a database containing its customer details. Let us assume that, knowingly or unknowingly, this database is placed on a publicly reachable web server. In this case:
Asset = Customer list
Impact = High (it is Company XYZ’s customer list, which can lead to large losses if competitors get hold of it)
Probability/Likelihood = High (the database is publicly exposed, so compromise has a high chance of occurring)
Hence the “Customer list” falls into the “High Impact, High Likelihood” bucket.
To answer these questions, let us look at the major elements of quantitative risk analysis.
Asset Value (AV) – How much is the asset worth?
Exposure factor (EF) – Percentage of Asset Value lost?
Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
Annual Rate of Occurrence (ARO) – How often will this happen each year?
Annualised Loss Expectancy (ALE1) without safeguard – (SLE x ARO) – This is what it costs per year if we do nothing.
Annualised Loss Expectancy (ALE2) with safeguard – (SLE x ARO), recomputed with the reduced EF and/or reduced ARO that the countermeasure delivers – This is what it costs per year once the countermeasure is in place.
Annual Cost of the Safeguard (ACS) – What the countermeasure costs per year.
Cost-Benefit Analysis: if (ALE1 - ALE2 - ACS) > 0 the safeguard is financially justified; otherwise it is not a good choice financially.
Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing price (Normally Operational)
Let’s understand these formulas of quantitative risk analysis with the case study below.
Case Study: Data Center
Suppose Company XYZ’s data center is valued at 100,000,000 USD, i.e. AV = 100,000,000 USD.
The data center is at risk from a natural calamity such as flooding, i.e. Threat = Flooding.
If a flood happens, 15% of the DC is compromised, i.e. EF = 15%.
Loss per flood: SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD.
Flooding happens once in 5 years, i.e. ARO = 1/5 = 0.20.
Hence the loss per year because of flooding is ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD.
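The same calculation carried through to the cost-benefit decision, as an added example that is not part of the original post. The AV, EF and ARO figures are the data-center case study above; the two candidate safeguards, their annual costs and the residual EF/ARO they leave behind are constructed for illustration only and are not from the post. The example also rejects the classic spreadsheet mistake of entering EF as a percentage (15 instead of 0.15).

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added example (not the original post's code). Data-center inputs are from the
case study; the safeguards and their costs are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair described by the three quantitative inputs."""
    asset_value: float       # AV: what the asset is worth
    exposure_factor: float   # EF: fraction of AV lost per occurrence (0..1)
    aro: float               # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        # Guard against EF entered as a percentage (15 instead of 0.15) and
        # against negative values, both of which silently corrupt the ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: expected cost per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure: its annual cost and the residual EF/ARO it leaves."""
    name: str
    annual_cost: float      # ACS: annualised cost of the control (its TCO per year)
    residual_ef: float      # EF with the control in place
    residual_aro: float     # ARO with the control in place


def ale_with_safeguard(baseline: Exposure, sg: Safeguard) -> float:
    """ALE2: SLE x ARO recomputed with the residual EF and ARO."""
    residual = Exposure(baseline.asset_value, sg.residual_ef, sg.residual_aro)
    return residual.ale()


def net_benefit(baseline: Exposure, sg: Safeguard) -> float:
    """Cost-benefit figure from the post: ALE1 - ALE2 - ACS (> 0 means justified)."""
    return baseline.ale() - ale_with_safeguard(baseline, sg) - sg.annual_cost


def rank_safeguards(baseline: Exposure,
                    candidates: list[Safeguard]) -> list[tuple[str, float, bool]]:
    """Return (name, net benefit, justified?) for each candidate, best first."""
    rows = []
    for sg in candidates:
        net = net_benefit(baseline, sg)
        rows.append((sg.name, net, net > 0))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Case-study inputs from the post: AV = 100,000,000 USD, EF = 15%, ARO = 1 in 5 years.
DATA_CENTER_FLOOD = Exposure(asset_value=100_000_000, exposure_factor=0.15, aro=1 / 5)

# Hypothetical safeguards, constructed for this example (not from the post).
CANDIDATES = [
    # Flood barriers: floods are just as frequent, but far less of the DC is lost.
    Safeguard("Flood barriers + raised floor", annual_cost=500_000,
              residual_ef=0.03, residual_aro=1 / 5),
    # Relocating out of the flood plain: floods become rare, but it is expensive.
    Safeguard("Relocate to higher ground", annual_cost=4_000_000,
              residual_ef=0.15, residual_aro=1 / 50),
]

if __name__ == "__main__":
    print(f"SLE = {DATA_CENTER_FLOOD.sle():,.0f} USD, "
          f"ALE1 = {DATA_CENTER_FLOOD.ale():,.0f} USD")
    for name, net, justified in rank_safeguards(DATA_CENTER_FLOOD, CANDIDATES):
        verdict = "justified" if justified else "not justified"
        print(f"{name:32s} net benefit {net:>14,.0f} USD -> {verdict}")
```

Run as a script it reproduces the 15,000,000 USD SLE and 3,000,000 USD ALE from the case study, then shows why the cheaper barrier option (ALE2 = 600,000 USD, net benefit 1,900,000 USD) is justified while the relocation (ALE2 = 300,000 USD but ACS = 4,000,000 USD) is not, even though it reduces the residual loss further: the decision is driven by ALE1 - ALE2 - ACS, not by the residual ALE alone.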
Some other examples are summarised in the table below.
Risk analysis is the process of studying in detail the risks to which the organisation’s assets are susceptible because of the previously identified vulnerabilities. Please take a look at the mindmap below for the complete risk assessment/analysis process.
In the next blog we will understand the quantitative and qualitative risk analysis approaches in detail.
Please note: steps 1 to 6 in the mindmap list the risk assessment/analysis process.
This is one of the most important topics in the CISSP exam, and I would say risk management is something we all actually do in our day-to-day tasks. Hence, for every security professional this is a must-know topic.
So before we get into the details of risk management, let’s understand the questions below.
What is Risk Management? – The process of identifying, assessing and analysing risk, and then treating it by mitigating, transferring, avoiding or accepting it.
Why is Risk Management required? – If an organisation is negligent in risk management, its assets can be compromised.
How to do Risk Management? – We will discuss this in detail.
When to do Risk Management? – It must be performed at least annually, and again whenever there are significant changes in your environment, e.g. an acquisition or merger, expanding a facility or moving into a new facility.
Before we begin to understand “Risk Management”, let’s take some time to understand “Risk Terminology”.
Asset: Anything which needs to be protected.
Asset Valuation: Assigning a monetary ($$) value to an asset.
Threat: Anything that could create an unwanted outcome for an organisation, or for all or part of an asset.
Vulnerability: A weakness in an asset, or the absence of a safeguard or countermeasure.
Threat Agent: The entity that carries out the attack. It could be a person, a program, hardware or a system.
Threat Event: An accidental or intentional exploitation of a vulnerability. Threat events can be man-made or natural, such as fire, earthquake or flood.
Exposure: Being susceptible to asset loss because a vulnerability exists.
Risk: The likelihood that a threat will exploit a vulnerability, combined with the impact if it does.
Controls: Safeguards or countermeasures put in place to reduce risk.
Attack: The exploitation of a vulnerability by a threat agent.
Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
The diagram below illustrates the connected and complete picture.
Refer to the mindmap below for a summary of risk terminology.
So, “what is an asset”? We can say that an asset for an enterprise is anything which needs to be protected. It could be a business process or a task. Refer to the mind map below for the complete details, categorisation and examples.