Cybersecurity Skills: Quantitative Risk Management

00:00

[Music]

00:01

okay so that's that's kind of how

00:04

lawyers thinking about tort law after if

00:08

you're using something like the hand

00:09

balancing test would think about doing

00:12

some kind of really back of the envelope

00:15

very rough risk management calculation

00:19

how do professional risk managers do it

00:23

well they doing a whole variety of ways

00:25

most of which are going to be more

00:27

sophisticated than what I'm going to

00:29

show you right now but I'm going to show

00:30

you right now is kind of a recognized

00:33

basic way of doing risk management

00:38

calculations quantitative calculations

00:42

that go a bit beyond the learn at hand

00:44

formula so here is the formula that I'm

00:48

putting up on the screen for you and

00:50

here's what it means a le is annual loss

00:54

expectancy the annual loss expectancy in

00:58

other words what how much are you

01:00

expecting the loss to be in any given

01:03

year will be equal to the single loss

01:07

expectancy what do you expect a loss to

01:10

be for any single event times arrow the

01:14

annual rate of occurrence how often do

01:17

you expect this loss to occur in a given

01:20

year

01:22

so you know these are some nice kind of

01:25

cool management teas sounding formula

01:29

again if you look at it it kind of

01:30

breaks down it makes it really makes

01:32

sense right

01:33

what's gonna cost you for a whole year

01:35

don't get caught up right now and

01:37

whether it's a calendar year or a fiscal

01:38

year it doesn't really matter for this

01:40

purpose right what's gonna cause for a

01:42

whole year well what is he what does any

01:45

one incident cost and maybe I'll be able

01:46

to quantify that and how many times do I

01:49

expect the incident to occur in a year

01:50

maybe I'll be able to quantify that

01:56

[Music]

01:58

okay

02:02

so how do we figure out how do we

02:06

quantify what the single loss expectancy

02:09

is well we really have to know what the

02:15

value is of the asset that's at risk now

02:21

that you know should be relatively

02:22

self-explanatory I mean if we've got you

02:25

know some customer data that provides

02:30

information that enables us to compete

02:34

in the marketplace and price our product

02:36

to our customer that's going to be an

02:38

asset and then as it's going to have a

02:40

certain value and that value might be

02:42

you know what's the kind of marginal

02:44

benefit having that customer information

02:47

gives us over our competitors in you

02:51

know our pricing in the marketplace even

02:54

more straightforward you might say all

02:56

right we've got you know we're selling a

02:58

commodity we've got barrels of oil right

03:00

those barrels of oil today are worth X

03:03

dollars on the commodity market I mean

03:05

that's a much more straightforward but

03:08

even as my example of the customer data

03:10

suggests it can be really hard to

03:12

calculate this so I mean even though

03:14

this sounds kind of highly quantitative

03:18

you know asset values can be hard to

03:22

calculate and figure out especially when

03:23

we're talking about data so even when

03:26

you're doing this on a quantitative

03:27

basis you're going to sort of often have

03:29

to sort of do your best estimates and

03:31

there are best practices and you know

03:33

people that do this for a living will

03:35

know kind of the best accounting

03:37

practices and so on for doing that all

03:40

right the EF in this calculation is

03:43

what's called exposure factor the

03:47

exposure factor is the percentage of the

03:50

asset value that will be lost if the

03:53

risk is realized and that of course is

03:56

going to range from zero to a hundred

03:59

percent so I mean it could be that the

04:01

risk happens and it really doesn't have

04:03

any impact on the asset at all asset

04:05

value at all and then it's zero right it

04:08

could be that the risk happens and the

04:09

asset is completely destroyed right so

04:12

let's think about our barrels of oil the

04:15

risk is that there's a

04:16

major fire and explosion at the plant

04:18

where the at the facility where the oil

04:20

is being stored if there's a major fire

04:24

the all the oil will be burned up and

04:27

destroyed exposure factors 100% now more

04:31

likely more likely what we're thinking

04:33

about you know a risk we're thinking

04:35

about is not a major fire that destroys

04:37

the whole facility but a fire that

04:39

eventually gets contained and that let's

04:42

say destroys 50% of the facility and 50%

04:47

of our barrels of oil right so then our

04:49

exposure factor would be 50% we'd

04:52

multiply the value of the oil let's say

04:55

the boils worth a million dollars our

04:57

exposure factors the risk we're facing

05:00

is a fire that would destroy half of our

05:02

barrels of oil so then you know our SLE

05:06

is going to be $500,000

05:11

all right the other piece in this

05:14

calculation is the annual rate of

05:16

occurrence what is the annual rate of

05:19

occurrence it's going to be some kind of

05:21

multiplier so example if it's going to

05:27

likely happen one the risk is likely to

05:30

be realized once a year our multiplier

05:33

is one if our risk is likely to be

05:36

realized twice a year it's two and so on

05:40

right if the risk is likely to be

05:42

realized every other year well then it's

05:45

one half each each given year so it's

05:48

point five right if it's likely to be

05:51

realized once every 25 years 0.04 right

05:56

you can see how this math works out and

05:58

you really if you're trying to do this

06:00

kind of thing in a basic risk management

06:03

setting it doesn't have to get very much

06:04

more granular than this again you're

06:06

it's quantitative but it's pretty rare

06:11

that you're gonna have the kind of

06:12

granular level data that are gonna allow

06:15

you to predict this is gonna happen you

06:17

know 13 times this year it's just that's

06:20

highly unlikely you're probably gonna

06:22

have to round off you know 1 5 10 to

06:26

every other year every five years every

06:28

10 years

06:29

and and that'll give you kind of rounder

06:32

numbers okay so let's work through a a

06:39

specific example with these figures so

06:44

this is a you know very unrealistic

06:45

example but it's kind of straightforward

06:47

so it shows you how you would work this

06:49

out so let's say we have a building

06:51

that's valued at $100,000 let's say a

06:54

fire would damage the building to be

06:58

damaged twenty-five percent of the

06:59

building and let's say that we have some

07:02

insurance data underwriting data that

07:04

suggests a fire of this sort is likely

07:06

to occur once every ten years so what we

07:10

have here we'd have our single loss

07:12

expectancy our asset value is a hundred

07:14

thousand our exposure factor is twenty

07:17

five percent that would damage twenty

07:19

five percent of the building and so our

07:21

SLE is twenty five thousand dollars then

07:25

we factor our a le right we have our

07:28

sles twenty five thousand dollars our

07:32

aro annual rate of occurrence is going

07:35

to be point one because it's 1/10 once

07:38

every ten years and so therefore we're

07:42

going to have a le of two thousand five

07:45

hundred dollars okay so what does that

07:48

mean if we have an a le of two thousand

07:51

five hundred dollars I mean you could

07:53

say all right that means I should spend

07:55

about two thousand five hundred dollars

07:58

on fire suppression technology that's to

08:02

$2,500 is the a le that means in any

08:05

given year that's my sort of it's

08:09

possible exposure and so if I'm spending

08:12

twenty five hundred dollars a year on

08:14

that technology then you know over the

08:15

course of ten years

08:16

I'll have spent the total amount of the

08:19

potential loss and I'll have evened out

08:21

my risk so you could say that and that

08:24

is you know what this kind of

08:26

quantitative calculation in a sense is

08:28

designed to do

08:29

it's designed to tell you how much you

08:32

should spend on mitigation on risk

08:35

management but you do have to realize

08:37

that this whole thing is not

08:41

usually going to be precise it's usually

08:43

going to be unrealistic so think for

08:46

example about the asset value we're at

08:50

our asset value of the building hundred

08:52

thousand dollars if I sold this building

08:53

tomorrow I could sell it for a hundred

08:55

thousand dollars okay but if there's a

08:58

fire you know I may loot there may be

09:03

employees who are injured or killed how

09:05

am I going to value that you know if you

09:08

have to put money value on that you you

09:09

sort of can I mean there are actuarial

09:11

ways of doing that and then of course

09:14

there's value on that that goes way

09:16

beyond money right so we say 25 percent

09:19

of the building but you know are

09:21

different parts of the building

09:22

potentially more valuable than others I

09:24

mean are there is there a manufacturing

09:26

equipment that's really expensive to

09:28

replace as opposed to a warehousing area

09:32

with goods that I would lose that are

09:34

easier to replace what about opportunity

09:38

costs what about downtime I mean if the

09:41

production equipment is destroyed if

09:44

that portion of the building is

09:45

destroyed does that mean that I'm out of

09:47

business for you know a period of time

09:48

all those things if you really really

09:51

wanted to dig into the granular level

09:53

you'd have to include in your

09:56

spreadsheet now there are people that do

09:59

this kind of thing right that really

10:00

crunch these kind of numbers and that

10:02

try to do this and they're even at

10:04

higher levels there are ways of using

10:05

big data to try and do this and but

10:09

that's not what we're trying to do for

10:11

our purpose right now in this course or

10:15

to introduce these general principles

10:16

and it's not necessarily what you need

10:18

to do you know kind of at the level of

10:21

being a general counsel or an outside

10:23

counsel in a business talking about

10:26

cybersecurity and kind of introducing

10:28

some of these principles you're trying

10:29

to begin to get the general sense so at

10:34

least you can put some numbers on things

10:43

you