Risk Analysis - CompTIA Security+ SY0-701 - 5.2

00:01

Determining levels of risk can vary widely

00:04

on how many different variables are involved.

00:07

One way to evaluate risk may be to create a qualitative risk

00:12

assessment.

00:13

This type of evaluation will look at individual risk factors

00:16

and the different criteria for each one of those factors.

00:20

You can often display a qualitative risk assessment

00:23

in very broad terms.

00:25

In our particular case, we're going to use a traffic light

00:28

grid to show a low, medium, or high risk in each

00:31

of these categories.

00:33

We'll start with legacy Windows clients.

00:35

We may perform an assessment in our organization

00:38

and find that we have a medium-level impact

00:41

for that particular risk factor.

00:43

Our annualized rate of occurrence we'll

00:45

mark in red to signify a high value.

00:48

In this case, we may have a large number of legacy Windows

00:51

clients that need to be updated.

00:53

The cost of these controls would be

00:55

marked as a medium and overall risk

00:57

we can then set to be in the high level with the red marker.

01:01

We can perform additional qualitative analysis

01:04

on these other risk factors, such as untrained staff.

01:08

Maybe this has a very low impact,

01:10

has a medium-level annualized rate of occurrence,

01:13

a low cost of controls, which puts our overall risk somewhere

01:17

in the medium level.

01:18

And in our organization, we might

01:20

have cases where we have devices that have

01:22

no antivirus software running.

01:24

This may have a medium impact, have a large annualized

01:28

rate of occurrence, a medium cost of controls,

01:31

and we might set an overall risk value to be very high.

01:36

This process of setting qualitative analysis

01:38

can be done on any risk factor, across many different

01:41

categories, and it's designed to give us

01:43

a high-level view of where we might focus our efforts

01:46

to resolve these problems.

01:49

There may be certain risks where we can calculate

01:51

a specific value, we refer to these as a quantitative risk

01:55

assessment.

01:56

This might start with an ARO.

01:58

That stands for an Annualized Rate of Occurrence.

02:01

This allows us to determine how often this risk will

02:04

occur in a single year.

02:06

So for example, an annualized rate

02:08

of occurrence that a hurricane will hit

02:10

will probably be lower in Montana than it is in Florida.

02:14

We might also want to assign an Asset

02:17

Value to that risk, or AV.

02:19

The asset value is the value of that asset to the organization.

02:24

That doesn't necessarily mean it's

02:26

the replacement cost, because that asset value could include

02:29

the effect on company sales, any fines

02:32

that you might receive when that particular risk is realized,

02:35

and any other costs.

02:37

And another important value is the exposure factor.

02:40

The Exposure Factor is abbreviated with EF.

02:43

This is the percentage of the value that was lost

02:46

due to that particular risk.

02:48

So if we lose a quarter of that particular asset

02:52

the exposure factor is 0.25.

02:54

If we lose the entire asset, then the exposure factor

02:58

is 1.0.

03:00

Now, we can start calculating a quantitative risk assessment

03:03

based on some of those variables.

03:05

We'll start with the SLE, or Single-Loss Expectancy, which

03:09

is the monetary loss we receive if one single event occurs.

03:14

You can calculate this by taking the Asset Value, or AV,

03:18

and multiplying it by the Exposure Factor, or EF.

03:21

Let's take the example of laptops that are stolen.

03:24

If we have a laptop stolen, the rough asset value

03:28

is around $1,000, and since the entire asset is now missing,

03:33

the exposure factor is a full 1.0.

03:36

If we multiply that $1,000 value times the 1.0 exposure factor,

03:41

we have a single loss expectancy of $1,000.

03:45

In our organization, we can estimate

03:48

that there will be a number of laptops

03:50

stolen in a single year.

03:52

So to calculate the ALE, or Annualized Loss Expectancy,

03:56

we would multiply the Annualized Rate Of occurrence, ARO,

04:00

times the SLE, or Single-Loss Expectancy.

04:04

So if we expect there will be seven laptops stolen in a year,

04:07

that annualized rate of occurrence is 7,

04:10

and we multiply that times the single-loss expectancy

04:13

of $1,000, we have a total annualized loss

04:16

expectancy of $7,000.

04:19

Obviously, this calculation takes into account

04:22

the financial cost of this particular risk,

04:25

but there may be other risks associated with this.

04:28

For example, the data that's on those laptops

04:30

may be more valuable than the laptop itself.

04:34

That's why we have both a quantitative risk

04:36

assessment and a qualitative risk assessment

04:39

that we can evaluate.

04:41

We take into a number of different impacts

04:43

of events that may occur in our risk calculations.

04:47

The most important of these would be life.

04:49

We want to be sure that everyone in the organization is safe.

04:53

We can replace assets, but we can't replace people,

04:56

so we usually put life at the very top of our concerns.

05:00

We then also have to consider the impact to the property.

05:03

This would be the buildings and the resources

05:05

that we would commonly use in our organization.

05:08

We should also consider the impact of safety.

05:11

If there's a risky event, what type of safety impact

05:15

is this to the individuals and the company itself?

05:18

There's also, of course, a financial impact.

05:20

We discussed some of that with our quantitative analysis.

05:23

You've probably seen already that our risk calculations

05:26

tend to take into account likelihood and probability.

05:30

The likelihood of a risk is a qualitative value.

05:33

So we might consider a risk to be rare, possible, almost

05:37

certain, or some other type of qualitative measurement.

05:41

Risk probability tends to be a quantitative number.

05:44

So we can associate a statistic or a measurement

05:47

to that specific risk.

05:49

We can often base this on historical performance

05:52

and, in some cases, the performance

05:53

that we might expect into the future.

05:56

We will often use these two terms interchangeably,

05:59

and sometimes, we might even calculate a risk probability

06:02

and then associate a likelihood based on that value.

06:06

Not all risk requires an organization to act.

06:10

There may be a certain amount of risk

06:11

that the organization is willing to take.

06:14

We refer to that value as a risk appetite.

06:17

Some organizations will set a qualitative value

06:20

on this appetite.

06:21

We refer to this as a risk appetite posture.

06:24

So they might look at a particular risk

06:26

and say that they are conservative or neutral or

06:29

expansionary to that particular risk type.

06:32

Another important value to consider is the risk tolerance.

06:35

This is often a larger variance than the risk appetite.

06:39

So we might have a risk appetite that is relatively low,

06:43

and our risk tolerance might be just

06:45

above that particular appetite value.

06:47

Here's a practical example that differentiates between a risk

06:50

appetite and a risk tolerance.

06:53

If you're driving on the roads, there

06:54

is a speed limit for the highway.

06:56

Your speed limit might be 55 miles an hour.

06:58

That value has been set by the government,

07:01

and they know that is the acceptable balance

07:03

between safety and convenience.

07:06

That means that you are not allowed

07:08

to go over 55 miles an hour, and if you do,

07:11

you're violating the law.

07:13

So if we're driving on the highway,

07:15

and we exceed the speed limit, we could be ticketed.

07:18

In practical terms, however, we don't

07:20

tend to be ticketed until we go well above the speed limit

07:24

values.

07:25

This means, if we're not being ticketed,

07:27

and we're going over the speed limit,

07:29

that our law enforcement has a higher risk tolerance than they

07:32

have a risk appetite.

07:34

This risk tolerance might also change

07:37

depending on the situation.

07:38

If there's very bad weather, there

07:40

may be a need to keep the speeds lower on the highway,

07:43

and the risk tolerance of law enforcement

07:45

may have a much lower speed limit in mind.

07:49

It's not unusual for a project in an organization

07:52

to have a list of the risks associated with implementing

07:55

that particular project.

07:57

This is usually documented in a risk register,

08:00

and each individual risk is detailed

08:03

so that everyone understands the risks associated

08:06

with that project.

08:07

The goal of the risk register is to document

08:09

each of those individual risks, and if possible, provide

08:13

some options or solutions to avoid that risk.

08:16

Each line in the risk register will contain a key risk

08:20

indicator that details what those risks could be.

08:23

For example, in this project, the project purpose and need

08:26

is not well defined, the project design and deliverable

08:29

definition is incomplete, and the project schedule is not

08:32

clearly defined or understood.

08:34

Each one of those would be a key risk indicator.

08:37

For each of those key risk indicators

08:40

we need to assign an owner who will manage or be

08:43

responsible for that particular risk,

08:45

and then we need to determine what the risk threshold will

08:48

be for this project.

08:50

We need to spend time and money to be

08:52

able to resolve that particular risk,

08:54

and we need to make sure that there

08:56

is a balance between how much money we'll spend on the risk

08:59

and how much that risk would end up costing the company.