5.3 Explain risk management processes and concepts. Flashcards
Threat Assessment
Threat assessment is actually part of risk assessment, where you identify the different threats to an asset. As mentioned, you will have many different threats for a single asset, and part of risk assessment is to prioritize those threats.
Threat Assessment - Environmental
An environmental threat results from the environment, or location, in which your business operates. Environmental threats include, among others, floods, tsunamis, earthquakes, volcanic eruptions, tornados, blizzards, lightning storms, and hurricanes.
Threat Assessment - Manmade
A manmade threat is a threat that does not exist naturally but is a result of human actions, whether intentional or unintentional. Examples of manmade threats would be a virus, fire, theft, vandalism, or sabotage.
Threat Assessment - Internal vs. External
It is important to note that threats can be either internal or external. An internal threat comes from someone inside the organization. This could be a threat such as a disgruntled employee intentionally deleting customer data, or an employee accidentally deleting a file. You need to protect from both types of threats. An external threat comes from outside the organization and could be, for example, someone on the Internet trying to hack into your mail server or your web site.
Risk Assessment
A risk assessment is a popular type of assessment used by many aspects of security, such as business continuity planning. Risk assessment is also known as risk analysis and deals with identifying the risks to assets within the organization and then finding solutions to minimize those risks.
Risk Assessment - SLE
Single loss expectancy (SLE) is a dollar figure representing how much money the company will lose each time the threat occurs. The following is the formula for single loss expectancy:
SLE = Asset Value ($) × EF (%)
For example, let’s say that you decide the e-commerce web site has a value of $200,000, and each time the web server has a hard drive failure, you lose 8 percent of the asset value. This means that your single loss expectancy is $200,000 × .08, which is $16,000. Therefore, every time the hard drive fails in the server, your business loses $16,000!
Risk Assessment - ALE
Once you have calculated the single loss expectancy, you can work on calculating the annual loss expectancy (ALE), which is a calculation of how much money you will lose per year with each of the threats. The formula to calculate the annual loss expectancy is to take the single loss expectancy and multiply it by the annual rate of occurrence (ARO). The annual rate of occurrence is how many times a year you expect the threat to occur.
ALE = SLE × ARO
For example, you may expect a threat to occur three times a year or to occur once every five years. The following example calculates the ALE for our hard drive failure threat if it were to occur three times a year:
ALE = $16,000 × 3
This means that the ALE based on the hard drive failing three times a year would cost the company $48,000. You need to make sure that the solution you implement to protect from hard drive failure does not cost more than $48,000 a year.
Risk Assessment - ARO
The annual rate of occurrence is how many times a year you expect the threat to occur.
Risk Assessment - Asset Value
Bonus: Exposure Factor (EF)
The asset value identifies the worth of the asset to the organization. It can be a specific monetary value or subjective value, such as Low, Medium, and High. The asset value helps an organization focus on the high-value assets and avoid wasting time on low-value assets.
One of the ways to assess the value of the asset is to determine, e.g., that your e-commerce web site brings in thousands of dollars a day of revenue; this will help you calculate the value of the asset.
Once you know the value of the asset, you then must determine the impact that each threat to the asset would have. With quantitative analysis, the impact is specified as an exposure factor (EF)—which is the percentage of the asset’s value you expect to lose if the threat occurs.
Risk Assessment - Risk Register
A risk register is a tool that is used to record a description of the different threats, along with their impact and probability. The tool could be something as simple as a spreadsheet listing the details of the risk along with the impact and probability, or it could be a third-party software application. The risk register typically records the category the risk applies to, a description of the threat, the impact (maybe a number from 1 to 5), the probability (again, maybe a number from 1 to 5), the risk score (impact multiplied by probability), and the mitigation steps. The risk score helps you prioritize the threats.
Risk Assessment - Likelihood of Occurrence
Once you have identified all of the threats that could occur against each asset, you must prioritize the threats based on their impact and probability of occurring (also known as the likelihood of occurrence) so that you can deal with the more serious threats first.
Risk Assessment - Supply Chain Assessment
Supply chain encompasses the resources and processes that are needed to get a company’s product or service from its parts suppliers, through manufacturing, to its customer’s doorstep. Numerous components are involved in the supply chain, from obtaining the raw materials, to the manufacturing process, to the personnel to package and deliver the product. Supply chain assessment involves identifying any risks within this supply chain and mitigating those risks. For example, the assessment might evaluate what to do if there is a shortage of raw materials or if there is a fire at the manufacturing plant. All such threats could present a risk to your business.
Risk Assessment - Impact
The goal of impact analysis is to identify what the result of the threat occurring would be on the business. For example, if the company’s e-commerce web site has a denial of service attack performed against it, then the impact is that the server could be down for days, resulting in lost revenue.
Risk Assessment - Quantitative
Quantitative is associating a cost in dollars and cents with each risk. With quantitative analysis, the resulting cost of the threat helps determine how much you should invest in a security solution to protect the asset.
Risk Assessment - Qualitative
Qualitative analysis is assigning a value based on a scale to the threat and not worrying about calculating the dollar figure associated with the risk.
Qualitative risk analysis has the benefit of being a very quick assessment type because you are not bogged down with figuring out financial figures—you are simply applying values based on a scale you create.
The formula is that risk is equal to the probability multiplied by the loss (also known as the impact):
Risk = Probability × Loss