Risk Management Flashcards
Risk
Risk = Threat x Vulnerability
Risk Assessment.
Quantitative and Qualitative Risk Analysis.
• Uncertainty analysis.
• Everything is done using cost-benefit analysis.
• Risk Mitigation/Risk Transference/Risk Acceptance/Risk Avoidance.
• Risk Rejection is NEVER acceptable.
• We assess the current countermeasures.
• Are they good enough?
• Do we need to improve on them?
• Do we need to implement entirely new countermeasures?
Qualitative Risk Analysis
How likely is it to happen and how bad is it if it happens?
Think “quality.” This concept is semi-vague, e.g., “pretty good quality.”
Quantitative Risk Analysis
What will it actually cost us in $? This is fact-based analysis: the total $ value of the asset; math is involved.
Think “quantity.” How many; a specific number.
Threat
A potentially harmful incident (Tsunami, Earthquake, Virus, … )
Vulnerability
A weakness that can allow the threat to do harm, e.g., having a data center in the tsunami flood area, a building that is not earthquake resistant, not applying patches and anti-virus, …
Impact
Can at times be added to give a fuller picture. Risk = Threat x Vulnerability x Impact (How bad is it?).
Total Risk
Threat x Vulnerability x Asset Value.
Residual Risk
Total Risk – Countermeasures
PII/PHI
PII (Personally Identifiable Information) and PHI (Protected Health Information); both must be handled securely.
Asset Value (AV)
How much is the asset worth?
Exposure factor (EF)
Percentage of Asset lost?
Single Loss Expectancy (SLE)
(AV x EF) – What does it cost if it happens once?
Annual Rate of Occurrence (ARO)
How often will this happen each year?
Annualized Loss Expectancy (ALE)
This is what it costs per year if we do nothing.