Risk is related to vulnerabilities, which threaten the confidentiality (C), integrity (I), and availability (A) of assets. This is described as the CIA Triad.
Quantitative Analysis

Quantitative analysis is about assigning monetary values to risk components. Let’s analyze the example of a hard drive failure to better understand how it works.
The asset is data. The value of the asset (AV) is assessed first, for example $100,000.

Cost/Benefit Analysis

Let’s continue the example from the previous section. The annualized loss expectancy (ALE) is $15,000. This means that the potential loss is $15,000 in one year when the data is lost as a result of the hard drive failure. A countermeasure can be used to reduce the potential loss; this happens when management decides to reduce the risk. This countermeasure should not cost more than $15,000 per year. Otherwise it wouldn’t be logical from a business point of view (we don’t want to spend more money than we can potentially lose). This is basically how cost/benefit analysis works.

Risk Handling

Risk can be handled in the following ways:
Countermeasures

Let’s discuss the types of countermeasures (also called controls) that are implemented in the case of risk reduction. There are three types of countermeasures:
Countermeasures are implemented to reduce the risk. We talk about total risk when no countermeasure is implemented. Let’s assume now that the countermeasure is implemented. Perfect security doesn’t exist, so some risk is left. This is the residual risk.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost/benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending $10,000 per year on a security measure which will eliminate it. One thing to remember when using the ALE value is that, when the Annualized Rate of Occurrence is of the order of one loss per year, there can be considerable variance in the actual loss. For example, suppose the ARO is 0.5 and the SLE is $10,000. The Annualized Loss Expectancy is then $5,000, a figure we may be comfortable with. Using the Poisson distribution we can calculate the probability of a specific number of losses occurring in a given year:

Number of Losses in Year   Probability   Annual Loss
0                          0.6065        $0
1                          0.3033        $10,000
2                          0.0758        $20,000
≥3                         0.0144        ≥$30,000

We can see from this table that the probability of a loss of $20,000 is 0.0758, and that the probability of losses being $30,000 or more is approximately 0.0144. Depending upon our tolerance to risk and our organization's ability to withstand higher-value losses, we may consider that a security measure which costs $10,000 per year to implement is worthwhile, even though it is more than the expected losses due to the threat.

Which type of risk analysis computes an annual loss expectancy?

Quantitative risk analysis is an objective approach that uses hard numbers to assess the likelihood and impact of risks. The process involves calculating metrics, such as annual loss expectancy, to help you determine whether a given risk mitigation effort is worth the investment.
What are the factors we use to calculate annual loss expectancy?

The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the exposure factor (EF) times the annualized rate of occurrence (ARO). Since the single loss expectancy is SLE = AV x EF, this is the longer form of the formula ALE = SLE x ARO.
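The ALE formula and the Poisson loss table from the section above, worked through in Python as an added example (not code from the original page). The figures used are the page's own (SLE $10,000, ARO 0.5), and the cost/benefit rule is the simple one the page states: do not spend more per year on a countermeasure than the ALE.

```python
import math


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the monetary loss from a single occurrence."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, i.e. AV x EF x ARO in the longer form."""
    return sle * aro


def poisson_pmf(k, rate):
    """Probability of exactly k events in a year when the mean yearly count is `rate`."""
    return math.exp(-rate) * rate ** k / math.factorial(k)


def annual_loss_table(sle, aro, tail_from=3):
    """Rows of (number of losses, probability, annual loss).
    Loss counts are modelled as Poisson with mean ARO; the final row lumps
    together tail_from or more losses, as the page's table does with '>=3'."""
    rows, covered = [], 0.0
    for k in range(tail_from):
        p = poisson_pmf(k, aro)
        covered += p
        rows.append((str(k), p, k * sle))
    rows.append((f">={tail_from}", 1.0 - covered, tail_from * sle))
    return rows


def probability_loss_at_least(threshold, sle, aro):
    """P(annual loss >= threshold): at least ceil(threshold / SLE) occurrences."""
    needed = math.ceil(threshold / sle)
    return 1.0 - sum(poisson_pmf(k, aro) for k in range(needed))


def countermeasure_justified(ale, annual_cost):
    """Cost/benefit rule from the page: the yearly cost must not exceed the ALE."""
    return annual_cost <= ale


if __name__ == "__main__":
    # Constructed inputs matching the page's worked example.
    sle, aro = 10_000, 0.5
    ale = annualized_loss_expectancy(sle, aro)
    print(f"ALE = ${ale:,.0f}")
    for label, p, loss in annual_loss_table(sle, aro):
        print(f"{label:>3} losses  p={p:.4f}  annual loss=${loss:,}")
    print("P(loss >= $30,000) =", round(probability_loss_at_least(30_000, sle, aro), 4))
    print("$10,000/yr measure justified by ALE alone:", countermeasure_justified(ale, 10_000))
```

The tail probability is the number a risk owner weighs against the plain ALE rule when deciding whether a measure costing more than the ALE is still worth buying.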
What are the 3 types of analyzing risk?

Types of risk analysis included in quantitative risk analysis are business impact analysis (BIA), failure mode and effects analysis (FMEA), and risk benefit analysis.
Which method is used for risk analysis?

There are two main types of risk analysis: qualitative and quantitative risk analysis. Let's learn about these two approaches.