All information technology systems have risk, which in turn creates a responsibility for upper management to mitigate that risk. The process that we must exercise is called due care. Due care is using reasonable care to protect the interests of an organization. To exercise due care, an organization must complete an accurate and detailed risk assessment and analysis report. This report is typically completed by security professionals or an evaluation team, but all risk assessments, results, decisions, and outcomes must be understood and approved by upper management.
An organization that has zero risk does not exist. Zero risk only exists if no service or infrastructure is being provided. In other words, if your organization has any form of functionality, there is risk.
It is the responsibility of upper management to decide which risks are acceptable and which are not. Risk assessment and analysis is not all about being 100% secure – 100% of the time. It’s not even about preventing attacks. It’s not about never being breached. It’s all about visibility.
Organizations should have 100% visibility of all that is going on in their information systems to have timely detection.
The first step an organization should take is to identify all threats that exist to the organization and their related risks. There are two main risk assessment methodologies:
- Quantitative (assigns real dollar figures to the loss of an asset)
- Qualitative (assigns subjective and intangible values to the loss of an asset)
Quantitative Risk Analysis
The quantitative method results in concrete probability percentages. Essentially, this means that the final report will include dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.
Six Steps for Quantitative Risk Analysis
- Inventory assets and assign them a monetary value.
-> Terminology used: Asset Value (AV)
- Research each asset and produce a list of all possible threats to each individual asset. For each threat, calculate the Exposure Factor and Single Loss Expectancy.
-> Terminology used: Exposure Factor (EF) and Single Loss Expectancy (SLE)
- Perform a threat analysis to calculate the likelihood of each threat being realized within a single year.
-> Terminology used: Annualized Rate of Occurrence (ARO)
- Derive the overall loss potential per threat by calculating the changes to Annualized Loss Expectancy.
-> Terminology Used: Annualized Loss Expectancy (ALE)
- Research countermeasures for each threat, and then calculate the changes to the Annualized Rate of Occurrence (ARO) and Annualized Loss Expectancy (ALE) based on an applied countermeasure.
- Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
There are many acronyms used when dealing with risk assessment and analysis. DO NOT let them overwhelm you; we will break down what each one means to make them easier to understand. A simple way to remember them is to know that they are used in chronological order when conducting a risk assessment/analysis report.
(1) Assign Asset Value (AV) ->
(2) Calculate Exposure Factor (EF) ->
(3) Calculate Single Loss Expectancy (SLE) ->
(4) Assess the Annualized Rate of Occurrence (ARO) ->
(5) Derive the Annualized Loss Expectancy (ALE) ->
(6) Perform cost/benefit analysis of countermeasures
Asset Value (AV):
Asset valuation is a monetary value assigned to an asset that is based on actual cost and non-monetary expenses. These can include the costs to develop, maintain, administer, support, repair, etc.
Exposure Factor (EF):
The Exposure Factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. EF is expressed as just a percentage.
For example, the Exposure Factor percentage would be low if a receptionist's computer was damaged by water, since that computer can be readily replaced with a new one. On the other hand, the Exposure Factor percentage would be much higher if irreplaceable assets, such as a company's proprietary designs, are stolen.
Single Loss Expectancy (SLE):
The Single Loss Expectancy indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring. In order to calculate the Single Loss Expectancy, the Exposure Factor (EF) and Asset Value (AV) are needed for that asset.
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
SLE = AV * EF
A manufacturing company has one metal 3D printer they use to create brackets for their cabinet products. That metal 3D printer has an asset value of $100,000. The Exposure Factor (EF) of the 3D printer would be relatively high in this case since the company needs the brackets for final assembly of the cabinets. Although it wouldn’t completely stop operations, it would stop final assembly if the 3D printer happened to break. In this case, we could classify the 3D printer with a high Exposure Factor (EF) of 80%.
SLE = AV * EF
SLE = $100,000 * .80
$80,000 would be the Single Loss Expectancy of the 3D printer.
Annualized Rate of Occurrence (ARO):
The Annualized Rate of Occurrence (ARO) is the expected frequency with which a specific threat or risk will occur within a single year. This number can range from zero (0), which means the threat will never occur, to a large number, meaning that the threat is very likely.
To calculate the ARO, organizations typically fall back on historical data to come up with an educated guess. If no historical data can be found, organizations can fall back on statistical analysis of the specific threat. For example, the Annualized Rate of Occurrence of an earthquake in California can be labeled as .05 for the ARO.
Annualized Loss Expectancy (ALE):
The Annualized Loss Expectancy is the possible yearly costs associated with threats against assets.
ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
ALE = SLE * ARO
Calculating specific numbers for each individual asset in an organization can be very time consuming. Fortunately, there is specialized software available that can simplify and automate most of the work.
Quantitative Risk Analysis Formulas:
| Concept | Formula or unit |
|---|---|
| Exposure Factor (EF) | % |
| Asset Value (AV) | $ |
| Single Loss Expectancy (SLE) | SLE = AV * EF |
| Annualized Rate of Occurrence (ARO) | # / year |
| Annualized Loss Expectancy (ALE) | ALE = SLE * ARO |
| Annual Cost of Safeguard (ACS) | $ / year |
| Value or benefit of safeguard | (ALE1 – ALE2) – ACS |
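The six steps and the formula table above, carried through end to end as an added example (not part of the original article): it computes SLE and ALE per threat, scores each candidate safeguard with (ALE1 – ALE2) – ACS, where ALE1 is the ALE before and ALE2 the ALE after the safeguard, and accepts the risk when no safeguard pays for itself. Only the $100,000 asset value, the 80% EF and the .05 earthquake ARO come from the text; the threat and safeguard names and all other figures are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass(frozen=True)
class Threat:
    name: str
    ef: D    # Exposure Factor, fraction of AV lost per occurrence
    aro: D   # Annualized Rate of Occurrence, occurrences per year

@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: D   # EF once the safeguard is in place
    aro_after: D  # ARO once the safeguard is in place
    acs: D        # Annual Cost of Safeguard, $ per year

def sle(av, ef):
    return av * ef                      # SLE = AV * EF

def ale(av, ef, aro):
    return sle(av, ef) * aro            # ALE = SLE * ARO

def safeguard_value(av, threat, sg):
    ale1 = ale(av, threat.ef, threat.aro)        # before the safeguard
    ale2 = ale(av, sg.ef_after, sg.aro_after)    # after the safeguard
    return (ale1 - ale2) - sg.acs

def best_response(av, threat, safeguards):
    """Pick the safeguard with the highest value; accept the risk if none pays for itself."""
    ranked = sorted(safeguards, key=lambda s: safeguard_value(av, threat, s), reverse=True)
    if not ranked or safeguard_value(av, threat, ranked[0]) <= 0:
        return ("accept risk", D(0))
    return (ranked[0].name, safeguard_value(av, threat, ranked[0]))

AV = D("100000")  # the article's 3D printer
# EF 0.80 and earthquake ARO 0.05 come from the article; all other figures are constructed.
FAILURE = Threat("mechanical failure", ef=D("0.80"), aro=D("0.5"))
QUAKE = Threat("earthquake", ef=D("1.0"), aro=D("0.05"))
FAILURE_SAFEGUARDS = [
    Safeguard("maintenance contract", D("0.80"), D("0.1"), D("12000")),
    Safeguard("standby printer", D("0.10"), D("0.5"), D("40000")),
]
QUAKE_SAFEGUARDS = [Safeguard("seismic mounting", D("0.4"), D("0.05"), D("6000"))]

if __name__ == "__main__":
    for threat, options in ((FAILURE, FAILURE_SAFEGUARDS), (QUAKE, QUAKE_SAFEGUARDS)):
        print(threat.name, "ALE1 =", ale(AV, threat.ef, threat.aro),
              "->", best_response(AV, threat, options))
```

Decimal is used instead of float so the dollar figures compare exactly.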
Qualitative Risk Analysis
Unlike quantitative risk analysis, which is based on numerical figures, qualitative risk analysis is more scenario based. The overall goal of qualitative risk analysis is to rank threats on a scale to evaluate their risks, costs, and efforts.
The types of techniques used for qualitative risk analysis will depend on the organization and types of risk and assets involved.
Examples of techniques used to perform qualitative risk analysis include:
- Delphi technique
- Focus groups
- One-on-one meetings
Qualitative vs. Quantitative: Summary
| Characteristic | Qualitative | Quantitative |
|---|---|---|
| Employs complex functions | No | Yes |
| Uses cost/benefit analysis | No | Yes |
| Results in specific values | No | Yes |
| Involves a high volume of information | No | Yes |
| Requires significant time and effort | No | Yes |
| Offers useful and meaningful results | Yes | Yes |
The final results produced from both of these analyses will provide the organization with:
- A complete and detailed valuation of all assets
- List of threats and risks, rate of occurrence, and extent of loss
- List of specific safeguards and countermeasures that identify their effectiveness and ALE
- A cost/benefit analysis of each safeguard
- Detailed information for upper management to make better decisions on whether risks will be: reduced/mitigated, assigned, transferred, accepted, deterred, avoided, rejected, or ignored
Threats and vulnerabilities constantly change, thus risk analysis should be done periodically in order to provide continuous monitoring for improvements within the organization.
There are various risk frameworks that exist today that can help an organization better manage risk. One of the most popular is the Risk Management Framework, also known as RMF.