Risk Analysis - CompTIA Security+ SY0-701 - 5.2

Qualitative Risk Assessment

• Identify significant risk factors

• Ask opinions about the significance

• Display visually with traffic light grid

or similar method

Quantitative Risk Assessment

ARO (Annualized Rate of Occurrence)

- How likely is it that a hurricane will hit? In Montana? In Florida?

Asset Value (AV)

- The value of the asset to the organization

- Includes the cost of the asset, the effect on company sales, potential regulatory fines, etc

Exposure factor (EF)

- The percentage of the value lost due to an incident

- Losing a quarter of the value is .25

- Losing the entire asset is 1.0

SLE (Single Loss Expectancy)

- What is the monetary loss if a single event occurs?

- Asset value (AV) x Exposure factor (EF)

- Laptop stolen = $1000 (AV) x 1.0 (EF) = $1000 (SLE)

ALE (Annualized Loss Expectancy)

- Annualized Rate of Occurence (ARO) x SLE

- Seven laptops stolen a year (ARO) x $1000 (SLE) = $7000

The business impact can be more than monetary

- Quantitative vs qualitative

Impact

Life

- The most important consideration

Property

- The risk to building and assets

Safety

- Some environments are too dangerous to work

Finance

- the resulting financial cost

Likelihood and probability

• Risk likelihood

- A qualitative measurement of risk

- Rare, possible, almost certain, etc.

• Risk probability

- A quantitative measurement of risk

- A statistical measurement

- Can be based on historical performance

• Often considered similar in scope

- Can be used interchangeably in casual

conversation

Risk appetite and tolerance

Risk appetite

-A broad description of risk-taking deemed acceptable

-The amount of accepted risk before taking any action to reduce that risk

Risk appetite posture

-Qualitative description for readiness to take risk

-Conservative, neutral, and expansionary

Risk tolerance

-An acceptable variance (usually larger) from the risk appetite

EX: A highways speed limit

- Government authorities have set the speed limit

- The limit is an acceptable balance between safety and convenience

Risk tolerance

- Drivers will be ticketed when the speed limit is violated

- Ticketing usually occurs well above the posted limit

- This tolerance can change with road conditions, weather, traffic, etc

Risk register

Every project has a plan, but also has risk

- Identify and document the risk associated with each step

- Apply possible solutions to the identified risks

- Monitor the results

Key risk indicators

- Identify risks that could impact the org

Risk owners

- Each indicator is assigned someone to manage the risk

Risk threshold

- The cost of mitigation is at least equal to the value gained by mitigation