types of risk analysis
qualitative: categorical ratings and scales (e.g. low/medium/high for likelihood and impact)
quantitative: numeric values (asset value, probability, expected loss in currency)
risk assessment frequency
how often the risk assessment process is conducted within an organization
4 main types of risk assessment frequencies
ad-hoc
recurring
one-time
continuous
ad-hoc risk assessment
conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks
recurring risk assessment
conducted at regular intervals
annually, quarterly, monthly
ex. pen test
one-time risk assessment
conducted one time for a specific purpose
ex. implementing a new system
one-time vs ad-hoc risk assessment
one-time is tied to a specific project and is not repeated; ad-hoc is triggered by a specific event and may be repeated whenever such an event occurs
continuous risk assessment
ongoing monitoring and evaluation of risks
real time data collection and analysis
business impact analysis (BIA)
evaluating the potential effects of disruption to an organization’s business functions and processes
key metrics in BIA
recovery time objective (RTO)
recovery point objective (RPO)
mean time to repair (MTTR)
mean time between failures (MTBF)
recovery time objective (RTO)
represents the max acceptable length of time that can elapse before the lack of a business function severely impacts the organization
recovery point objective (RPO)
the max acceptable amount of data loss measured in time
can tolerate data loss for x amount of hours, mins,…
mean time to repair (MTTR)
the average time required to repair a failed component or system
mean time between failures (MTBF)
average time between failures of a repairable system (a reliability measure; a higher MTBF means fewer failures)
risk register (risk log)
records identified risks, descriptions, impacts, likelihoods, and mitigation actions
risk tolerance/acceptance
an organization or individual’s willingness to deal with uncertainty in pursuit of their goals
max amount of risk they are willing to accept
risk appetite
willingness to pursue or retain risk
types of risk appetite
expansionary
conservative
neutral
expansionary risk appetite
organization is open to taking more risk in the hope of achieving greater returns
aggressive, growth driven
conservative risk appetite
organization favors less risk, even if it leads to lower returns
stability driven
neutral risk appetite
balance between risk and return
key risk indicators (KRI)
predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise
key components of quantitative risk assessment
single loss expectancy (SLE)
annualized rate of occurrence (ARO)
annualized loss expectancy (ALE)
exposure factor (EF)
exposure factor (EF)
proportion of an asset's value that is lost in a single event
0% (no loss)
100% (total loss)
ex. flood destroys 70% of an asset's value → EF = 70% (0.70)
single loss expectancy (SLE)
monetary value expected to be lost in a single event
SLE = asset value (AV) * EF
annualized rate of occurrence (ARO)
estimated frequency with which a threat is expected to occur within a year
annualized loss expectancy (ALE)
expected annual loss from a risk
ALE = SLE * ARO
primary risk management strategies
transference (sharing): shift risk to another party (e.g. insurance, outsourcing)
acceptance: acknowledge and deal w/ risk if it occurs
avoidance: change plans/strategies to eliminate a specific risk
mitigation: steps to reduce likelihood/impact of risk
contract indemnity clause
transference strategy involving a contract agreement where one party agrees to cover the other’s harm, liability, or loss stemming from the contract
exemption
acceptance strategy that grants an exemption from a specific rule or requirement
exception
acceptance strategy that permits a party to bypass a rule or requirement in certain situations
residual risk
the likelihood and impact of the risk that remains after mitigation, transference, or acceptance measures have been applied to the initial (inherent) risk
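Worked example, added here and not part of the original flashcard set: the quantitative components above (EF, SLE, ARO, ALE) computed over a small risk register, ranked by ALE, and residual risk expressed as the ALE left after a mitigation lowers EF (impact) or ARO (likelihood). It goes one step beyond the cards by also netting the avoided loss against the control's annual cost. The class and function names, the register entries and all dollar figures are assumptions for illustration.

```python
"""Quantitative risk assessment over a small risk register (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """One risk-register entry carrying the inputs the SLE/ALE formulas need.

    asset_value      AV, the dollar value of the asset at risk
    exposure_factor  EF, fraction of AV lost in one event (0.0 = no loss, 1.0 = total loss)
    aro              ARO, expected number of occurrences per year
    """
    name: str
    asset_value: float
    exposure_factor: float
    aro: float
    mitigation: str = "none"

    def __post_init__(self) -> None:
        # Reject inputs the formulas cannot sensibly take; a typo such as EF=70
        # (instead of 0.70) would otherwise inflate every downstream number.
        if self.asset_value < 0:
            raise ValueError(f"{self.name}: asset value must be >= 0")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0.0 and 1.0")
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO must be >= 0")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def residual_ale(risk: Risk, new_ef: Optional[float] = None,
                 new_aro: Optional[float] = None) -> float:
    """ALE that remains after a control lowers impact (EF) and/or likelihood (ARO).

    A mitigation usually changes only one of the two; passing None keeps the
    original value for that input. Building a new Risk re-runs the validation.
    """
    ef = risk.exposure_factor if new_ef is None else new_ef
    aro = risk.aro if new_aro is None else new_aro
    return Risk(risk.name, risk.asset_value, ef, aro, risk.mitigation).ale()


def control_net_benefit(risk: Risk, new_ef: Optional[float], new_aro: Optional[float],
                        annual_control_cost: float) -> float:
    """Annual value of a control: (ALE before - ALE after) - annual cost of the control.

    Positive means the control avoids more loss than it costs; negative means
    accepting the risk is cheaper than mitigating it this way.
    """
    return risk.ale() - residual_ale(risk, new_ef, new_aro) - annual_control_cost


def ranked_register(register: List[Risk]) -> List[Tuple[str, float, float]]:
    """Rows of (name, SLE, ALE) sorted by ALE, highest first, to prioritise mitigation."""
    rows = [(r.name, r.sle(), r.ale()) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are illustrative, not from any real assessment.
REGISTER = [
    Risk("flood at primary data centre", asset_value=1_000_000, exposure_factor=0.70, aro=0.1),
    Risk("ransomware on file server", asset_value=250_000, exposure_factor=0.40, aro=2.0),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=5.0),
]

if __name__ == "__main__":
    for name, sle, ale in ranked_register(REGISTER):
        print(f"{name:32s} SLE=${sle:>12,.2f}  ALE=${ale:>12,.2f}")
    ransomware = REGISTER[1]
    # Offline backups cut the data lost per incident (EF 0.40 -> 0.10) but not how often it hits.
    print(f"residual ALE with backups: ${residual_ale(ransomware, new_ef=0.10):,.2f}")
    print("net benefit of a $30k/yr backup programme: "
          f"${control_net_benefit(ransomware, 0.10, None, 30_000):,.2f}")
```

With these figures the flood card's 70% EF on a $1,000,000 asset gives SLE $700,000 and, at one flood per ten years (ARO 0.1), ALE $70,000; the ransomware entry tops the ranking at ALE $200,000, and a $30,000/yr backup programme that drops its EF to 0.10 leaves residual ALE $50,000 and nets $120,000/yr, which is the number a risk register should record next to the chosen mitigation.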
control risk
assessment of how much a security control has lost effectiveness over time (the risk that a control no longer prevents or detects what it was put in place for)