Monday, October 19, 2015

Sec+ - Identifying Risk

It is not possible to eliminate risk, but you can take steps to manage it. An
organization can avoid a risk by not providing a service or not participating in
a risky activity. Insurance transfers the risk to another entity. You can
mitigate risk by implementing controls; the risk that remains after the controls
are in place is residual risk, and when the cost of further controls exceeds the
cost of the risk, an organization accepts that residual risk.

A risk assessment is a point-in-time assessment, or a snapshot. In other words, it assesses the risks based on current conditions, such as current threats, vulnerabilities, and existing controls.

Risk assessments use quantitative measurements or qualitative measurements. Quantitative
measurements use numbers, such as a monetary figure representing cost and asset values. Qualitative measurements use judgments.

Quantitative Risk Assessment

One quantitative model uses the following values to determine risks:
Single loss expectancy (SLE). The SLE is the cost of any single loss.
Annual rate of occurrence (ARO). The ARO indicates how many times the loss will occur
in a year. If the ARO is less than 1, the ARO is represented as a percentage. For example, if you anticipate the occurrence once every two years, the ARO is 50 percent or .5.
Annual loss expectancy (ALE). The ALE is the SLE × ARO.

Your company loses one laptop every month. One laptop costs $2,000.
What is the ALE?

SLE = $2,000
ARO = 1 laptop/month x 12 months = 12
ALE = SLE x ARO = $2,000 x 12 = $24,000 per year

If you buy cable locks, the one-time cost is $1,000.

If they still steal 2 laptops a year after the locks, then

ARO = 2
ALE = 2 x $2,000 = $4,000 per year

Savings = $24,000 - $4,000 = $20,000 per year

Subtracting the $1,000 spent on locks, the net saving is $19,000,

so it makes sense to purchase locks.

Managers use these two simple guidelines for most of these decisions:
- If the cost of the control is less than the savings, purchase it.
- If the cost of the control is greater than the savings, accept the risk.

If you plan to implement another method such as biometrics and the total cost to implement is $30,000, it does not make sense on the numbers alone: even if it stopped every theft, the most it could save is the $24,000 ALE, so it costs $6,000 more than it saves. But you should also weigh the sensitivity of the data on the laptops; the ALE figures are one input to the decision, so analyze all factors.
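The laptop decision above, worked in code as an added example (it is not from the original post). The helper names ale(), aro_from_interval() and evaluate_control() are my own; the figures are the post's, except that biometrics is assumed to stop every theft (the most favourable case for it), since the post gives only its cost. The comparison is the one the post makes: control cost against the yearly loss it removes.

```python
# Added example, not from the original post: quantitative risk maths for the
# laptop-theft scenario. Figures are the post's ($2,000 per laptop, 12 thefts a
# year, locks for $1,000, 2 thefts a year after locks, biometrics for $30,000).
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years (once every 2 years -> 0.5)."""
    return 1.0 / years_between_events


@dataclass
class Control:
    name: str
    cost: float           # the cost the post compares against savings
    residual_aro: float   # expected occurrences per year after the control


def evaluate_control(sle: float, aro_before: float, control: Control) -> dict:
    """Compare the control's cost with the loss it prevents, as the post does.

    savings = ALE before - ALE after; net = savings - cost.
    Positive net means 'purchase it'; otherwise 'accept the risk'.
    """
    ale_before = ale(sle, aro_before)
    ale_after = ale(sle, control.residual_aro)
    savings = ale_before - ale_after
    net = savings - control.cost
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "savings": savings,
        "net": net,
        "decision": "purchase" if net > 0 else "accept the risk",
    }


LAPTOP_SLE = 2_000.0
LAPTOP_ARO = 12.0   # one laptop a month

LOCKS = Control("cable locks", cost=1_000.0, residual_aro=2.0)
# Assumption (the post gives only the cost): biometrics stops every theft.
BIOMETRICS = Control("biometrics", cost=30_000.0, residual_aro=0.0)


if __name__ == "__main__":
    for control in (LOCKS, BIOMETRICS):
        r = evaluate_control(LAPTOP_SLE, LAPTOP_ARO, control)
        print(f"{r['control']}: ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}, "
              f"saves ${r['savings']:,.0f}/yr, net ${r['net']:,.0f}: {r['decision']}")
```

The same ale() helper answers any SLE x ARO question; when the loss is expected less than once a year, feed it aro_from_interval() so the ARO is the fractional value the post describes.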

A quantitative risk assessment uses specific monetary amounts to identify
cost and asset values. The SLE identifies the amount of each loss, the ARO
identifies the number of failures in a year, and the ALE identifies the
expected annual loss. You calculate the ALE as SLE × ARO. A qualitative
risk assessment uses judgment to categorize risks based on probability and

Qualitative Risk Assessment

You can think of quantitative as using a quantity or a number, whereas qualitative is related to quality, which is often a matter of judgment.

You need to calculate the ALE for a server. The value of the server is $3,000, but it has crashed 10 times in the past year. Each time it crashed, it resulted in a 10 percent loss. What is the ALE?

The annual loss expectancy (ALE) is $3,000. It is calculated as single loss expectancy (SLE) × annual rate of occurrence (ARO). The SLE is 10 percent of $3,000 ($300) and the ARO is 10. 10 × $300 is $3,000.


Your organization hosts a website within a DMZ, and the website accesses a database server in
the internal network. ACLs on the firewalls prevent any connections to the database server except from the web server. Database fields holding customer data are encrypted, and all data in transit between the web server and the database server is encrypted. The GREATEST risk to the data on the server is a SQL injection attack, which lets an attacker send commands to the database server through the web application and read the data. The firewall ACLs and the encryption do not stop this: the web server is the one host allowed to talk to the database, and it must be able to decrypt the fields to serve pages, so anything injected through it inherits both that network path and that decryption capability. Encryption protects the data at rest and in transit, but not from a query the web server itself issues.
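The scenario above, shown in code as an added example (not from the original post): an in-memory SQLite database stands in for the internal database server, a toy keyed XOR marked as such stands in for the field encryption, and the table, column names and payload are my own constructions. The vulnerable lookup concatenates user input into the query; the safe one binds it as a parameter. Both run on the "web tier", so both reach the database through the permitted path and both decrypt what they read; only the first lets the input change the query.

```python
# Added example, not from the original post. Models why SQL injection through
# the web server bypasses the firewall ACL and the encryption at rest.
import sqlite3

KEY = b"web-tier-key"  # constructed stand-in: the web tier must hold this to serve pages


def _xor(data: bytes) -> bytes:
    # Toy keyed XOR marking fields as "encrypted at rest". NOT real crypto; it
    # only models that decryption happens in the web tier.
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def encrypt_field(s: str) -> bytes:
    return _xor(s.encode())


def decrypt_field(b: bytes) -> str:
    return _xor(b).decode()


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the internal database server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_no BLOB)")
    rows = [("alice", "4111111111111111"), ("bob", "5500000000000004"), ("carol", "340000000000009")]
    con.executemany("INSERT INTO customers (username, card_no) VALUES (?, ?)",
                    [(u, encrypt_field(c)) for u, c in rows])
    return con


def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # The flaw: user input is concatenated into the SQL text. This code runs on
    # the web server, so its query arrives over the one connection the firewall
    # ACL allows, and decrypt_field() undoes the encryption at rest for every
    # row the (attacker-shaped) query returns.
    sql = f"SELECT username, card_no FROM customers WHERE username = '{username}'"
    return [(u, decrypt_field(c)) for u, c in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the input is bound as a value and never parsed as SQL.
    sql = "SELECT username, card_no FROM customers WHERE username = ?"
    return [(u, decrypt_field(c)) for u, c in con.execute(sql, (username,))]


PAYLOAD = "' OR '1'='1"  # constructed injection string


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected:   ", lookup_vulnerable(db, PAYLOAD))  # every card, decrypted
    print("safe, injected:         ", lookup_safe(db, PAYLOAD))        # no rows
```

With the payload, the vulnerable query becomes `WHERE username = '' OR '1'='1'` and returns every customer row, already decrypted by the web tier; the parameterised version compares the literal string and returns nothing. The network ACL and the encryption were never in play, because the request came from the host they trust.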
