Risk Analysis
Risk analysis helps align security objectives with business objectives. It is a process that deals with the calculation of risk and the return on investment for security measures. By identifying risks, estimating the effects of potential threats, and identifying ways to mitigate these risks in a cost effective manner, organizations can ensure that the cost of prevention does not outweigh the benefits.
The risk analysis process involves several key steps to assess and manage risk effectively:
Identify threats: Recognize potential threats that could exploit vulnerabilities.
Identify vulnerabilities: Determine weaknesses within the system that could be exploited by threats.
Determine the likelihood of occurrence: Evaluate how probable it is for a threat to occur and exploit a vulnerability.
Determine the magnitude of impact: Assess the potential severity of the damage or loss if a threat materializes.
Determine the risk: Combine the factors above, commonly expressed with the simple equation Risk = Threat × Vulnerability × Impact, where the threat and vulnerability terms together capture the likelihood estimated in the previous two steps.
This process helps in understanding the complex relationship between threats, vulnerabilities, and their potential impacts, emphasizing the importance of assessing the likelihood that a threat will actually occur.
After identifying and assessing risks, categorize and prioritize them by their likelihood of occurrence and potential impact. This prioritization drives the response strategy:
High-level risks may necessitate immediate corrective measures.
Medium-level risks might require an action plan with a reasonable implementation schedule.
Low-level risks can be dealt with as feasible or accepted as within the organization's risk threshold.
Impact must be assessed alongside likelihood: a frequent event with negligible consequences and a rare event with catastrophic consequences are different risks and call for different responses.
Qualitative Risk Analysis
Qualitative risk analysis is a subjective approach that assesses risks based on non-numeric criteria. It involves using techniques such as brainstorming, focus groups, and surveys to gauge the significance of different risks and their impact. This method allows for a relative projection of risk for each threat, using a risk matrix or heat map to visualize the probability (from very low to very high) and impact (from very low to very high) of potential risks.
To facilitate this assessment, Table 24.1 provides a risk matrix that maps a likelihood rating and an impact rating, each on a five-point scale from very low to very high, to an overall risk level of low, medium, or high.
TABLE 24.1 Level of Risk Based on Likelihood and Impact (rows: likelihood; columns: level of impact)

| Likelihood | Very Low impact | Low impact | Moderate impact | High impact | Very High impact |
|---|---|---|---|---|---|
| Very High | Medium | High | High | High | High |
| High | Low | Medium | High | High | High |
| Moderate | Low | Medium | Medium | High | High |
| Low | Low | Low | Medium | Medium | High |
| Very Low | Low | Low | Low | Low | Medium |
The preceding matrix underscores the principle that risk is not just about the potential for a threat to occur but also about the significance of its impact. By categorizing risks into these levels, organizations can prioritize their risk management efforts more effectively, focusing on mitigating the most important risks first.
Despite its subjective nature and its reliance on expert judgment, qualitative analysis provides essential insight into risk prioritization, especially when quantitative data is unavailable.
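The following is an added example, not code from the original page: it encodes Table 24.1 as a lookup structure, checks that the matrix is monotone (risk never decreases as likelihood or impact increases, a property a hand-maintained matrix can silently lose when someone edits a cell), and then prioritizes a constructed risk register using the response strategies described above. The register entries, the sort order within a risk level, and the response wording are assumptions for illustration.

```python
"""Qualitative risk matrix (Table 24.1) with a monotonicity check and register prioritization."""
from __future__ import annotations

# Five-point scale used for both likelihood and impact, lowest first.
LEVELS = ["very low", "low", "moderate", "high", "very high"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Rows are likelihood, columns are impact (very low .. very high), cells are Table 24.1.
MATRIX = {
    "very high": ["medium", "high", "high", "high", "high"],
    "high":      ["low", "medium", "high", "high", "high"],
    "moderate":  ["low", "medium", "medium", "high", "high"],
    "low":       ["low", "low", "medium", "medium", "high"],
    "very low":  ["low", "low", "low", "low", "medium"],
}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}

# Response per overall risk level, paraphrasing the text (wording is an assumption).
RESPONSE = {
    "high": "immediate corrective measures",
    "medium": "develop an action plan",
    "low": "address as feasible or accept",
}


def risk_level(likelihood: str, impact: str) -> str:
    """Return the overall risk level for a likelihood/impact pair; reject unknown ratings."""
    lk, im = likelihood.lower(), impact.lower()
    if lk not in MATRIX or im not in RANK:
        raise ValueError(f"unknown scale value: {likelihood!r}/{impact!r}")
    return MATRIX[lk][RANK[im]]


def matrix_is_monotone() -> bool:
    """Sanity check: risk must not decrease as impact (across a row) or likelihood (down a column) rises."""
    for lk in LEVELS:
        row = [RISK_RANK[c] for c in MATRIX[lk]]
        if any(a > b for a, b in zip(row, row[1:])):
            return False
    for col in range(len(LEVELS)):
        column = [RISK_RANK[MATRIX[lk][col]] for lk in LEVELS]
        if any(a > b for a, b in zip(column, column[1:])):
            return False
    return True


def prioritize(register: list[dict]) -> list[dict]:
    """Annotate each risk with its level and response and order it most severe first.

    Ties within a level are broken by impact, then likelihood (an assumed tie-break rule).
    """
    out = []
    for r in register:
        level = risk_level(r["likelihood"], r["impact"])
        out.append({**r, "risk": level, "response": RESPONSE[level]})
    out.sort(
        key=lambda r: (RISK_RANK[r["risk"]], RANK[r["impact"].lower()], RANK[r["likelihood"].lower()]),
        reverse=True,
    )
    return out


# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    {"id": "R1", "name": "Phishing leads to credential theft", "likelihood": "high", "impact": "moderate"},
    {"id": "R2", "name": "Data-center flood", "likelihood": "very low", "impact": "very high"},
    {"id": "R3", "name": "Stale test account left enabled", "likelihood": "moderate", "impact": "low"},
    {"id": "R4", "name": "Ransomware on file server", "likelihood": "moderate", "impact": "very high"},
]

if __name__ == "__main__":
    if not matrix_is_monotone():
        raise SystemExit("risk matrix is not monotone; check the table for a mis-edited cell")
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r['id']} {r['risk']:6} ({r['likelihood']}/{r['impact']}): {r['response']} - {r['name']}")
```

Running the sample register orders the ransomware scenario (moderate/very high, high risk) ahead of phishing (high/moderate, also high risk), then the flood (very low/very high, medium) and the stale account (moderate/low, medium). The monotonicity check is the part worth keeping in a real register tool: it is the cheapest way to catch a matrix that would rank a worse risk below a lesser one.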
Quantitative Risk Analysis
Quantitative risk analysis offers an objective means to evaluate risk by assigning numerical values to the potential loss and to the likelihood that a risk will occur. It calculates the degree of risk from an estimate of potential losses and a quantification of unwanted events, using the concepts of single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
Quantitative analysis yields clear measures of relative risk and expected return on investment, which makes it easier for senior management to understand and act on. The cost is effort: collecting and analyzing the underlying data takes significantly more time than a qualitative assessment. Qualitative measures, by contrast, are less precise and more subjective, and they make it harder to assign direct costs when measuring return on investment (ROI) and rate of return on investment (RROI).
A quantitative assessment is less subjective than a qualitative one precisely because a monetary or numeric value must be assigned to each component. First, the potential loss from a single incident is estimated. Next, the likelihood of the unwanted event is quantified, based on the threat analysis. Finally, the potential loss and the likelihood are combined to arrive at the degree of risk. These three steps correspond to single loss expectancy, annual rate of occurrence, and annual loss expectancy.
Single Loss Expectancy
Single loss expectancy (SLE) is the expected monetary loss each time a threat is realized. SLE equals the asset value multiplied by the exposure factor, which is the percentage of the asset's value lost in a single successful attack. The formula looks like this:
Asset Value × Exposure Factor = SLE
Consider an example of SLE using denial-of-service (DoS) attacks. Firewall logs indicate that the organization was hit hard by a DoS attack once a month in each of the past 6 months. You can use this historical data to estimate that you likely will be hit 12 times per year, which becomes the ARO for this threat. This information helps you calculate the SLE and the ALE. (The ALE is explained in greater detail shortly.)
An asset is any resource that has value and must be protected. Determining an asset's value most often means determining the cost to replace the asset if it is lost. Simple property examples fit well here, but figuring asset value is not always so straightforward. Other considerations may be necessary, including the value of the asset to adversaries, the value of the asset to the organization's mission, and the liability that would arise if the asset were compromised.
The exposure factor is the percentage of an asset's value that a realized threat would destroy. In the DoS example, imagine that 25% of business would be lost if a DoS attack succeeded. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × 0.25). Some threats are more probable than others, and historical data is the best basis for estimating those probabilities.
Annual Rate of Occurrence
The annual rate of occurrence (ARO) is the estimated number of times a specific threat will take place in a 1-year time frame. The value ranges from 0.0 (the threat is not expected to occur) upward, with no fixed ceiling: the magnitude depends on the type and population of threat sources, so an ARO greater than 1.0 simply means the threat is expected more than once a year. In the firewall-log example, 12 attacks per year gives an ARO of 12. A threat expected once every 2 years, or equivalently with a 50% chance of occurring in a given year, has an ARO of 0.5. After you calculate the SLE and the ARO, you can calculate the ALE, which is the expected monetary loss from the threat over a single year.
Annual Loss Expectancy
The annual loss expectancy (ALE) is the monetary loss that can be expected for an asset from risk over a 1-year period. ALE equals SLE times ARO:
ALE = SLE × ARO
ALE can be used directly in a cost/benefit analysis. Using the SLE of $25,000 from the earlier example with an ARO of 0.5 (the threat expected once every 2 years), the ALE is $12,500 ($25,000 × 0.5 = $12,500). In this case, spending more than $12,500 per year to mitigate the risk would not be prudent because the cost of the control would outweigh the expected loss. The same SLE at the rate the firewall logs actually showed (ARO of 12) gives an ALE of $300,000, which justifies a far larger annual spend; the ARO chosen drives the decision, so it should be grounded in the best historical data available.
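The following is an added example, not code from the original page: it carries the SLE, ARO and ALE calculations through with the page's DoS numbers ($100,000 daily sales, 25% exposure factor) and extends them to the cost/benefit comparison the text describes, computing the net annual value of a control as the ALE reduction minus the control's annual cost. The mitigation service, its $60,000 annual cost and its reduction of the exposure factor to 5% are assumptions for illustration.

```python
"""SLE, ARO and ALE with a control cost/benefit comparison (page's DoS figures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    asset_value: float      # value of the asset at risk, in dollars
    exposure_factor: float  # fraction of asset value lost per incident, 0.0..1.0
    aro: float              # expected occurrences per year; may exceed 1.0

    def __post_init__(self) -> None:
        # Out-of-range inputs would silently produce a misleading ALE, so reject them.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def aro_from_log(incidents: int, months_observed: int) -> float:
    """Extrapolate an ARO from an incident count over an observation window, as the text does
    with 6 hits in 6 months of firewall logs."""
    if months_observed <= 0:
        raise ValueError("need a positive observation window")
    return incidents * 12 / months_observed


def control_value(before: RiskEstimate, after: RiskEstimate, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus what the control costs per year.

    Positive means the control pays for itself; negative means it costs more than the
    expected loss it removes, which is the "cost outweighs the risk" case in the text.
    """
    return before.ale() - after.ale() - annual_control_cost


# Page's DoS example: $100,000 daily web sales, 25% lost per successful attack, ARO 0.5.
DOS = RiskEstimate(asset_value=100_000, exposure_factor=0.25, aro=0.5)

# Same SLE at the rate the firewall logs actually showed (6 incidents in 6 months).
DOS_LOGGED = RiskEstimate(asset_value=100_000, exposure_factor=0.25, aro=aro_from_log(6, 6))

# Hypothetical mitigation service (assumption): $60,000/yr, cuts the exposure factor to 5%.
MITIGATION_COST = 60_000
DOS_MITIGATED = RiskEstimate(asset_value=100_000, exposure_factor=0.05, aro=DOS_LOGGED.aro)

if __name__ == "__main__":
    print(f"SLE                   = ${DOS.sle():,.0f}")
    print(f"ALE (ARO 0.5)         = ${DOS.ale():,.0f}")
    print(f"ALE (ARO from logs)   = ${DOS_LOGGED.ale():,.0f}")
    print(f"net value of control  = ${control_value(DOS_LOGGED, DOS_MITIGATED, MITIGATION_COST):,.0f}")
    print(f"net value at ARO 0.5  = ${control_value(DOS, RiskEstimate(100_000, 0.05, 0.5), MITIGATION_COST):,.0f}")
```

The last two lines are the point of the exercise: the same $60,000 control is clearly worth buying at the logged rate (it removes $240,000 of expected annual loss) and clearly not worth buying at an ARO of 0.5 (it removes $10,000 of expected loss for $60,000), so the control decision turns on how well the ARO is grounded in observed data.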