Risk Analysis
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
A risk analysis determines possible vulnerabilities and threats, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed by using a quantitative method or a qualitative method. Quantitative risk analysis involves calculations to assign a value to a potential vulnerability or threat. This option works best when dealing with tangible assets. Qualitative risk analysis assigns a level used to prioritize potential risk so organizations can take a logical approach to address the most critical threats. This method works best for intangible assets.
Introduction

Risk affects both tangible and intangible assets.
Tangible assets: buildings, inventory, computers, accounts receivable.
Intangible assets: company reputation, intellectual property.

Assessment Methods

Two types of analysis method are covered: quantitative and qualitative.
Quantitative risk analysis is the process of objectively determining the impact of an event by using metrics and models. A quantitative analysis relies on historical information and trends to predict future performance, so it depends on having historical data available. The result of a quantitative risk analysis is a value.
Risk Analysis Calculation Challenge: Laptop

ABC Company owns 65 laptops. Each laptop cost $1,200. You will base your calculations on the value of one laptop. The team identified three threats. Based on internal data, calculate the ARO and ALE given the information provided.

Each laptop costs $1,000, plus $200 for installation and configuration: $1,000 + $200 = $1,200 total AV.

Let's examine these threats: damage by an employee dropping a laptop, a malware attack, and device theft.

Table columns: Threat Event, Rate of Occurrence, EF, SLE, ARO, ALE.
Threat events: Theft of Equipment, Damage by Dropping, Malware.
Rates of occurrence shown in the table: once every 5 years, twice a year, once every 2 years.
Exposure factors shown in the table: 100% (1.0), 60% (0.6), 20% (0.2).
Dollar amounts shown in the table: $1,200, $600, $240, $144. ARO values shown: 0.2, 2.
Total ALE for All Threats: (to be calculated)
Asset Value

The asset value is the total expenditure it takes to replace an asset. The elements used to determine the value of an asset, in this case a corporate web site:

Initial Costs: a dollar value that includes purchasing, licensing, or developing, along with maintenance and support costs.
Organizational Value: an intangible value that is more difficult to calculate, since it may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised. It can also include liability costs associated with privacy issues, personal injury, and death.
Public Value: an intangible cost that includes loss of proprietary information or processes, or loss of business reputation.

Figures for the web site example: purchase price $20,000, cost to create the web site $40,000, reputable web site $75,000. The three figures are added together to give the asset value, $135,000.
Annualized Loss Expectancy

Calculating the annualized loss expectancy (ALE) is a common method to estimate the decrease in value or capability of an asset after an adverse event occurs. The steps in the calculation are:

Asset Value (AV)
Exposure Factor (EF)
Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)

Exposure factor is expressed as a percentage (or decimal equivalent) of the asset that is lost if a specific threat or vulnerability is realized. The exposure factor is a subjective value. If the asset is completely lost, the exposure factor is 100% or 1.
[Exposure factor slider: percent of asset value, from 0% to 100% in 10% steps]
Single Loss Expectancy

Calculate the SLE by taking the asset value and multiplying it by the exposure factor. The result is the dollar loss that you expect from a single occurrence of the event. A single asset can have multiple potential threats or vulnerabilities, and a single loss expectancy can be calculated for each.

Asset Value = $135,000
Ransomware Attack: 135,000 x 0.2 = $27,000
Denial-of-Service Attack: 135,000 x 0.5 = $67,500
Hard Drive Failure: total asset loss, 135,000 x 1.0 = $135,000
Annualized Rate of Occurrence

The annualized rate of occurrence is a measure of how often an event occurs in a single year. If an event occurs four times in a calendar year, the ARO is 4. ARO is always expressed as an annual rate even if an incident occurs and is recorded in other time units.

Scenario 1 - One Calendar Year: The ACME facility experiences a power disruption 4 times a year. The ARO in this scenario equals 4.
Scenario 2 - Twenty Calendar Years: The ACME facility experiences a natural disaster like a fire or earthquake once every twenty years. The ARO in this scenario equals 1 / 20 = 0.05.
Scenario 3 - 30 Months: According to the manufacturer, the life expectancy of the drives used at ACME is 30 months. This means the drive failure ARO equals 12 / 30 = 0.4.
Annualized Loss Expectancy

To calculate the annualized loss expectancy (ALE), take the single loss expectancy and multiply it by the annualized rate of occurrence (ARO).

Power Outage: SLE = $50,000, ARO = 0.5, ALE = $25,000
Equipment Failure: SLE = $10,000, ARO = 0.5, ALE = $5,000
Hacking Attack: SLE = $5,000, ARO = 2.5, ALE = $12,500
Total ALE: $42,500
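The AV, EF, SLE, ARO and ALE steps carried through in code, as an added example that is not part of the module: it uses the module's own figures (the $135,000 web site, the ACME occurrence scenarios, and the power outage, equipment failure and hacking attack table), and the function names are my own.

```python
"""Quantitative risk analysis: AV -> EF -> SLE -> ARO -> ALE (added example)."""

def asset_value(*costs):
    """AV is the total expenditure to replace the asset, so the purchase,
    creation and reputational figures for the web site are simply summed."""
    return float(sum(costs))

def single_loss_expectancy(av, ef):
    """SLE = AV x EF. EF is the fraction of the asset lost in one event;
    1.0 means the asset is completely lost (total asset loss)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef

def annualized_rate_of_occurrence(events, period, unit="years"):
    """ARO is events per year, so rates recorded over other spans are
    normalised: once every 20 years -> 0.05, once per 30 months -> 12/30 = 0.4."""
    periods_per_year = {"years": 1.0, "months": 12.0}
    if unit not in periods_per_year:
        raise ValueError("unit must be 'years' or 'months'")
    if period <= 0:
        raise ValueError("period must be positive")
    return events * periods_per_year[unit] / period

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected yearly loss from a single threat."""
    return sle * aro

def total_ale(threats):
    """threats: list of (name, sle, aro). Returns ({name: ale}, total ALE)."""
    per_threat = {name: annualized_loss_expectancy(sle, aro)
                  for name, sle, aro in threats}
    return per_threat, sum(per_threat.values())

if __name__ == "__main__":
    av = asset_value(20_000, 40_000, 75_000)                # web site AV: 135000.0
    print("SLE, ransomware (EF 0.2):", single_loss_expectancy(av, 0.2))  # 27000.0
    print("ARO, drive failure:", annualized_rate_of_occurrence(1, 30, "months"))  # 0.4
    per_threat, total = total_ale([
        ("Power Outage", 50_000, 0.5),
        ("Equipment Failure", 10_000, 0.5),
        ("Hacking Attack", 5_000, 2.5),
    ])
    print(per_threat, "total:", total)                      # total: 42500.0
```

The same helpers can be used to fill in the challenge tables that follow: compute each threat's SLE from the AV and EF, convert its occurrence interval to an ARO, and sum the per-threat ALEs.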
Qualitative Risk Analysis

A qualitative analysis compares the impact of a threat with the probability of its occurrence and uses labels such as low, medium, or high. The impact of an event is a measure of the loss when a threat exploits a vulnerability. The probability is the chance that the threat event will occur.

Events assessed in the example:
Event 1: The web server experiences a hard-drive failure
Event 2: A denial-of-service (DDoS) attack is launched against the web server
Event 3: Fire in the server room
Event 4: Credit card data stolen
Event 5: Tornado
Consequences listed: loss of revenue, loss of reputation, loss of customers.

A risk matrix is a tool that helps you prioritize risks to determine which ones the organization needs to develop a response for. You may have five risks identified, but not all of them will be weighted as a top priority.

Matrix 1 plots each of the five events (hard-drive failure, denial-of-service, server room fire, credit card data stolen, tornado) by probability of occurrence (Rare, Unlikely, Possible, Probable, Highly Probable) against risk impact (Minor, Moderate, Major, Severe); the cell where the two meet gives the risk level (Very Low, Low, Medium, High, Very High).
[Matrix 1 and Matrix 2 cell contents not recoverable from the extracted page]
You can make a qualitative analysis more objective by assigning numeric values to the matrix. This allows management to focus on the risk areas with the greatest potential impact by calculating a risk score.

Matrix 2 assigns a number to each probability level and each impact level and scores every cell with Impact x Probability = Risk Score; the scores in the example matrix run from 1 to 25, and the five events are placed in the matrix according to their score.
[Matrix 2 cell values not recoverable from the extracted page]
Risk Analysis Calculation Challenge: SAN System

The ABC Company is performing a risk analysis for its storage area network. The total asset value is $250,000. The team identified the three threats shown in the table. Manufacturer's data and company records provided the data given in the table. Enter the missing values in the table.

Total asset value is $250,000: $200,000 + $25,000 + $25,000 = $250,000 total AV.
The identified threats are device failure, power outage, and denial-of-service attacks. We need to determine the SLE, ARO and ALE.

Threat events: Drive Failure, Power Outage, DOS/DDOS Attack.
Rates of occurrence shown in the table: once every 8 years, twice a year.
Exposure factors shown in the table: 10% (0.1), 5% (0.05).
Total ALE for All Threats: (to be calculated)
Risk Analysis Calculation Challenge: Server

ABC Company spent $18,000 on a database server. Configuration and installation totaled $2,000. Complete the risk analysis challenge table based on the four threats identified by the team at ABC.

The database server has a purchase price of $18,000 plus $2,000 for configuration: $18,000 + $2,000 = $20,000 total AV.
The threats include device failure, power outage, denial-of-service attack, information theft, and misconfiguration.

Threat events labelled in the table: Device Failure, Theft of Information, Configuration Mistakes.
Rates of occurrence shown in the table: once every 18 months, once every 4 years, once a month.
Exposure factors shown in the table: 40% (0.4), 15% (0.15), 5% (0.05), 1% (0.01).
Other values shown in the table: $3,000, $4,000, $666, 0.25, 0.66.
Total ALE for All Threats: (to be calculated)
Risk Analysis Calculation Challenge: Point-of-Sale System

ABC Company spent $10,000 on their remote point-of-sale system. Configuration and installation totaled $5,000. Complete the table based on the four threats identified by the team at ABC.

The P-O-S system cost $10,000 and another $5,000 to install and configure.
Let's examine these threats: theft, equipment failure, ransomware and a data breach.

Threat events labelled in the table: Equipment Failure, Ransomware, Data Breach.
Rate of occurrence shown in the table: once every 10 years.
Exposure factor shown in the table: 40% (0.4).
Other values shown in the table: $1,500, $6,000, 0.2.
Total ALE for All Threats: (to be calculated)
Risk Analysis Calculation Challenge: Private Cloud Facility

ABC Company spent $500,000 on the development and purchase of a private cloud facility. Configuration and installation totaled $50,000 and the programming and application development cost another $450,000. Complete the risk analysis challenge table based on the four threats identified by the team at ABC.

The cloud facility cost $500K, another $450K to program, plus $50K to install.
The threats identified include a power outage, DoS/DDoS, data breach and a flood.

Threat event labelled in the table: Flood.
Rate of occurrence shown in the table: once every 20 years.
Exposure factor shown in the table: 50% (0.5).
Other values shown in the table: $100,000, $200,000.
Total ALE for All Threats: (to be calculated)