What is the product of asset value (AV) and event frequency (EF)?
Description

Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
Introduction

The principle of risk includes three ideas: it examines an event, and then combines its probability with its potential impact. When examining risk, two questions are always asked: what is the probability that a particular event will occur, and what negative impact would the event have if it actually occurred? Risk is measured by combining the answers to these two questions. A high-risk event has both a high probability of occurring and a significant negative impact if it occurs. The measurement of risk must always be focused on the future.

Lesson Objectives

By the end of this lesson, you will be able to:
Source: National Information Security and Geospatial Technologies Consortium (NISGTC),
https://www.edjet.com/scorm-content/edjet-prod-uploads/1bbb6bd2940fd96497953e96a7011e315c141cf3/771aacefbe2ed9e16b17173a36b691df/story_content/WebObjects/6MLNkf2prXH/lesson02/index.html

Key Terms
Instruction

Risk Management

Risk management is the process of identifying, assessing, and prioritizing organizational risk. It also includes the creation of organizational processes to address loss exposures, monitor risk controls, and mitigate the impact of potential risk to the organization. Natural disasters, human error, accidents, legal liabilities, and deliberate attacks by an adversary all pose some degree of risk. This lesson introduces the concepts and processes associated with risk management. Risk management and risk assessment are major components of Information Security Management (ISM). The ISO 27000 framework defines risk management as a process that includes four activities:
Risk management includes all of the related activities that an organization carries out in order to assess, evaluate, and respond to organizational risk. Risk assessment is the process of analyzing risk. It can be performed using a quantitative or a qualitative approach: the quantitative approach measures the actual financial impact, while the qualitative approach measures the impact on the organization's operations and reputation.

Figure 1 – Components of risk management

Risk analysis uses information to identify possible sources of risk and to identify threats or events that could have a harmful impact. Risk analysis also includes estimating the level of each risk. A risk evaluation compares the estimated risk against a set of risk criteria in order to determine how significant the risk really is, which helps to prioritize the risks. Risk response is the approach taken to mitigate the threat and reduce the impact of the risk.

The video, Managing IT Risk: Trends in Global Information Security (12:55), discusses the most important challenges IT professionals face in mitigating the threats that organizations now confront in a dynamic technology environment.

The Risk Management Process

The risk management process consists of three stages:
Figure 2 – The risk management process

Risk Inventory

The risk inventory is done to create a checklist of potential risks and to evaluate the likelihood of their occurrence. Some organizations develop risk checklists based on past experience; these checklists can help in building a more comprehensive list. Identifying the sources of risk by category is another method for exploring potential risk. Some examples of categories for potential risks include the following:
For example, a human factor risk would include the inability to find an employee with the skills needed to properly complete a task or protect resources.

Risk Management Benefits and Motivation

Besides identifying the risks facing an organization, a risk management program enables the organization to assess the impact those risks can have on organization-wide performance and processes. Risk management therefore not only provides a risk evaluation, but can also identify whether adequate controls are in place to mitigate risks effectively. The real benefit and motivation come down to cost. The process is designed to identify the optimal level of security at the minimum cost. It typically comes down to the cost of the countermeasure versus the cost of the security failure.

Figure 3 – Cost versus security level trade-off

At point A, the cost of security failure is high, while the level of security assurance is low. At point B, too much money is being spent to provide security assurance. At point D, the cost of security failures is equal to the cost of the security measures. Point D is optimal, since the combined cost of failures and security measures is minimized while security assurance is maximized.

Tangible and Intangible Asset Valuation

An "asset" is any resource, product, system, process, or other organizational resource that has value to the organization. As such, all assets must be protected. Assets can be physical/tangible items, such as equipment or computers, and they can also be intangible, such as information or intellectual property.

Figure 4 – Tangible assets versus intangible assets

Tangible Assets

Tangible assets are those that have a physical presence, and the risk analysis can identify a real value for them. These assets are valued based on the original or replacement cost, and they often depreciate to zero for accounting purposes. Common ways to calculate the value of tangible assets include:
Intangible Asset Valuation

Intangible assets are not physical, but still represent value to the organization's image, its operations, and its ability to compete in the marketplace. Intangible assets include:
Methods for Managing Risk

Risks should be ranked based on financial or operational impact and likelihood of occurrence. The results of this assessment will place each risk event in one of four risk response categories:
Figure 7 – Methods for managing risk

Asset Valuation Example Review

To conduct an asset valuation, answer the following questions:
Quantitative Risk Analysis

This type of risk analysis assigns independent, objective, numeric monetary values to the elements of the risk assessment and to the assessment of potential losses. EVERYTHING gets a dollar value! The standardized calculation of risk is based on the impact of each occurrence and the frequency of occurrence. The overall approach to quantitative risk analysis is illustrated in Figure 8.

Figure 8 – Quantitative risk analysis approach

Single Loss Expectancy (SLE)

SLE is the estimate of the amount of damage that an asset will suffer due to a single incident. Asset categories include people, facilities, equipment, materials, information, activities, and operations.

Figure 9 – Single Loss Expectancy calculation

The following formula is used to calculate the single loss expectancy:

SLE = AV × EF
Exposure Factor (EF) is expressed as a percentage of the asset value. If the loss can be limited to one type, the impact on the asset can be determined as the percentage of the asset value that is lost.

Annual Rate of Occurrence (ARO)

ARO is the number of times per year that an incident is likely to occur. Knowing the adversaries' intent, capability, and motivation will help determine the ARO.

ARO = Incidents / Year

The Annualized Rate of Occurrence is the number of incidents per year.

Figure 10 – Annual rate of occurrence calculation

Annual Loss Expectancy (ALE)

ALE provides an estimate of the yearly financial impact to the organization from a particular risk. This helps determine how much money the organization is justified in spending on countermeasures in order to reduce the likelihood or impact of an incident.
Qualitative Risk Analysis

A qualitative risk analysis evaluates the impact or effect of threats on the business process or the goals of the organization, and has the following characteristics:
A qualitative analysis is much more subjective. Members of the risk assessment team determine the overall security risk to assets. An asset value is still used, in addition to the threat frequency, impact, and safeguard effectiveness, but all of these elements are measured in subjective terms such as high, low, or not likely. Although the variables in a qualitative security risk equation are expressed as numerical values, these values are ordinal numbers which correspond to High > Medium > Low. There is no metric that determines the distance between categories; for example, Low is not twice as good as High. Tables are used as the "formula" for determining qualitative security risks, as shown in Figure 11.

Figure 11 – Qualitative risk analysis matrix

The team then defines each of the qualitative values for probability and impact. The values in the table are the result of multiplying the probability value by the impact value. Read the article, Qualitative Risk Analysis and Assessment, for more information.

Risk Mitigation

Risk mitigation involves reducing the severity of a loss or the likelihood of the loss occurring. Many technical controls can be used to mitigate risk, including authentication systems, file permissions, and firewalls. Organizations and security professionals must understand that risk mitigation can have both positive and negative impacts on the organization. Good risk mitigation finds a balance between the negative impact of countermeasures and controls and the benefit of risk reduction. A shorter-term strategy is to accept the risk, in the sense of accepting the necessity of creating contingency plans for that risk. Modern software development methodologies reduce risk by developing and delivering software incrementally and by providing regular updates and patches to address vulnerabilities and misconfigurations. Outsourcing services can be an example of risk reduction: hiring specialists to perform critical tasks can be a good decision and yield greater results with less long-term investment. The ISO framework identifies several ways to manage risk:
Figure 12 – Ways to deal with risk

These strategies are not mutually exclusive. A good risk mitigation plan can include two or more strategies.

Security Control Selection Principles

The total cost of a control includes the following:
Read the article, Critical Security Controls for Effective Cyber Defense, which lists the top twenty security controls as derived from the most common attack patterns.

Countermeasure Selection Considerations: Review

Applying criteria for selection will assist in measuring the true costs of implementing a countermeasure. Take the case of an ATM at a bank. The following questions should be asked:
There are seven possible functions that a security countermeasure can fulfill.
Various countermeasures can perform one or more of these functions.

Calculating Risk Exposure

Risk exposure is a calculation done as part of a risk assessment. Read How to Calculate Risk Exposure Value. Using a qualitative risk analysis, risk exposure is the probability of the risk occurring multiplied by the total loss on risk occurrence. The risk exposure is the potential for financial loss. A quantitative risk analysis is shown in Table 1.

Table 1: Calculation of Annualized Loss Expectancy
AV – Asset Value
EF – Exposure Factor
SLE – Single Loss Expectancy
ARO – Annualized Rate of Occurrence
ALE – Annualized Loss Expectancy

Formulas:

SLE = AV × EF
ALE = SLE × ARO
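As an added example that is not part of the NISGTC lesson, the following Python carries the SLE, ARO and ALE formulas through a small risk table of the kind Table 1 describes, ranks the rows by ALE, and applies the countermeasure-cost comparison from the Benefits and Motivation section. The $100,000 asset with EF 0.3 is the lesson's own figure; every other row, the ARO values, the residual EF and the control cost are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One row of a quantitative risk table: constructed sample data."""
    asset: str
    av: float   # Asset Value, in dollars
    ef: float   # Exposure Factor: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float  # Annualized Rate of Occurrence: incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.asset}: EF must be a fraction between 0 and 1")
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro

def aro_from_history(incidents: int, years: float) -> float:
    """ARO = Incidents / Year, estimated from a recorded incident history."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years

def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order risks so the largest yearly financial exposure comes first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

def countermeasure_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net yearly value of a control: ALE before, minus ALE after, minus its annual cost.
    Positive means the avoided loss pays for the control; negative is the over-spend
    case (point B in Figure 3), where assurance costs more than the failures would."""
    return before.ale() - after.ale() - annual_cost

# Constructed table. Row one uses the lesson's AV ($100,000) and EF (0.3); its ARO
# assumes 3 incidents recorded over 6 years. The other rows are assumptions too.
RISKS = [
    Risk("customer database", 100_000, 0.30, aro_from_history(3, 6)),
    Risk("public web server", 25_000, 1.00, 2.0),
    Risk("office laptop", 2_000, 1.00, 4.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.asset:18} SLE=${r.sle():>9,.0f} ARO={r.aro:<4} ALE=${r.ale():>9,.0f}")
    # Assumed control: tested backups cut the database EF from 0.30 to 0.05 for $4,000/yr.
    residual = Risk("customer database", 100_000, 0.05, RISKS[0].aro)
    print(f"backup control net value: ${countermeasure_value(RISKS[0], residual, 4_000):,.0f}")
```

With these assumptions the web server, not the most valuable asset, tops the ranking because its ALE of $50,000 exceeds the database's $15,000, which is why ranking uses ALE rather than AV alone.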
Statement of Applicability (SOA)

The statement of applicability is a document that identifies the controls chosen for an organization's environment. The SOA is derived from the risk assessment and explains how and why these controls are appropriate. Read The Importance of Statement of Applicability for ISO 27001, which discusses why an SOA is needed and why it is useful.

Summary

This lesson examined the principle of risk, which takes an event and combines its probability with its potential impact. Risk management is the process that an organization employs to identify, assess, and prioritize risk. The lesson discussed qualitative and quantitative risk analyses, which are both methods used to analyze and rank risk based on financial or operational impact and likelihood of occurrence. The lesson concluded with a discussion on evaluating security control measures.

What is the product of asset value and event frequency?

Calculating Risk
SLE = asset value × exposure factor. While the SLE is a valuable starting point, it only represents the single loss an organization would suffer. Since many organizations suffer the same loss multiple times a year, you have to take the ARO (annualized rate of occurrence) and include it in the formula.
How is EF calculated in SLE?

It is calculated as follows: SLE = AV x EF, where EF is the exposure factor. The exposure factor describes the loss that will happen to the asset as a result of the threat (expressed as a percentage value). SLE is $30,000 in our example, when EF is estimated to be 0.3.
What is the formula for ARO?

ARO = Incidents / Year

The Annualized Rate of Occurrence is the number of incidents per year.
What is AV in risk management?

The value of the asset (AV) is assessed first — $100,000, for example. Let's discuss the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs (expressed in monetary values). It is calculated as follows: SLE = AV x EF, where EF is the exposure factor.