Saturday, November 04, 2017

Risk Management - Quantitative risk assessment

The name gives away the type of assessment we are talking about. "Quantitative", according to Google Translate:

relating to, measuring, or measured by the quantity of something rather than its quality.

Although it will not always be possible to put a $ value on a risk, with quantitative risk assessment that is the goal, and it can be achieved for assets that are tangible (server, safe, storage...) or intangible (patent, software...).

Step 1

Determine the asset you wish to protect and the threat that puts that asset at risk.

Step 2

AV - determine the Asset Value in $.

EF - assess the Exposure Factor, that is, how badly the asset would be impacted if the threat were realized; the value is a percentage of the asset value.

SLE = AV * EF, the Single Loss Expectancy, or in other words the $ value of a single incident.

ARO - Annual Rate of Occurrence, basically a count of how many times we expect that incident to happen in one year. It can be a whole number or a fraction; for example, if we know that a major earthquake in our area happens once every 100 years, then the ARO would be 1/100 = 0.01.

ALE = SLE * ARO, the Annual Loss Expectancy: taking the single loss $ value times the annual rate gives us the $ value of our risk per year.

That is not the whole deal, though: once we have the $ value of our risk we want to see if we can reduce it, or alternatively we need to accept it, for example if the cost of reducing it is higher than the risk itself.

Step 3

So the next step is to identify the risk mitigation/reduction tools (safeguards), and once we understand them we go back and recalculate the ALE as it would be after implementing our safeguards.

ALE1 (before implementing safeguards)
ALE2 (after implementing safeguards), also called the Residual Risk
Safeguards - the annual cost of the countermeasures, e.g. FW, IPS/IDS, fence, fire system

ALE1 - ALE2 - Safeguards = Risk Mitigation Value

A negative Risk Mitigation Value is tricky, as there is no clear return on investment for putting the countermeasures in place, so your other options are:

Accept the risk by an executive decision that must be documented.
Share the risk, for example by buying an insurance policy.
Avoid the risk: this is not always possible, but where it is, avoiding an activity or a usage may eliminate the risk entirely.

Note: ignoring the risk is never a valid option!
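The Step 2 and Step 3 calculations as a small worked script. This is an added example, not code from the original post; the data centre, the earthquake figures and the two safeguards are constructed sample values, and EF is expressed as a fraction (0.5 = 50%).

```python
from dataclasses import dataclass


@dataclass
class Safeguard:
    """A countermeasure: what it costs per year and what risk remains with it in place."""
    name: str
    annual_cost: float   # $ per year to run the safeguard
    residual_ef: float   # exposure factor left once the safeguard is in place (fraction)
    residual_aro: float  # annual rate of occurrence left once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: $ value of one incident (SLE = AV * EF)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual Loss Expectancy: SLE times how often we expect it per year (ALE = SLE * ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def risk_mitigation_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Step 3: ALE1 (no safeguard) - ALE2 (residual risk) - annual safeguard cost."""
    ale1 = ale(av, ef, aro)
    ale2 = ale(av, sg.residual_ef, sg.residual_aro)
    return ale1 - ale2 - sg.annual_cost


def decide(av: float, ef: float, aro: float, sg: Safeguard) -> str:
    """Positive value: the safeguard pays for itself. Negative: fall back to accept/share/avoid."""
    if risk_mitigation_value(av, ef, aro, sg) >= 0:
        return "mitigate"
    return "accept, share or avoid"


# Constructed sample: a $1M data centre, earthquake EF 50%, ARO once per 100 years.
AV, EF, ARO = 1_000_000.0, 0.5, 0.01
BRACING = Safeguard("seismic bracing", annual_cost=2_000.0, residual_ef=0.1, residual_aro=0.01)
RELOCATION = Safeguard("relocate site", annual_cost=10_000.0, residual_ef=0.1, residual_aro=0.01)

if __name__ == "__main__":
    print(f"SLE ${sle(AV, EF):,.0f}  ALE ${ale(AV, EF, ARO):,.0f}")
    for sg in (BRACING, RELOCATION):
        print(f"{sg.name}: value ${risk_mitigation_value(AV, EF, ARO, sg):,.0f} -> {decide(AV, EF, ARO, sg)}")
```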