Wednesday, 22 March, 2023
IT Security Guru

Risk Analysis: How To

by The Gurus
June 10, 2015
in This Week's Gurus

By: Dawid Czagan
The goal of risk management is to deliver optimal security at a reasonable cost. This article introduces quantitative risk analysis. It also describes cost/benefit analysis, risk handling, and types of countermeasures.

CIA Triad

Risk is related to vulnerabilities, which threaten the confidentiality (C), integrity (I), and availability (A) of assets. This is described as the CIA Triad.

  1. Confidentiality is about not disclosing sensitive information to people who are not authorized to see it.
  2. Integrity is about preserving the state of the system—we don’t want attackers to change our data.
  3. Availability is about keeping our systems up and running.

Quantitative Analysis

Quantitative analysis is about assigning monetary values to risk components. Let’s analyze the example of hard drive failure to better understand how it works.
Let’s first describe the threat, vulnerability, and risk.

  1. Threat—hard drive failure
  2. Vulnerability—backups done rarely
  3. Risk—loss of data

The asset is data. The value of the asset (AV) is assessed first—$100,000, for example.
Let’s discuss the single loss expectancy (SLE). It expresses the potential loss when the threat occurs once (in monetary terms). It is calculated as follows: SLE = AV x EF, where EF is the exposure factor. The exposure factor describes the fraction of the asset’s value that is lost as a result of the threat (expressed as a percentage). SLE is $30,000 in our example, when EF is estimated to be 0.3.
Let’s continue this case. The annualized rate of occurrence (ARO) is the estimated frequency of the threat occurring in one year. ARO is used to calculate the annualized loss expectancy (ALE). ALE is calculated as follows: ALE = SLE x ARO. ALE is $15,000 ($30,000 x 0.5), when ARO is estimated to be 0.5 (once in two years). As we can see, the risk combines the impact of the vulnerability on the business with the probability of the vulnerability being exploited.

Cost/Benefit Analysis

Let’s continue the example from the previous section. Annualized loss expectancy (ALE) is $15,000. This means that the potential loss is $15,000 in one year, when the data is lost as a result of the hard drive failure. A countermeasure can be used to reduce the potential loss. It happens when the management decides to reduce the risk. This countermeasure should not cost more than $15,000 per year. Otherwise it wouldn’t be logical from a business point of view (we don’t want to spend more money than we can potentially lose). This is basically how cost/benefit analysis works.
Let’s see how the annual value of the countermeasure to the company (COUNTERMEASURE_VALUE) can be calculated:
COUNTERMEASURE_VALUE = ALE_PREVIOUS – ALE_NOW – COUNTERMEASURE_COST, where
ALE_PREVIOUS: ALE before implementing the countermeasure
ALE_NOW: ALE after implementing the countermeasure
COUNTERMEASURE_COST: annualized cost of the countermeasure (please note that it’s not only the purchasing cost—maintenance cost is included).
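The SLE/ALE arithmetic from the quantitative analysis section and the countermeasure value formula above, worked through in code. This is an added example, not code from the original article; the article’s figures (AV = $100,000, EF = 0.3, ARO = 0.5) are used as given, while the post-backup EF of 0.05 and the $4,000 annual countermeasure cost are assumed values for illustration.

```python
# Added example (not from the original article): quantitative risk and
# cost/benefit calculations using the article's hard-drive-failure scenario.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: estimated occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def countermeasure_value(ale_previous: float, ale_now: float,
                         countermeasure_cost: float) -> float:
    """Annual value of a control to the company:
    COUNTERMEASURE_VALUE = ALE_PREVIOUS - ALE_NOW - COUNTERMEASURE_COST.
    A negative result means the control costs more than the loss it prevents."""
    return ale_previous - ale_now - countermeasure_cost


def max_acceptable_cost(ale_previous: float) -> float:
    """Upper bound on annual spend: never more than the loss we could suffer."""
    return ale_previous


# Article figures: data worth $100,000, EF 0.3, ARO 0.5 (once in two years).
before = RiskScenario(asset_value=100_000, exposure_factor=0.3, aro=0.5)
# Assumed (constructed) effect of daily backups: only one day's data is lost
# per failure, so EF drops to 0.05; the failure rate itself is unchanged.
after = RiskScenario(asset_value=100_000, exposure_factor=0.05, aro=0.5)
# Assumed (constructed) annualized cost of the backup solution, including
# maintenance, not just the purchase price.
BACKUP_COST_PER_YEAR = 4_000.0

if __name__ == "__main__":
    print(f"SLE before: ${before.sle():,.0f}, ALE before: ${before.ale():,.0f}")
    print(f"ALE after daily backups: ${after.ale():,.0f}")
    value = countermeasure_value(before.ale(), after.ale(), BACKUP_COST_PER_YEAR)
    print(f"Countermeasure value: ${value:,.0f} per year (worth it: {value > 0})")
```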

Risk Handling

Risk can be handled in the following ways:

  1. Risk reduction—the risk is reduced to an acceptable level (countermeasures are implemented; types of countermeasures are described in the next section).
  2. Risk avoidance—stopping the activity that leads to the risk.
  3. Risk transference—the risk is transferred to an insurance company.
  4. Risk acceptance—accepting the cost of the potential loss (no countermeasures).

Countermeasures

Let’s discuss the types of countermeasures (also called controls) that are implemented in the case of risk reduction. There are three types of countermeasures:

  1. Administrative (e.g., security awareness training should not be forgotten, because people are the weakest point in the security chain)
  2. Technical (e.g., firewall)
  3. Physical (e.g., locks)

Countermeasures are implemented to reduce the risk. The risk that exists when no countermeasure is implemented is called the total risk. Now let’s assume that a countermeasure is implemented. Perfect security doesn’t exist, so some risk is left. This is the residual risk.

Summary

This article introduced quantitative risk analysis. Single loss expectancy (SLE), exposure factor (EF), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) were described. It was also shown how cost/benefit analysis works. Finally, risk handling and types of countermeasures were discussed.

Dawid Czagan is a Security Researcher for the InfoSec Institute and has received numerous awards for discovering vulnerabilities. 

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic