In the last lesson, we discussed qualitative risk analysis and the lack of numbers that it used. Now, we're going to look at the other side of the equation: quantitative risk analysis, which heavily relies on numbers and monetary values for all parts of the risk analysis. This includes numerically assigning values to the value of the assets, the threat frequency, the severity of the vulnerabilities, and the impact of the realization of a given threat. Now, with quantitative risk analysis, this is going to remove much of the estimation and guesswork from a risk assessment, because it's going to turn this into a large math problem instead. Equations are used to determine the total and residual risk, as well as provide you with a cost directly associated with those risks. This is going to allow us to have a numerical method to represent the magnitude of the impact of a risk. The magnitude of impact is an estimation of the amount of damage that a negative risk might achieve. This is also known as a risk impact, and it can be measured financially using quantitative methods or qualitative methods.
Now, when rating risk, it's usually done on a scale with negligible losses being classified as a low level, and significant losses being classified as a high level. Most often, though, managers prefer to have these risks represented by a quantitative method, resulting in a financial number. These fiscal values allow personnel in the organization to better understand the cost associated with a given risk and its impact. The three most common calculations used in determining the magnitude of an impact in a quantitative risk analysis are the Single Loss Expectancy, or SLE, the Annualized Rate of Occurrence, or ARO, and the Annualized Loss Expectancy, or ALE. Let's start with Single Loss Expectancy. Single Loss Expectancy is the cost associated with the realization of each individualized threat that occurs. It's calculated by multiplying the asset's value times an exposure factor. Now, the exposure factor is simply the amount of the asset that's going to be lost if the threat is realized. Let's look at an example of this.
If I have a file server that has an asset value of $10,000, and a given threat against it of a power failure that would reduce the functionality of the file server down to 20%, this means my exposure factor is 20%. Then, the single loss expectancy for a given realization of this power loss would be $2000. That would be the 20% times 10,000. Now, the next concept we have is an Annualized Rate of Occurrence, or ARO. ARO is calculated simply by determining how many times per year a threat is going to be realized. Now, the Annual Loss Expectancy, on the other hand, is the expected cost of a realized threat over a given year. This is calculated by multiplying the Single Loss Expectancy times the Annual Rate of Occurrence, so going back to our file server example, we have a single loss expectancy of $2000. Now, if the power loss occurs three times in a given year, that would be $2000 times three times a year, which gives us $6000 for our annualized loss expectancy, or ALE.
Now, on the other hand, if we expect to lose power only once every two years, that means we're going to multiply the $2000 single loss times 50%, or once every two years, one-half. Now, this gives us an annualized loss expectancy of only a thousand dollars. Now, it's great that we learned how to calculate these three values, but why is this important? Well, the ALE is really important to us because we use it in our decision-making. If we're afraid of losing power to our servers, well, there are some controls that we can put in place to prevent this from occurring. If we decide we wanted to build a really redundant power supply that serves the entire server room, and it's going to make it really, really secure, we can add up all the construction costs and the equipment costs and compare that to the ALE and determine if it's a good investment, so in our example, let's say that it cost us $200,000 to build out a really great server room that's going to make sure we never, ever lose power. We've got battery backups, we've got generators; all that kind of stuff.
Now, how long would it take for us to make back that initial investment of $200,000 by offsetting the risk that that ALE represents? Well, if we take our annualized loss expectancy, and it was $6000 because we lost power three times every year, it's going to take us over 33 years for us to make up that capital expenditure of $200,000, so I'm no mathematician, but I think we probably shouldn't do it. Based on that magnitude of impact, it just doesn't make sense for us to move forward with building a $200,000 server room to address a threat that we wouldn't even lose $6000 a year on. This is why managers love quantitative risk analysis, because it makes decision-making really easy, because you can just start comparing numbers to make up your mind, instead of having to rely on your expertise and your experience. It's also easier to justify to upper management if they make a bad decision based on numbers, because if the decision turns out wrong, but the numbers supported it, that's really a risk mitigation in their own career.
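The SLE, ARO and ALE calculations from the file server example, together with the payback comparison against the $200,000 server room, carried through in Python as an added example that is not part of the lecture. The `Risk` class and `payback_years` helper are constructed for this illustration, and the "protected" case assumes, as the lecture does, that the control drives the rate of power loss to zero.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, using the lecture's three quantities."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # Annualized Rate of Occurrence (occurrences per year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one realized threat (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly cost (SLE x ARO)."""
        return self.sle() * self.aro


def payback_years(control_cost: float, before: Risk, after: Risk) -> float:
    """Years for the yearly loss a control avoids (ALE before minus ALE after)
    to repay its up-front cost; inf when the control avoids no loss at all."""
    avoided_per_year = before.ale() - after.ale()
    if avoided_per_year <= 0:
        return float("inf")
    return control_cost / avoided_per_year


# Constructed from the lecture: AV $10,000, EF 20%, power lost three times a year.
file_server_3x = Risk(asset_value=10_000, exposure_factor=0.20, aro=3)
# Same threat when power is lost only once every two years (ARO = 0.5).
file_server_half = Risk(asset_value=10_000, exposure_factor=0.20, aro=0.5)
# Hypothetical hardened server room: the lecture assumes power is never lost (ARO = 0).
file_server_protected = Risk(asset_value=10_000, exposure_factor=0.20, aro=0)

if __name__ == "__main__":
    print(f"SLE: ${file_server_3x.sle():,.0f}")              # $2,000
    print(f"ALE at 3/yr: ${file_server_3x.ale():,.0f}")      # $6,000
    print(f"ALE at 0.5/yr: ${file_server_half.ale():,.0f}")  # $1,000
    years = payback_years(200_000, file_server_3x, file_server_protected)
    print(f"Payback on a $200,000 server room: {years:.1f} years")  # 33.3 years
```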
Now, with all that being said, it's important to realize that in reality, a good IT director isn't going to rely solely on quantitative analysis, but instead we use hybrid approaches. This is often because there's not enough data to accurately use a quantitative method on its own, so we're going to bring in our experience and that qualitative means also and factor that into the analysis. There's always some level of subjectivity to the data, making most analysis a combination of quantitative and qualitative approaches. This is why IT directors tend to be people with years of experience in the world of IT and security, because they need that prior experience to rely on when they're making decisions, because you can't factor in just those quantitative assessments, and you have to bring in that knowledge and experience to get a more accurate picture.