Risk Assessment
Risk assessment is a subset of risk management where the company’s systems and procedures are audited for risk factors.

  • process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.
  • separate assessments can be used for initial evaluation and ongoing monitoring
  • methodologies include:
    • ad hoc
      • conducted as needed, in response to incidents
    • recurring
      • scheduled at regular intervals
    • one-time
      • comprehensive evaluations carried out at a particular point in time
    • continuous
      • constantly evaluate risks
      • supported by tools
  • different kinds are often combined to ensure effective identification and management of risk
  • reassessment of risks should occur whenever key risk indicators (KRIs) suggest the environment is undergoing significant change
  • overall status of risk management is referred to as risk posture
    • shows which risk response options can be identified and prioritized

Risk Identification

Risk identification, within overall risk assessment, is a specific process of listing sources of risk due to threats and vulnerabilities.

  • is the foundation for risk assessment and management practices
  • allows organizations to make informed decisions regarding:
    • resource allocation
    • risk mitigation strategies
    • overall risk management practices
  • risk categories:
    • External risks
      • malware attacks
      • phishing attempts
      • natural disasters
    • Internal risks
      • insider threats
      • equipment failures
      • mistakes from authorized users
      • misconfigurations
      • nontechnical risks like inadequate policies or training
    • Multiparty risks
      • are risks that impact more than one organization
      • power outage
      • compromise of SaaS database
    • Legacy systems
      • end of life devices
    • Software vulnerabilities
    • Intellectual property (IP) theft
    • Software compliance/licensing risks
      • occur when an organization licenses software from a vendor and runs afoul of usage limitations
      • expose org to financial and legal risk
  • identification methods:
    • vulnerability assessments
    • penetration testing
    • security audits
    • threat intelligence
    • and others

Risk Analysis vs. Risk Assessment

Risk analysis is the process for qualifying or quantifying the likelihood and impact of a risk factor.

  • aka risk calculation
  • aims to understand the nature and scope of risks
    • examines their causes, consequences, and concerns
  • to evaluate risk, consider:
    • likelihood of occurrence
      • may be expressed as the percentage chance that a threat will exploit a vulnerability over a specified period of time
    • impact
      • magnitude of the effect a risk has on an org if it occurs
      • e.g., expressed as the financial cost incurred as a result

Risk assessment is a systematic approach designed to estimate potential risk levels and their significance by interpreting data collected during risk analysis.

  • considers:
    • likelihood of an event occurring
    • severity of its consequences
  • may involve:
    • prioritizing risks based on their potential impact
    • defining risk management strategies

Quantitative Analysis

Quantitative risk analysis is a numerical method used to assess the probability of a risk and measure its impact in concrete figures.

  • value of an asset does not refer solely to its material value
  • two additional considerations:
    • direct costs associated with the asset being compromised (downtime)
    • consequent costs to intangible assets, such as the company’s reputation
  • value of quantitative analysis
    • is its ability to develop tangible numbers that reflect real money
    • helps to justify the costs of various controls
  • problem is
    • the process of determining and assigning these values is complex and time-consuming
    • accuracy of the values assigned is also difficult to determine without historical data

Process

  1. Determine asset value (AV) of the asset affected by the risk
    • asset valuation techniques
      • original cost
      • depreciated cost
      • replacement cost
  2. Determine likelihood of risk occurrence
    • typically on an annual basis
    • Annual rate of occurrence (ARO) is an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur
    • describes the number of times in a year that an event occurs
  3. Determine the amount of damage that will occur to the asset if the risk materializes
    • known as the exposure factor (EF)
      • expressed as the percentage of the asset expected to be damaged
      • e.g., if asset would be completely destroyed, then EF is 100%
  4. Calculate the single loss expectancy (SLE)
    • the amount that would be lost in a single occurrence of a particular risk factor
      • e.g.,
        • a tornado weather event will damage 40% of a building
        • EF is 40% because only part of the asset is lost
        • If the building is worth $200,000,
          • $200,000 × 0.4 = $80,000
  5. Calculate the annualized loss expectancy (ALE)
    • The total cost of a risk to an organization on an annual basis
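A worked version of the five steps above, added here as an example that is not part of the original notes. It reuses the tornado figures from step 4 ($200,000 building, EF 40%); the ARO of 0.1 and the hypothetical hardening control and its cost are constructed assumptions, included to show how the ALE is used to justify a control's cost.

```python
"""Quantitative risk analysis: AV, EF, ARO -> SLE -> ALE, then control justification.
Added illustration, not from the original notes. The ARO and control figures are
constructed assumptions; only the $200,000 / 40% tornado figures come from the notes."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float        # AV: value of the affected asset, in dollars
    exposure_factor: float    # EF: fraction of the asset lost per occurrence (0.0 to 1.0)
    annual_rate: float        # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: AV x EF, the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, the expected loss per year."""
        return self.sle() * self.annual_rate


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Annual value of a control: ALE reduction minus the control's yearly cost.
    A positive result is the quantitative argument for funding the control."""
    return before.ale() - after.ale() - annual_control_cost


# Tornado scenario from the notes: $200,000 building, 40% damaged per event.
# ARO of 0.1 (one event expected every ten years) is a constructed assumption.
tornado = RiskScenario(asset_value=200_000, exposure_factor=0.4, annual_rate=0.1)

# Hypothetical control: storm hardening that cuts EF to 10% at $3,000 per year.
hardened = RiskScenario(asset_value=200_000, exposure_factor=0.1, annual_rate=0.1)
HARDENING_COST_PER_YEAR = 3_000

if __name__ == "__main__":
    print(f"SLE: ${tornado.sle():,.0f}")    # $80,000
    print(f"ALE: ${tornado.ale():,.0f}")    # $8,000
    net = control_net_benefit(tornado, hardened, HARDENING_COST_PER_YEAR)
    print(f"Net annual benefit of hardening: ${net:,.0f}")    # $3,000
```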

Qualitative Analysis

Qualitative analysis is the process of determining the probability of occurrence and the impact of identified risks by using logical reasoning when numeric data is not readily available.

  • aims to provide a qualitative understanding of:
    • risks
    • their potential impact
    • the likelihood of their occurrence
  • benefit is its simplicity and ease of use
    • allows for a quick initial assessment of risks
  • frames risks by considering their
    • causes
    • consequences
    • potential interdependencies to improve risk communication and decision-making
  • limitations
    • is subjective in nature and heavily relies on expert judgment
    • introduces biases and inconsistencies

Inherent Risk

Inherent risk is the original level of risk before any controls are put in place to mitigate it.

  • is the result of a quantitative or qualitative analysis
  • not possible to eliminate the risk
    • rather the aim is to mitigate risk factors to the point where the organization is exposed only to a level of risk that it can tolerate
  • inherent because it is the level of risk inherent in the organization’s business

Heat Map

A risk heat map quickly summarizes risks and impact and allows senior leaders to quickly focus on the most significant risks facing an organization.

  • aka traffic light impact matrix or risk matrix
  • FIPS 199 discusses how to apply security categorizations (SC) to information systems based on the impact that a breach of confidentiality, integrity, or availability would have on the organization as a whole
    • Low
      • minor damage or loss to an asset or loss of performance (though essential functions remain operational)
    • Moderate
      • significant damage or loss to assets or performance
    • High
      • major damage or loss or the inability to perform one or more essential functions