WEBVTT

00:00.000 --> 00:03.915
>> Hi everybody. You've
identified risks.

00:03.915 --> 00:06.390
A lot of times this will
go in a document called

00:06.390 --> 00:08.220
a risk register which gives you

00:08.220 --> 00:10.310
a way to keep track
of your risks,

00:10.310 --> 00:12.765
and once you've identified
and documented the risks,

00:12.765 --> 00:16.290
the next step is to figure
out a value for the risk.

00:16.290 --> 00:18.270
When we talk about a value,

00:18.270 --> 00:20.730
what we mean is a
potential for loss.

00:20.730 --> 00:23.250
Does the risk have a high
potential to cost us a lot of

00:23.250 --> 00:25.080
money or could it cause

00:25.080 --> 00:27.465
a lot of damage to data
that is compromised?

00:27.465 --> 00:29.550
The next thing we're
going to do is figure

00:29.550 --> 00:31.815
out how to prioritize the risks.

00:31.815 --> 00:33.765
We have two types
of assessments.

00:33.765 --> 00:37.145
The first is a qualitative
assessment. It's easy to do.

00:37.145 --> 00:39.920
It's based on gut
instinct and is subjective.

00:39.920 --> 00:42.665
It doesn't involve research
or gathering data,

00:42.665 --> 00:44.270
but it relies on having

00:44.270 --> 00:46.265
expertise to make
this assessment.

00:46.265 --> 00:48.440
It can be an inexpensive
and quick way to

00:48.440 --> 00:51.229
begin the
prioritization process.

00:51.229 --> 00:53.690
We use terms like high, medium,

00:53.690 --> 00:54.740
or low to describe

00:54.740 --> 00:57.020
the probability and
impact of the risk.

00:57.020 --> 00:59.660
Probability is how likely
the risk event is to

00:59.660 --> 01:03.335
happen and impact is the
severity of the damage or loss.

01:03.335 --> 01:04.820
On the slide, you can see

01:04.820 --> 01:07.085
a probability and impact matrix.

01:07.085 --> 01:10.100
It's like a heatmap showing
that the events in green are

01:10.100 --> 01:11.480
low enough probability and

01:11.480 --> 01:13.265
impact that we can
live with them.

01:13.265 --> 01:14.750
The yellow ones are
ones that we're

01:14.750 --> 01:16.865
concerned about and
for the red ones,

01:16.865 --> 01:19.280
we need a very active
mitigation strategy

01:19.280 --> 01:22.265
and we should get it
implemented very quickly.

01:22.265 --> 01:25.040
Based on this type of
qualitative assessment,

01:25.040 --> 01:28.175
you know which types of risks
you need to address first.

01:28.175 --> 01:29.750
But if you really want to make

01:29.750 --> 01:31.760
a business decision
about how much money to

01:31.760 --> 01:33.560
spend to mitigate a risk you

01:33.560 --> 01:35.705
wouldn't rely on a
qualitative assessment.

01:35.705 --> 01:37.790
You'd use that to figure
out what to focus on

01:37.790 --> 01:41.180
first but to determine a
dollar amount to spend,

01:41.180 --> 01:43.070
you'd use quantitative analysis.

01:43.070 --> 01:44.420
In other words, you need

01:44.420 --> 01:46.880
a dollar value for the
potential for loss.

01:46.880 --> 01:49.280
That being said, you
can't always get

01:49.280 --> 01:51.715
a dollar value for a
potential for a loss.

01:51.715 --> 01:53.190
Sometimes, potential for

01:53.190 --> 01:55.400
a loss is hard to
measure in dollars.

01:55.400 --> 01:57.875
Things like loss of
company reputation,

01:57.875 --> 01:59.045
customer confidence,

01:59.045 --> 02:02.375
or employee satisfaction
are all hard to quantify.

02:02.375 --> 02:04.370
But for those risk
events that you can

02:04.370 --> 02:06.710
quantify, you should do so.

02:06.710 --> 02:09.485
It allows you to think
about the cost of the loss,

02:09.485 --> 02:12.080
figure out the cost of a
countermeasure and make

02:12.080 --> 02:15.440
a good decision based on
cost-benefit analysis.

02:15.440 --> 02:17.780
For quantitative
analysis, you gain

02:17.780 --> 02:20.285
more expertise and you
have to do a little math.

02:20.285 --> 02:21.590
Now on the exam,

02:21.590 --> 02:23.390
anytime that you have
to do some math,

02:23.390 --> 02:25.790
you will have a calculator
but you need to

02:25.790 --> 02:29.280
remember the formulas and the
terms I'm about to go over.

02:30.070 --> 02:33.800
We always start with
Asset Value, AV.

02:33.800 --> 02:36.320
What am I protecting
and what is it worth?

02:36.320 --> 02:39.710
Then we look at the
Exposure Factor, EF.

02:39.710 --> 02:42.710
The exposure factor means
the impact of the loss.

02:42.710 --> 02:45.410
As an example, in the event
of malware getting on

02:45.410 --> 02:48.125
our server, we will lose 20
percent of our data.

02:48.125 --> 02:51.065
That 20 percent is
the exposure factor.

02:51.065 --> 02:53.780
What we're ultimately
looking to come up with is

02:53.780 --> 02:56.705
a Single Loss Expectancy, SLE.

02:56.705 --> 02:58.820
This means how much
money do you lose

02:58.820 --> 03:01.460
every time this
event materializes.

03:01.460 --> 03:04.340
Then the frequency that
the event occurs is

03:04.340 --> 03:06.905
Annual Rate of Occurrence, ARO.

03:06.905 --> 03:08.615
That is tied to probability.

03:08.615 --> 03:12.050
How often per year is it
likely to materialize?

03:12.050 --> 03:13.940
When you take the
single loss and

03:13.940 --> 03:15.560
multiply it by the frequency per

03:15.560 --> 03:19.435
year you get the Annual
Loss Expectancy, ALE.

03:19.435 --> 03:22.160
In other words, how much
money you will lose per

03:22.160 --> 03:25.520
year based on how often
this event materializes.

03:25.520 --> 03:27.305
Total Cost of Ownership,

03:27.305 --> 03:30.710
TCO is the cost of
implementing a safeguard to

03:30.710 --> 03:32.300
include any upfront costs as

03:32.300 --> 03:34.490
well as ongoing
maintenance costs.

03:34.490 --> 03:36.685
Then we have the
Return On Investment,

03:36.685 --> 03:40.040
ROI which is the amount of
money you save by implementing

03:40.040 --> 03:41.970
the control and is
also referred to

03:41.970 --> 03:44.810
as the value of the
safeguard or control.

03:44.810 --> 03:47.600
Now, it's important to
note that the benefit of

03:47.600 --> 03:50.300
a safeguard may not always
be measured in dollars.

03:50.300 --> 03:52.130
Sometimes we implement a control

03:52.130 --> 03:53.690
in order to be in
compliance with

03:53.690 --> 03:56.270
regulation and we won't
have a dollar amount for

03:56.270 --> 04:00.240
that but the benefit is
that we are in compliance.

04:01.810 --> 04:04.325
These are the formulas.

04:04.325 --> 04:06.690
Single Loss Expectancy equals

04:06.690 --> 04:09.595
Asset Value times
Exposure Factor.

04:09.595 --> 04:13.955
As an example, let's say I
have a $300,000 warehouse,

04:13.955 --> 04:17.185
it catches fire and
70 percent is lost.

04:17.185 --> 04:21.570
A $300,000 asset
multiplied by a 0.70

04:21.570 --> 04:23.520
Exposure Factor equals

04:23.520 --> 04:27.790
a Single Loss
Expectancy of $210,000.

04:28.460 --> 04:31.435
How often does that
happen per year?

04:31.435 --> 04:34.325
Let's say it happens
once every 20 years.

04:34.325 --> 04:38.095
That's 0.05 for the Annual
Rate of Occurrence.

04:38.095 --> 04:42.000
The next formula is Annual
Loss Expectancy equals

04:42.000 --> 04:44.250
Single Loss
Expectancy multiplied

04:44.250 --> 04:45.855
by the Annual Rate
of Occurrence.

04:45.855 --> 04:49.050
That means $210,000
multiplied by

04:49.050 --> 04:52.980
0.05 which equals $10,500.

04:52.980 --> 04:55.370
The Annual Loss Expectancy is

04:55.370 --> 04:59.705
$10,500 before you've
implemented any controls.

04:59.705 --> 05:02.960
Now, we're going to want to
compare that to the cost of

05:02.960 --> 05:04.130
the control and figure out

05:04.130 --> 05:06.035
a positive return on investment.

05:06.035 --> 05:07.930
We have to figure
out what the cost of

05:07.930 --> 05:09.640
the control is which is going to

05:09.640 --> 05:13.775
be an initial fee
plus any yearly fees.

05:13.775 --> 05:16.660
Let's make the example easy and
say that the control is

05:16.660 --> 05:18.610
a fire suppression system and

05:18.610 --> 05:21.995
the cost of the control
is $5,000 per year.

05:21.995 --> 05:24.060
If that control were

05:24.060 --> 05:26.190
100 percent successful
and I went from

05:26.190 --> 05:30.300
losing $10,500 a year to
losing zero per year,

05:30.300 --> 05:34.005
then a $5,000 per year expense
seems a good investment.

05:34.005 --> 05:37.515
But usually, our controls are
not 100 percent effective.

05:37.515 --> 05:39.490
We have to determine
how much we're losing

05:39.490 --> 05:41.650
before we've implemented
the control and

05:41.650 --> 05:44.500
how much we lose after we
implement the control plus

05:44.500 --> 05:46.150
the annual cost
of the control to

05:46.150 --> 05:48.650
determine the Return
On Investment.

05:48.650 --> 05:50.920
Let's say that in our example,

05:50.920 --> 05:53.050
the control reduces
the Exposure Factor

05:53.050 --> 05:55.525
to 30 percent instead
of 70 percent.

05:55.525 --> 05:58.570
That means the new
SLE after control is

05:58.570 --> 06:04.435
$300,000 multiplied by
0.30 which equals $90,000.

06:04.435 --> 06:09.050
How much do I lose per year
after I mitigate the control?

06:09.050 --> 06:15.390
Well, $90,000 multiplied
by 0.05 equals $4,500.

06:15.390 --> 06:19.690
The new ALE after
control is $4,500.

06:19.690 --> 06:22.885
Instead of losing
$10,500 per year,

06:22.885 --> 06:26.185
I'm losing $4,500 per
year and I'm paying

06:26.185 --> 06:27.790
$5,000 per year for

06:27.790 --> 06:31.130
the control for a
total of $9,500 a year.

06:31.130 --> 06:35.350
That means my ROI is $1,000.

06:36.050 --> 06:38.210
The key takeaways for

06:38.210 --> 06:40.820
risk assessments are that
it's all about determining

06:40.820 --> 06:43.070
a value for risk or
your potential for

06:43.070 --> 06:46.475
loss and we can do that
with qualitative analysis.

06:46.475 --> 06:49.100
We're looking at probability
and impact and using

06:49.100 --> 06:52.150
those subjective ideas like
low, medium, and high.

06:52.150 --> 06:54.500
Or we can determine
a dollar value for

06:54.500 --> 06:57.215
that loss through
quantitative analysis.

06:57.215 --> 06:59.405
But remember, not all assets

06:59.405 --> 07:02.580
and not all risks
can be quantified.

