WEBVTT

00:00.270 --> 00:07.400
If you're going to be calculating your risk it's nice when we have quantitative ways to go about that

00:07.410 --> 00:14.430
so we'd actually determine in real dollars or labor or time how much a particular incident is going

00:14.430 --> 00:16.580
to affect a particular asset.

00:16.620 --> 00:20.560
So to do this the first thing we have to do is pick an asset.

00:20.550 --> 00:23.630
So I'm going to pick one of these little routers here.

00:23.650 --> 00:28.500
Now this router right here has an asset value.

00:28.500 --> 00:33.030
Now you might be tempted at first to simply go oh well the asset value is how much has it cost to buy

00:33.030 --> 00:33.570
a new one.

00:33.720 --> 00:35.610
But it's more complicated than that.

00:35.670 --> 00:41.010
Now if you take a look at this router the actual cost to buy a new one the replacement cost is about

00:41.010 --> 00:44.790
say $2500 but that's not all we need to consider.

00:44.790 --> 00:48.520
For example I need someone to come out and fix the thing so.

00:48.580 --> 00:50.740
And that's going to cost me 500 bucks.

00:50.820 --> 00:57.960
And it's also going to take a full day to get it replaced so we actually have a $500 per day cost just

00:58.290 --> 01:04.100
to get the thing on there on top of the cost so we're really talking about $3000 replacement cost.

01:04.110 --> 01:06.220
The other big issue is revenue.

01:06.300 --> 01:13.160
If this router is making me $2000 a day and it takes me a day to replace it I have to add that on to

01:13.170 --> 01:14.480
the replacement cost.

01:14.490 --> 01:18.820
So now we're talking about an asset value of around $5000.

01:19.110 --> 01:24.810
So an asset value in this particular example we're using this router but it doesn't have to be placed

01:24.810 --> 01:26.750
on that individual piece of equipment.

01:26.910 --> 01:32.370
Let's say you've got a big server room that's got millions of dollars worth of equipment and air conditioners

01:32.370 --> 01:38.970
and re ceilings and cabling and all kinds of stuff you can place an asset value on that thing completely

01:38.970 --> 01:40.190
in one big piece.

01:40.320 --> 01:44.670
And that's actually kind of important as we talk about the next thing to talk about with quantitative

01:44.670 --> 01:51.180
risk calculation your exposure factor the exposure factor is nothing more than the percentage of an

01:51.180 --> 01:54.950
asset that's lost as the result of a particular incident.

01:54.960 --> 02:02.010
So down here in Houston we have a lot of flooding so if we take that router and water fills up my router

02:02.010 --> 02:05.380
Well that's pretty much a 100 percent write off.

02:05.520 --> 02:11.200
So in that particular situation we'd say we have an exposure factor of 1 now.

02:11.280 --> 02:13.570
Exposure factors don't always have to be one.

02:13.680 --> 02:16.470
Let's use my server room as an example.

02:16.470 --> 02:18.070
Now if we had some flooding there.

02:18.150 --> 02:22.410
Oh the flooding might come up a little bit but there's still plenty of equipment that's fine.

02:22.410 --> 02:27.600
So in this case I might have to replace some cables a couple of power supplies that were down on the

02:27.600 --> 02:28.620
floor things like that.

02:28.620 --> 02:30.800
But generally most of the equipment is OK.

02:30.810 --> 02:35.860
So in that case I would make an exposure factor of say point seven five.

02:36.100 --> 02:44.790
Now with an asset value and a exposure factor we can create what's known as a single loss expectancy

02:45.120 --> 02:52.350
the single loss expectancy or so he is equal to the asset value times the exposure factor for any one

02:52.350 --> 02:54.200
particular incident.

02:54.210 --> 03:01.470
Now going through the example then using my router I would say by router which has a $5000 asset value

03:01.770 --> 03:09.370
and exposure factor of one for flooding the SLV for that particular example would be $5000.

03:09.390 --> 03:14.250
So we understand that a s l e is a particular value.

03:14.250 --> 03:17.640
Now the problem is how often is this going to happen.

03:17.640 --> 03:22.070
What is the chances of this taking place in that case.

03:22.080 --> 03:26.370
What we're most interested in is the annualized rate of occurrence.

03:26.370 --> 03:32.280
Look if you're going to be doing security for a living you have to be able to budget stuff.

03:32.310 --> 03:40.260
So we like to budget on an annualized basis and that's where HRO comes into play the A R O is the annualized

03:40.260 --> 03:41.430
rate of occurrence.

03:41.440 --> 03:47.190
Basically any given year what are the chances of this particular incident taking place.

03:47.190 --> 03:53.280
So again going with the flooding in Houston we get one good flood Houston about every 20 years so the

03:53.280 --> 03:59.130
chances of my let's go with the server room the chase of my server room flooding every 20 years is equal

03:59.130 --> 04:02.050
to one over 20 or point zero five.

04:02.050 --> 04:05.980
Now if we've got that point 0 5 we can do something very cool.

04:06.120 --> 04:13.980
We can take our single loss expectancy and we can multiply that times the HRO to get the holy grail

04:14.370 --> 04:16.350
of quantitative risk calculation.

04:16.350 --> 04:23.850
The annualized loss expectancy with the Aley we can say in real dollars based on a percentage chance

04:23.850 --> 04:31.050
of something happening how much that is going to cost the annualized loss expectancy is a really important

04:31.050 --> 04:37.850
value for us because as a security person I can actually put into real dollars on an annualized basis

04:37.860 --> 04:40.390
what is the cost of this particular incident.

04:40.530 --> 04:45.740
And I can use that to help decide how Im going to be dealing with that particular risk mitigation avoidance

04:45.750 --> 04:47.480
whatever you want to do.

04:47.640 --> 04:53.280
Now the other place where things become very interesting is that Ive got a lot of equipment in my infrastructure

04:53.640 --> 04:58.470
and the nice part about a lot of this equipment is that we have great data that goes back years and

04:58.470 --> 05:04.320
years for routers lightbulbs and electrical motors and all kinds of stuff that helps us get an idea

05:04.320 --> 05:06.310
of how long something's going to last.

05:06.420 --> 05:08.520
So let's take a look at those values real quick.

05:08.640 --> 05:13.110
I've got this router here now from historical perspective.

05:13.110 --> 05:18.380
Cisco knows how long this router will work until it doesn't work anymore.

05:18.390 --> 05:21.510
So to make you guys understand this let's draw a little graph.

05:21.510 --> 05:25.230
So the X axis of my graph is time r.k.

05:25.350 --> 05:31.560
And then on my y axis I'm going to either say either it's it's good or here at the bottom I'm going

05:31.560 --> 05:33.240
to say it's failed.

05:33.240 --> 05:38.760
So basically we're going to start a line here that says the router is good over time.

05:38.820 --> 05:41.000
And then at some point it fails.

05:41.040 --> 05:43.130
Boom so it drops all the way down.

05:43.170 --> 05:49.420
Now now we've got a failure so what we first want to calculate is the amount of time that it's down.

05:49.650 --> 05:56.240
So here it's down we're ordering a new router or we're looking for a new part or whatever it is.

05:56.310 --> 05:59.100
And then there's a point where it's actually working again.

05:59.100 --> 06:01.500
So here we are now we're working.

06:01.620 --> 06:09.690
So that time right there is what we call from the failure to the repair is the mean time to repair or

06:09.690 --> 06:11.120
end TTR.

06:11.550 --> 06:16.080
OK so now it's doing just fine and it's working and here goes dead at EDID.

06:16.260 --> 06:18.770
And boom all of a sudden it dies again.

06:18.810 --> 06:26.490
So the time from when it was repaired to the time that it fails again is called the mean time to failure.

06:26.490 --> 06:32.130
So arguably we could go put Mean Time to failure here at the beginning as well so from the moment we

06:32.130 --> 06:34.040
bought it until it failed.

06:34.170 --> 06:37.880
Is also the mean time to failure.

06:38.070 --> 06:43.590
Now if you are going to combine the mean time to repair and the mean time to failure.

06:43.590 --> 06:50.280
So what we're going to get is a line here that calls mean time between failures so the MTBF is the time

06:50.280 --> 06:56.450
from a failure all the time to repair and then the time until it fails again.

06:56.880 --> 07:01.230
The only other thing I want you to be comfortable with when we're talking about these values is that

07:01.230 --> 07:06.570
mean time between failures is usually applied to something that can be repaired.

07:06.570 --> 07:11.500
For example this router right here has an MTBF provided to me from Cisco.

07:11.520 --> 07:16.950
So for example I can go into this thing and fix I replace the power supply and here I can put a new

07:16.950 --> 07:19.550
board in it surprise you know how much I can do.

07:19.620 --> 07:24.170
Meantime to failure however is normally applied to things that you can't fix.

07:24.180 --> 07:29.340
So I mean time to failure would be something we'd apply to a lightbulb for example because I don't know

07:29.340 --> 07:32.800
about you but you have the skills to fix something like that.

07:32.820 --> 07:38.430
Now we've gone through a lot of calculations in this episode and let me warn you friends you will need

07:38.430 --> 07:41.550
to be able to generate these calculations on the exam.

07:41.610 --> 07:44.790
So take some time practice with these and do a little research.

07:44.790 --> 07:49.340
You'd be surprised how much great stuff is out there online for you to play with to get an idea of how

07:49.340 --> 08:07.120
all this works.