Quantitative and Qualitative Risk-Assessment Approaches

There are two commonly used risk-assessment approaches that essentially combine elements of risk management and risk analysis with financial impact and financial return on investment calculations. Determining which approach is best depends on the landscape of your IT infrastructure and assets and how your organization makes business decisions. Many organizations lack the adequate asset management, asset valuation, and intrinsic dollar valuation for their IT infrastructure and assets. Without accurate financials and access to financial data, conducting a quantitative risk assessment is difficult, if not impossible. In this case, organizations typically choose to do a qualitative risk assessment by assigning mission criticality values and priorities to those IT assets that are critical to the organization. This is a subjective prioritization that typically requires an organization's executive management team to define for the IT organization. This is why it is important to align an organization's business drivers, goals, and objectives with the overall risk assessment. The only tricky part is defining what the yardstick of measurement is for your organization (that is, what is most important to you, what threats you are most concerned with, and so on).

Quantitative Risk-Assessment Approach

Organizations that have accurate asset management, inventory management, annual software and hardware maintenance contracts, and access to accurate financials and depreciation schedules for IT assets typically conduct a quantitative risk assessment. A quantitative risk assessment is a methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized. Performing a methodical quantitative risk assessment involves assessing the asset value and the threats to those critical IT assets. This is accompanied by several calculations that provide insight into the cost magnitude elements of the security requirement.

Because of the direct relationship between the cost of security and the amount or level of security desired, conducting an asset valuation and a risk and threat analysis is a critical step in conducting a quantitative risk assessment. This critical step will assist organizations in making effective business decisions. By assessing the risks and threats and comparing them to quantitative and measurable financial impacts, an organization's management is better equipped to make sound business decisions pertaining to prioritizing investments for security controls and security countermeasures.

The following steps describe conducting a quantitative risk assessment for an IT asset:

1. Determine the Asset Value (AV) for each IT asset.

2. Identify threats to the asset.

3. Determine the Exposure Factor (EF) for each IT asset in relation to each threat.

4. Calculate the Single Loss Expectancy (SLE).

5. Calculate the Annualized Rate of Occurrence (ARO).

6. Calculate the Annualized Loss Expectancy (ALE).

The first step in conducting a quantitative risk assessment is to identify all the IT assets that will act as the IT infrastructure's asset inventory. These assets should then be prioritized in regard to the systems and applications that support the organization's business processes and functions.

The second step is to identify the likelihood of a threat occurring to those IT assets. These threats include both internal and external threats, natural and man-made threats, accidental or intentional threats, and hardware or software vulnerabilities. For each threat, the risk assessor must calculate the estimated impact of the threat on that IT asset and the likelihood of occurrence or probability that the threat will occur.

The third step is to define the exposure factor, which is the subjective, potential percentage of loss to a specific IT asset if a specific threat is realized. The exposure factor (EF) is a subjective value that the risk assessor must define. It is important to identify as many threats or vulnerabilities as possible so that a clear understanding of those risks can be derived when determining the EF value. This is usually expressed as a percentage of the likelihood of the threat occurring, similar to how weather reports predict the likelihood of rain. For example, a hurricane may be a serious catastrophic threat to an IT asset because it can wipe out an entire data center in an office building, but if that office building is located in New York City, the likelihood of occurrence or exposure factor is negligible. Although there are no predefined scales, percentages, or likelihood-of-occurrence values, the risk assessor must decide how best to derive the percentage.

The fourth step is to calculate the single loss expectancy (SLE). The SLE value is a dollar figure that represents the organization's loss from a single occurrence of a threat against this particular IT asset. This is a financially calculated value that provides a measurable figure that can be compared with the other IT assets the organization may have. This allows for a consistent and logical prioritization of all IT assets within an IT infrastructure, which in turn allows an organization to prioritize its security controls and security countermeasures according to the highest SLE calculated for an IT asset. These should be ranked from highest to lowest, providing a prioritization and SLE value that can be compared with all the other critical IT assets of the organization.

Single Loss Expectancy (SLE)

SLE = Asset Value ($) x Exposure Factor (EF)

The single loss expectancy for an IT asset is derived by multiplying the IT asset's value with the exposure factor or probability of occurrence of a specific threat. The SLE value will vary for different threats to the same IT asset, so these must be examined collectively.

Suppose Company ABC has a customer database that is valued at $850,000. This asset value was derived from the IT systems, resources, applications, and hardware, including the profit potential from the customer database for forecasted revenue and profitability.

If the customer database has a potential threat from a critical software bug that the vendor just identified, the potential for a threat being realized is real. Software vendors strive to develop a software patch or software update to address this known critical software bug. Remember, the goal of a software patch is to minimize the software vulnerability window so that users can obtain the software patch, deploy it on production server systems, and verify that the software vulnerability has been eliminated. Because of this known vulnerability, the risk assessor assigns an exposure factor of 25%. There is a 25% probability that this known vulnerability can be exploited by an attacker.

The calculated SLE would be as follows:

SLE = $850,000 (Asset Value) x 0.25 (Exposure Factor)

SLE = $212,500

If this customer database has a threat from malicious code or malicious software, and the server that the customer database resides in does not have antivirus or personal firewall protection, this could result in a significantly higher exposure factor. The risk assessor may provide a 75% probability that a virus, worm, or Trojan might attack the production server and customer database.

The calculated SLE would be the following:

SLE = $850,000 (Asset Value) x 0.75 (Exposure Factor)

SLE = $637,500

When the risk assessor defines an exposure factor or percentage probability of occurrence, many factors should be considered. What is most important is defining a consistent and standard method for probability of occurrence. This will allow for consistent and standard SLE calculations so that a ranking and prioritization of IT assets' SLE values can be accomplished.

The fifth step in a quantitative risk-assessment calculation for an IT asset is to assign a value for the annualized rate of occurrence (ARO). The ARO is a value that represents the estimated frequency at which a given threat is expected to occur. For the preceding customer database example, the two threats that were assessed were a critical software vulnerability and exposure to malicious code or malicious software because of the void in antivirus and personal firewall security countermeasures. Either of these threats being realized could cause a critical or major security incident. In the example of a critical virus infecting the customer database and the server that houses it, the ARO may be once every four years, so the ARO may be 0.25. If the threat was a hurricane and the IT data center was located in a hurricane belt, the ARO may very well be a higher value, such as 0.75 or even 0.80, given the frequency of potential hurricane damage.

The sixth step is to assign a value for the annualized loss expectancy (ALE). The ALE is an annual expected financial loss to an organization's IT asset because of a particular threat being realized within that same calendar year. The ALE is typically the value that executive management needs to assess the priority and threat potential if one were to occur. This is where the ROI or cost-benefit analysis comes into play, especially if you have to justify the cost of security controls and security countermeasures based on the calculated values pertaining to a quantitative risk assessment.

Annualized Loss Expectancy (ALE)

ALE = SLE ($) x Annualized Rate of Occurrence (ARO)

The annualized loss expectancy is derived by multiplying the SLE with the Annualized Rate of Occurrence (ARO).

The ALE is calculated by multiplying the SLE with the defined ARO. For the customer database example with a one-in-four-year threat potential of a critical virus, worm, or Trojan, the ALE would be as follows:

ALE = $637,500 x 0.25 = $159,375

So what does an ALE value of $159,375 mean? If the ALE for the customer database were $159,375, would the organization invest up to $159,375 in security controls and security countermeasures to ensure that the confidentiality, integrity, and availability goals and objectives of the organization are met? Ideally, yes, the organization would invest this amount of money toward protecting its customer database given the SLE and ALE potential.

This is where the ROI and cost benefit or cost of no investment warrants a decision from the organization's management group. IT security controls and security countermeasures are prioritized by calculating and aligning the ALE values for an organization's IT assets.
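The six-step quantitative procedure above, carried through in code for the customer database example, as an added illustration that is not part of the original text. The $850,000 asset value, the 25% and 75% exposure factors, and the 0.25 ARO for the virus threat come from the example; the 0.5 ARO for the software vulnerability, the $40,000 annual countermeasure cost, and the reduced exposure factor after the control is deployed are constructed assumptions for the cost-benefit step.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost if realized (0.0 to 1.0)
    annual_rate: float      # ARO: expected occurrences per year (0.25 = once every four years)


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV in dollars
    threats: tuple


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """Step 4: SLE = AV x EF. Rejects an EF outside the 0-100% range."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 6: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def rank_threats(asset: Asset) -> list:
    """Return (threat name, SLE, ALE) for every threat, highest ALE first."""
    rows = []
    for t in asset.threats:
        sle = single_loss_expectancy(asset.value, t.exposure_factor)
        rows.append((t.name, sle, annualized_loss_expectancy(sle, t.annual_rate)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def countermeasure_is_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost-benefit check: a control pays for itself when the ALE it removes exceeds its annual cost."""
    return (ale_before - ale_after) > annual_cost


# Constructed sample data: values from the text, with an assumed ARO of 0.5 for the software bug.
CUSTOMER_DB = Asset("Customer Database", 850_000.0, (
    Threat("Critical software vulnerability", exposure_factor=0.25, annual_rate=0.5),
    Threat("Virus/worm/Trojan on unprotected server", exposure_factor=0.75, annual_rate=0.25),
))
```

`rank_threats(CUSTOMER_DB)` reproduces the $637,500 SLE and $159,375 ALE for the malicious-code threat and ranks it above the software vulnerability; `countermeasure_is_justified` then compares that ALE against the ALE recalculated with an assumed lower exposure factor once antivirus is deployed.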


Qualitative Risk-Assessment Approach

A qualitative risk assessment is scenario based, where one scenario is examined and assessed for each critical or major threat to an IT asset. A qualitative risk assessment examines the asset, the threat, and the exposure or potential for loss that would occur if the threat were realized on the IT asset. A qualitative risk assessment requires the risk assessor to assess and play "What If?" regarding specific threat conditions on IT assets. Qualitatively, the risk assessor must conduct a risk and threat analysis and assess the impact of that threat on the IT asset. This must be done consistently and without bias for all IT assets and their identified threats as part of the scenario-based assessment. For example, a data classification standard will dictate the importance of data and the IT systems, resources, and applications that support that data. This data classification standard will dictate the level of security controls and security countermeasures needed for the different types of data, some confidential and some in the public domain.

The purpose of a qualitative risk assessment is to provide a consistent and subjective assessment of the risk to specific IT assets. This typically involves a group or team of members participating in the assessment. All members of the IT organization should participate in risk assessments for various IT assets within the seven areas of information security responsibility; thus, the IT staff and those responsible for maintaining the confidentiality, integrity, and availability of the IT asset all have ownership. Within each of the seven areas of information security responsibility, for example, assets, threats, and their exposure can be assessed. A qualitative risk assessment is scenario based, with an examination of the IT asset, the threat (there can be more than one), and then the exposure of that threat on the IT asset.

Qualitative Risk Assessment Example

Qualitative risk assessments are based on scenario analyses of threats to specific IT assets and the exposure or criticality of those threats to the IT asset. There can be more than one threat scenario per IT asset that must be considered.

For example, a qualitative risk assessment could consider the customer database example in the following scenarios. This ranking allows the organization to prioritize its investments for security controls and security countermeasures according to the defined exposure or risk factor of the threat occurring.

Asset                    Threat              Exposure
Facility Power [(A)]     Loss of Power       Critical
Customer Database [(B)]  SW Vulnerability    High
Customer Database [(C)]  Virus Attack        Medium
Customer Database [(D)]  Loss of Data        Low


[(A)] Loss of power as a result of a major weather storm, with no significant battery backup time or diesel generator for emergency electric power.

[(B)] The software vulnerability is a critical software defect that puts the customer database and the server it resides on at risk, especially because the vulnerability window is open for a potential attacker to exploit.

[(C)] The customer database and server, although unprotected by antivirus and antispyware, have daily automated backups and offsite storage of the customer database. Although a complete system rebuild would take time, the customer database can be recovered minus any data lost since the previous business day. Because viruses can disguise themselves well, it is possible that the backup has been infected as well, which raises the exposure to medium.

[(D)] The customer database, because of daily tape backups and offsite storage of the backup tape, has a low exposure because the data lost would be limited to the interval between the previous customer database backup and the time the customer database lost the data.
