Risk related concepts II.

PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)



Page 2

Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Industry Certifications

Education: M.B.A., IT Management, Western Governor's University; B.S., IT Security, Western Governor's University

Qualifications Summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.


Page 3

PACE-IT – Risk related concepts II.

– Qualitative vs. quantitative risk assessments.

– Other risk calculation factors.


Page 4

Qualitative vs. quantitative risk assessments.


Page 5

Many businesses dedicate a fair amount of their resources, both money and time, to performing risk assessments.

In most cases, risk assessments may be broken into one of two categories: they are either qualitative or quantitative assessments.

Qualitative assessments are conducted based on the probability, or likelihood, of the risk occurring and the expected impact on the business. This type of assessment is not really concerned about the actual dollar impact.

Quantitative assessments are conducted based on the projected cost in dollars if a risk event occurs.


Page 6


– Qualitative assessments.

» Basic formula: risk = probability/likelihood X loss/impact.

» Several tables are built using the variables of the formula.

• A risk table outlines the possible events (e.g., a data breach or hard drive failure).

• A probability/likelihood table outlines the possibility of the event occurring (e.g., not likely, likely, or most likely) with a value assigned to the likelihood.

• A loss/impact table outlines the impact to the business if the event occurs (e.g., minor, medium, or major) with a value assigned to the loss.

» The tables are used collectively to create the qualitative risk assessment.

» Often, qualitative assessments are used to determine which assets and risks require a quantitative risk assessment.

• Quantitative risk assessments require more time and effort.
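The three tables above combined into a working qualitative assessment, as an added example that is not part of the PACE-IT slides: the events, the likelihood and impact labels, and the numeric values assigned to each label are constructed sample values, and the threshold that decides which risks go on to a quantitative assessment is an assumption.

```python
# Added example (not from the PACE-IT slides): a qualitative risk assessment
# built from the risk, likelihood and impact tables the slide describes.
# Label values and the threshold are assumptions for the demonstration.
from dataclasses import dataclass

# Probability/likelihood table: label -> value assigned to the likelihood.
LIKELIHOOD = {"not likely": 1, "likely": 2, "most likely": 3}
# Loss/impact table: label -> value assigned to the loss.
IMPACT = {"minor": 1, "medium": 2, "major": 3}


@dataclass(frozen=True)
class RiskEntry:
    event: str        # one row of the risk table
    likelihood: str   # key into LIKELIHOOD
    impact: str       # key into IMPACT


def risk_score(entry: RiskEntry) -> int:
    """risk = probability/likelihood X loss/impact, using the table values."""
    return LIKELIHOOD[entry.likelihood] * IMPACT[entry.impact]


def qualitative_assessment(entries, threshold: int):
    """Score every event, rank them, and flag those at or above the
    threshold as needing the costlier quantitative assessment."""
    ranked = sorted(entries, key=risk_score, reverse=True)  # stable sort
    return [(e.event, risk_score(e), risk_score(e) >= threshold) for e in ranked]


# Constructed risk table (sample events from the slide plus two more).
RISK_TABLE = [
    RiskEntry("data breach", "likely", "major"),
    RiskEntry("hard drive failure", "most likely", "medium"),
    RiskEntry("office coffee machine outage", "most likely", "minor"),
    RiskEntry("datacenter flood", "not likely", "major"),
]

if __name__ == "__main__":
    for event, score, needs_quant in qualitative_assessment(RISK_TABLE, threshold=6):
        print(f"{event:30} score={score} quantitative={'yes' if needs_quant else 'no'}")
```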


Page 7


– Quantitative assessments.

» Involve using the actual cost of a threat event to help determine how much to spend on preventative measures.

• It doesn't make sense to spend more than the actual cost.

» Quantitative risk assessments can help when budgeting for a security solution to reduce the risk of occurrence.

• Step 1: determine the value of the asset (may be the cost to replace, the cost of downtime, etc.).

• Step 2: determine the exposure factor (EF)—the cost of a threat event expressed as a percentage of the value of the asset.

• Step 3: determine the single loss expectancy (SLE)—the value multiplied by the EF.

• Step 4: determine the average rate of occurrence (ARO)—the number of times the threat event is estimated to occur each year.

• Step 5: determine the average loss expectancy (ALE)—the SLE multiplied by the ARO.

• Step 6: determine what security solution (that falls below the ALE) will mitigate the risk.
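Steps 1 through 6 carried through in code, as an added example that is not part of the PACE-IT slides; the asset value, exposure factor, ARO and control prices are constructed figures. (The slides call ARO and ALE "average"; the Security+ objectives name them annualized rate of occurrence and annualized loss expectancy, which is what the code computes.)

```python
# Added example (not from the PACE-IT slides): the quantitative steps as
# functions, plus the step-6 check that a control costs less than the ALE.
# All dollar values, percentages and rates below are constructed.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 3: SLE = asset value X EF. EF is a fraction of the asset value."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Step 5: ALE = SLE X ARO. ARO may be fractional (0.5 = once in two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def quantitative_assessment(asset_value: float, exposure_factor: float, aro: float):
    """Steps 1-5 in one call: returns (SLE, ALE) for the asset."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    return sle, annual_loss_expectancy(sle, aro)


def control_is_justified(ale: float, annual_control_cost: float) -> bool:
    """Step 6: a control is worth buying only if its yearly cost falls below
    the ALE it mitigates; spending more than the expected loss makes no sense."""
    return annual_control_cost < ale


# Constructed scenario: a $50,000 file server, a hard drive failure expected
# to destroy 60% of its value (EF = 0.60), estimated once every two years.
if __name__ == "__main__":
    sle, ale = quantitative_assessment(50_000, 0.60, 0.5)
    print(f"SLE=${sle:,.0f}  ALE=${ale:,.0f}")
    for name, cost in [("nightly offline backups", 4_000), ("hot standby server", 20_000)]:
        verdict = "justified" if control_is_justified(ale, cost) else "exceeds ALE"
        print(f"{name}: ${cost:,}/year -> {verdict}")
```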


Page 8

Other risk calculation factors.

Page 9


– MTTF (mean time to fail).

» The average time a device is expected to be operational in production before it fails, usually as reported by the manufacturer (non-recoverable occurrence).

– MTBF (mean time between failures).

» The average time between failures of a system or device.

– MTTR (mean time to restore/recover).

» The average time required to restore or recover when a failure occurs.

– RTO (recovery time objective).

» The amount of allowable time before a system or device can be down (e.g., one hour, 24 hours, or 15 minutes).

– RPO (recovery point objective).

» Represents the portion of the system that is expected to be recovered after a failure (e.g., all of it or from the point of last backup).


Page 10

What was covered.

Topic: Qualitative vs. quantitative risk assessments.

Summary: Qualitative risk assessments are subjective assessments based on the likelihood of occurrence and the expected impact (risk = likelihood X impact). Quantitative risk assessments require more resources to conduct, but put an expected dollar amount on a risk event (ALE = SLE X ARO). Quantitative assessments can be used to determine how much money can be spent on mitigation.

Topic: Other risk calculation factors.

Summary: When conducting a quantitative risk assessment, there are some factors that may come into the cost equations. They include: MTTF, MTBF, MTTR, RTO, and RPO.


Page 11

THANK YOU!


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.