Risk Assessment
There are generally two types of risk assessment: quantitative and qualitative.
Quantitative means you can put a number on the risk; qualitative means the rating is subjective, usually a scale or a category rather than a figure. Ideally we would use a quantitative approach when we can. But in cybersecurity we generally can't, because the field is still immature: there is rarely enough reliable loss and frequency data to put defensible numbers on an incident. So we fall back to a qualitative approach.
Risk Management
There are four ways to treat a risk. Avoid it: don't do the activity at all. Mitigate it: put countermeasures in place to reduce the likelihood or the impact. Transfer it: move the cost to someone else, typically through insurance or a contract. Accept it: you have to run the system anyway, for regulatory, compliance or business reasons, so you knowingly carry the risk. Accepting a risk is not the same as ignoring it. It is a formal process: first you are made aware of exactly what the risks are (that step is called certification), then an accountable person formally signs off on running the system with those risks (that is accreditation). In current NIST RMF language the same two steps are called assessment and authorization.
Quantitative - Security Cost Risk Assessment
Let's take an example of quantitative risk assessment. Quantitative risk assessment as shown here is one of the most basic ways to analyze risk, if you're able to calculate values for it.
Asset value (AV): What the asset is worth, in money.
Exposure factor (EF): The fraction of the asset's value you lose if an incident occurs (0 to 1, or 0% to 100%).
Single loss expectancy (SLE): How much value is lost each time an incident occurs. SLE = AV × EF.
Annualized rate of occurrence (ARO): How often the incident is expected to occur within one year (0.05 means once every 20 years on average).
Annualized loss expectancy (ALE): How much loss to expect per year, averaged over years with and without an incident. ALE = SLE × ARO.
Example: Fire Damage to a building
Let's say the value of your building (the asset value) is $750,000.

Single loss expectancy (SLE): Every time there's a fire, how much money do you lose? Say every fire costs $250,000 to repair, which means the exposure factor is $250,000 / $750,000, about one third of the building's value. How do you know that? GEICO or State Farm know. They know the average cost of a fire for this building type, in this area, with this construction material and this construction date; they have actuaries whose whole job is to take that data and work out what to charge you for insurance. Fire insurance is a very mature science: GEICO knows very precisely what a fire will cost, not for your home specifically, but on average.
Let's say the annualized rate of occurrence (ARO) is 5%, that is, 0.05: there is a 5% chance of a fire each year, or one fire every 20 years on average. How do they know that? Again, GEICO does. They estimate your chance of a fire from all the factors they collect about you and the building.
Each fire costs you $250,000, and there is a 5% chance of one per year. The annualized loss expectancy (ALE) is then SLE × ARO = $250,000 × 0.05 = $12,500. So whether or not you actually have a fire this year, the risk is costing you $12,500 a year on average. That is your risk, expressed in money, and you should be setting that much aside every year.
If GEICO ran this calculation they would charge you about $12,500 a year plus profit, because that is what they expect repairing the damage to cost them over time.
Now suppose a fire alarm system costs $5,000 to install and $5,000 per year to maintain: roughly $5,000 a year, plus the one-off install cost spread over the system's lifetime. Is it worth it? For the sake of the example, assume the alarm means there are no fire losses at all. Then you are spending about $5,000 a year to remove a $12,500 a year expected loss, so it is definitely worth it (alarm cost < ALE). The general rule is that a safeguard is worth buying when the ALE before the control minus the ALE after the control is greater than the annual cost of the control. In practice an alarm does not prevent fires; it gets them noticed earlier so each one does less damage. That lowers the exposure factor rather than the ARO, and the comparison should be made against that residual ALE, not against zero.
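The calculation above, carried through in code as an added example (not part of the original page): SLE and ALE from the page's fire figures, then the cost-benefit test for several candidate safeguards. The residual exposure factors, the control lifetimes and the sprinkler figures are assumptions for illustration, not data from the page.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO is the expected number of incidents per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and its effect on the risk parameters.

    install_cost is paid once and spread over lifetime_years; annual_maintenance
    is paid every year.  residual_ef and residual_aro are the exposure factor and
    rate of occurrence once the control is in place (assumed values, not from
    the page).
    """
    name: str
    install_cost: float
    annual_maintenance: float
    lifetime_years: int
    residual_ef: float
    residual_aro: float

    def annual_cost(self) -> float:
        return self.install_cost / self.lifetime_years + self.annual_maintenance


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Net annual value of a control = ALE_before - ALE_after - annual cost.

    Positive means the control pays for itself; negative means you are better
    off accepting the risk or finding a cheaper control.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    return ale_before - ale_after - sg.annual_cost()


def rank_safeguards(asset_value, ef, aro, safeguards):
    """Return (name, net value) pairs, best first.  Only positive values are worth buying."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the page: $750,000 building, $250,000 per fire, 5% chance per year.
BUILDING_VALUE = 750_000.0
FIRE_EF = 250_000.0 / BUILDING_VALUE      # one third of the building per fire
FIRE_ARO = 0.05                           # once every 20 years

# Candidate controls; residual effects and lifetimes are assumed for illustration.
ALARM_AS_ON_PAGE = Safeguard("alarm (page's assumption: no fire loss)", 5_000, 5_000, 10, 0.0, FIRE_ARO)
ALARM_REALISTIC = Safeguard("alarm (early detection, 10% loss per fire)", 5_000, 5_000, 10, 0.10, FIRE_ARO)
SPRINKLERS = Safeguard("sprinklers (assumed: 5% loss per fire)", 60_000, 2_000, 20, 0.05, FIRE_ARO)
CANDIDATES = [ALARM_AS_ON_PAGE, ALARM_REALISTIC, SPRINKLERS]

if __name__ == "__main__":
    sle = single_loss_expectancy(BUILDING_VALUE, FIRE_EF)
    ale = annualized_loss_expectancy(sle, FIRE_ARO)
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f} per year")
    for name, value in rank_safeguards(BUILDING_VALUE, FIRE_EF, FIRE_ARO, CANDIDATES):
        print(f"{name}: net value ${value:,.0f} per year")
```

Note how the ranking changes once the alarm is modelled as reducing damage rather than eliminating fires: it is still worth buying, but the margin shrinks, and a control with a large install cost can come out ahead once that cost is amortised over its lifetime.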
Qualitative Approach
The qualitative approach uses scales instead of precise numbers. One very common qualitative method is a risk matrix. Down the left side is likelihood, how likely something is to occur; along the bottom is consequence, the severity or impact, how bad it is if it does occur. Each axis is a scale (say 1 to 5), the higher numbers being worse, and the cell where the two meet gives the risk rating.
CVSS scoring only covers part of this. CVSS is a method for scoring the severity of a vulnerability: it takes a number of factors (attack vector, attack complexity, privileges required, the impact on confidentiality, integrity and availability, and so on) and combines them with a formula into a score between 0.0 and 10.0. In CVSS v3.x, 9.0 to 10.0 is Critical, 7.0 to 8.9 is High, 4.0 to 6.9 is Medium and 0.1 to 3.9 is Low. But that is only the consequence axis of the matrix. What about likelihood?
For likelihood, NIST recommends the Delphi method. In the Delphi method you take several (say three) people who are experts in the area and get a score from each of them individually. For example, the software is really buggy and will probably have buffer overflow vulnerabilities; the company finds three experts, perhaps the team lead, the supervisor and a developer, and interviews each one separately to get their rating. They are interviewed independently, and are not told what the others scored, because the experts in one area are usually on the same team and would otherwise influence each other's answers. The classic Delphi process then feeds the anonymised results back to the panel and repeats until the scores converge; the agreed score is the likelihood rating you put into the matrix.
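The three pieces above (the risk matrix, the CVSS severity bands and the Delphi likelihood estimate) combined into one qualitative scoring pipeline, as an added example that is not part of the original page. The CVSS bands are the published v3.x ranges; the mapping from severity to the matrix's consequence axis, the matrix thresholds, the convergence rule for the Delphi rounds and the panel answers are all assumptions constructed for the example.

```python
"""Qualitative risk scoring: CVSS severity x Delphi likelihood on a 5x5 risk matrix."""
from statistics import median


def cvss_severity(base_score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST's published ranges)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


# Consequence axis of the matrix (1..5).  Mapping CVSS severity straight onto
# consequence is an assumption for this example; a real programme would also
# weigh the business value of the affected asset.
CONSEQUENCE = {"None": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def delphi_likelihood(rounds, max_spread=1):
    """Delphi-style likelihood estimate on a 1..5 scale.

    `rounds` is a list of rounds; each round is the list of scores the experts
    gave independently (they never see each other's answers).  After each
    round the facilitator checks the spread; if it exceeds `max_spread` the
    anonymised summary goes back to the panel for another round (assumed rule).
    Returns (likelihood, rounds_used, converged).
    """
    if not rounds or any(len(scores) < 3 for scores in rounds):
        raise ValueError("need at least one round of at least three experts")
    for used, scores in enumerate(rounds, start=1):
        if any(not 1 <= s <= 5 for s in scores):
            raise ValueError("likelihood scores are 1..5")
        if max(scores) - min(scores) <= max_spread:
            return int(round(median(scores))), used, True
    # The panel never converged: report the last median, but flag it.
    return int(round(median(rounds[-1]))), len(rounds), False


def matrix_rating(likelihood: int, consequence: int) -> str:
    """5x5 risk matrix: product of the two axes, bucketed (assumed thresholds)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("matrix axes are 1..5")
    product = likelihood * consequence
    if product >= 15:
        return "Extreme"
    if product >= 10:
        return "High"
    if product >= 5:
        return "Medium"
    return "Low"


def assess(cvss_base_score: float, delphi_rounds):
    """Severity from CVSS, likelihood from the Delphi panel, risk from the matrix."""
    severity = cvss_severity(cvss_base_score)
    likelihood, used, converged = delphi_likelihood(delphi_rounds)
    return {
        "severity": severity,
        "likelihood": likelihood,
        "delphi_rounds": used,
        "converged": converged,
        "risk": matrix_rating(likelihood, CONSEQUENCE[severity]),
    }


# Constructed panel answers for two findings (not real data).
# Finding A: a critical buffer overflow in a buggy codebase.  Round 1 (team lead,
# supervisor, developer) disagrees at 2, 5, 3; round 2 converges on 3.
FINDING_A = {"cvss": 9.8, "rounds": [[2, 5, 3], [3, 4, 3]]}
# Finding B: a medium-severity issue the panel agrees is unlikely.
FINDING_B = {"cvss": 5.3, "rounds": [[1, 2, 1]]}

if __name__ == "__main__":
    for name, finding in (("A", FINDING_A), ("B", FINDING_B)):
        print(name, assess(finding["cvss"], finding["rounds"]))
```

The point of keeping `converged` in the result is that a likelihood the panel never agreed on should be reviewed, not silently fed into the matrix; the page's reason for interviewing the experts separately (so they don't anchor on each other) is exactly why the spread between their answers is the signal to watch.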