CSSLP Tutorial: After we complete our risk assessment, we need to complete a risk analysis.
A risk analysis is where we figure out the value of the thing, idea, or program code we are protecting. A qualitative risk analysis is more of a gut feeling and is more subjective. One technique for gathering input from other experts or peers, where they can contribute anonymously, is the Delphi technique. People tend to be more honest when they can contribute without naming themselves, especially where a supervisor is involved.
The risk ranking is then high, medium, or low. That doesn't tell us how much money is involved, but it does help in prioritizing. The risks that are both most likely to occur and most likely to be severe are the ones that can lead to the most damage. We can fill in a probability matrix to gauge how much damage a specific risk can cause. For example, something with a low likelihood and a low severity may not lead to a realized risk at all, and even if it did, it might not cause much damage. This helps when prioritizing, and leads to a better understanding when we move on to a quantitative study.
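As an added illustration (not code from the tutorial), the following Python sketch builds the kind of probability matrix described above: each risk gets a low/medium/high likelihood and severity, the two are combined into an ordinal score, and the register is sorted so the most-likely, most-severe items come first. The numeric weights, the banding thresholds, and the sample risk register are assumptions chosen for the example.

```python
# Added example, not part of the tutorial: a qualitative likelihood x severity
# matrix. Weights, bands and the sample register below are constructed.

LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood: str, severity: str) -> int:
    """Ordinal score: likelihood x severity, each rated low/medium/high."""
    return LEVELS[likelihood.lower()] * LEVELS[severity.lower()]


def risk_rank(likelihood: str, severity: str) -> str:
    """Map the score back to a high/medium/low ranking for prioritisation.

    Banding (assumed): 1-2 -> low, 3-4 -> medium, 6-9 -> high.
    """
    score = risk_score(likelihood, severity)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritise(risks):
    """Return the register sorted highest score first; ties keep input order."""
    return sorted(
        risks,
        key=lambda r: risk_score(r["likelihood"], r["severity"]),
        reverse=True,
    )


# Constructed sample register for demonstration only.
SAMPLE_RISKS = [
    {"name": "Unpatched library in build pipeline", "likelihood": "high", "severity": "high"},
    {"name": "Lost laptop with encrypted disk", "likelihood": "medium", "severity": "low"},
    {"name": "Debug endpoint left enabled in release", "likelihood": "low", "severity": "high"},
    {"name": "Typo in internal wiki", "likelihood": "high", "severity": "low"},
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{risk_rank(r['likelihood'], r['severity']):>6}  {r['name']}")
```

Note that the ranking is ordinal only: a "high" here says the item should be looked at first, not how many dollars are at stake, which is exactly the gap the quantitative analysis later in the article fills.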
The quantitative analysis requires more experience, and since it uses calculations, it also requires additional knowledge. The numbers aid in forming a fact-based analysis, which can then lead us toward figuring out how much money needs to be spent to protect our idea, concept, or program code. Remember that the very first step of risk management was to identify assets. So let's say the cost of the actual computer hardware and tower is $300. The value isn't just the hardware cost; it also includes the value of the asset in terms of intangibles, such as code that will revolutionise the way a certain segment of coding architecture is thought about and change it for future programmers. Let's say we have $200 worth of data and a virus attack demonstrates a loss of 50%. That 50% exposure factor would lead to a $100 loss every time a compromise occurs.
CSSLP Tutorial: Annual rate of occurrence is the probability that an event is likely to occur within one year.
This is in contrast to the exposure factor, which is less about frequency and more about what impact the loss will have, and ultimately what impact the loss of money will have. Annual loss expectancy is how much the organization spends to keep the system secure and reasonably risk-free. Start with an exposure factor of 50% on, let's say, $1,000 worth of data. The single loss expectancy is then $500. But if this loss occurs multiple times during the course of the year, for example four times, the organization will lose $500 on four separate occasions. This leads to an annual loss expectancy of $2,000 per year. To decide whether we can sustain the potential loss, we have to weigh the cost of the security (and/or the loss of performance) against the functionality of the software we are developing.
CSSLP Tutorial: There are three definitions that haven't been covered in this article yet.
The first is asset value. When analyzing asset value, you are analyzing the dollar figure that represents what the asset is worth. The second is return on investment: the amount of money saved by implementing a control, which can also be referred to as the value of the safeguard or control. Last is total cost of ownership: the total cost of implementing controls, not only initially but over the course of their lifespan, since we also pay maintenance fees. Ultimately we have to look at the total cost and how much it saves us in the long run. In other words, for every dollar we spend on security and/or safeguards, how much risk reduction do we get in return?
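The quantitative terms from the last few paragraphs (exposure factor, single loss expectancy, annual rate of occurrence, annual loss expectancy, total cost of ownership, and the value of a safeguard) fit together as a short chain of formulas. The Python below is an added example, not code from the tutorial, and applies those formulas to the article's own figures ($1,000 of data, 50% exposure, four incidents a year). The control costs, the three-year lifespan, and the assumption that the control cuts occurrences from four to one per year are constructed for the example; the safeguard-value formula (reduction in ALE minus the annualised cost of the control) is the common convention for expressing a control's return and is an assumption here, not a statement from the article.

```python
# Added example, not part of the tutorial: the quantitative risk-analysis
# chain SLE -> ALE -> safeguard value. Control figures below are constructed.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (exposure factor as a fraction 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def annualised_tco(initial_cost: float, yearly_maintenance: float, lifespan_years: int) -> float:
    """Spread the total cost of ownership (purchase plus maintenance) over the control's lifespan."""
    if lifespan_years <= 0:
        raise ValueError("lifespan must be at least one year")
    total = initial_cost + yearly_maintenance * lifespan_years
    return total / lifespan_years


def safeguard_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Money saved per year by the control, net of what the control costs per year.

    Assumed convention: (ALE before control - ALE after control) - annualised TCO.
    A negative result means the control costs more than the loss it prevents.
    """
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    # The tutorial's figures: $1,000 of data, 50% exposure, four incidents a year.
    sle = single_loss_expectancy(1000, 0.50)   # 500.0
    ale = annual_loss_expectancy(sle, 4)       # 2000.0

    # Constructed control: $1,200 up front plus $300/year, kept for 3 years,
    # assumed to reduce the annual rate of occurrence from 4 to 1.
    control_cost = annualised_tco(1200, 300, 3)   # 700.0 per year
    ale_after = annual_loss_expectancy(sle, 1)    # 500.0

    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}  control ${control_cost:,.0f}/yr")
    print(f"Net annual value of control: ${safeguard_value(ale, ale_after, control_cost):,.0f}")
```

The input checks matter in practice: an exposure factor typed as 50 instead of 0.50 silently inflates every downstream figure fiftyfold, so rejecting out-of-range values is cheaper than discovering the mistake in a budget review.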
CSSLP Tutorial: This is an overview into the risk analysis.
More quantitatively, there are calculations, for example single loss expectancy, which is asset value times exposure factor; there are others used in quantitative studies. Overall, this discussion covered terms and definitions as well as working through some problems, so that you can understand when to use the appropriate terminology and when to apply the formulas and calculations.