COMPTIA Security+ Tutorial: Module 02, Part 02 – RISK CALCULATIONS IN MANAGING AND MITIGATING RISKS

MANAGING AND MITIGATING RISKS

In this section we will discuss the risk calculations used in managing and mitigating risks. We will cover terms such as Mean Time To Repair (MTTR), Single Loss Expectancy (SLE) and others.

Mean Time To Repair (MTTR): Devices on the network may fail periodically due to mechanical failure. The Mean Time To Repair measures how long it takes to fix a device and put it back into production. It reflects the amount of downtime the organization can tolerate for that machine. As a best practice, an organization's MTTR should include both the time to fix the device and the time to test it.

MTTR is determined by the network administrators and tells us how soon the device can be back online after the repair.


Mean Time Between Failure (MTBF)

The Mean Time Between Failure measures how long a device works before it fails. It applies to devices that can fail and then be repaired. It can only be given by the manufacturer of the device. We generally refer to the MTBF before making the final purchase of a device for which we cannot simply choose the cheapest option.

Mean Time To Failure (MTTF)

The Mean Time To Failure is the expected time a device can be used before it fails. It applies to devices that are not repaired or returned: when such a device fails, that is the end of its life. It can only be given by the manufacturer of the device. We usually use it to arrive at a purchase decision.

Annualized Loss Expectancy (ALE)

The Annualized Loss Expectancy is used to calculate the amount of loss expected in a year. It is computed by taking the Annualized Rate of Occurrence and multiplying it by the Single Loss Expectancy. Once the ALE is known, one can start planning the budget and expenses for the risk.

This is a measure of how much an incident will cost if it happens, expressed as what you expect to lose each year.

Single Loss Expectancy (SLE)

The Single Loss Expectancy (SLE) helps determine the monetary loss incurred if a single incident takes place. For instance, if a laptop is stolen, the cost of that loss can be estimated accordingly.

Within any network, threats can exploit vulnerabilities. If we track a given vulnerability, the cost of the loss resulting from a single exploitation of it is the Single Loss Expectancy: it denotes what we lose in one incident.


Annualized Rate of Occurrence (ARO)

The Annualized Rate of Occurrence is a risk calculation that determines how many times an incident is expected to occur in a year. The annual rate at which an event or threat that can exploit the vulnerability occurs is the ARO.
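The three quantities above combine into one calculation: ALE = SLE × ARO. The following is an added example, not part of the original tutorial, that works through the stolen-laptop case with constructed dollar values. It also derives SLE as asset value × exposure factor (the fraction of the asset lost per incident), a standard Security+ formula that the text above does not spell out, and compares the ALE before and after a control to judge whether the control is worth its annual cost.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pair quantified with the Security+ risk terms."""
    name: str
    asset_value: float      # replacement cost of the asset, in dollars
    exposure_factor: float  # fraction of the asset value lost per incident (0.0..1.0)
    aro: float              # Annualized Rate of Occurrence: expected incidents per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: loss from one incident = asset value x exposure factor."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: SLE x ARO, the expected loss per year."""
    return sle(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's yearly cost.

    Positive means the control saves more than it costs; negative means it does not pay off.
    """
    return ale(before) - ale(after) - annual_control_cost


# Constructed example: a company laptop holding business data is stolen.
# All figures are illustrative and not taken from any real incident.
LAPTOP_THEFT = Scenario("laptop theft, no disk encryption",
                        asset_value=8_000.0, exposure_factor=1.0, aro=2.0)
# Same threat after full-disk encryption: the data is no longer exposed,
# so only the hardware portion of the asset value is lost per theft.
LAPTOP_THEFT_ENCRYPTED = Scenario("laptop theft, disk encrypted",
                                  asset_value=8_000.0, exposure_factor=0.25, aro=2.0)
ENCRYPTION_COST_PER_YEAR = 1_500.0  # constructed licence and management cost

if __name__ == "__main__":
    for s in (LAPTOP_THEFT, LAPTOP_THEFT_ENCRYPTED):
        print(f"{s.name}: SLE=${sle(s):,.0f} ARO={s.aro} ALE=${ale(s):,.0f}")
    net = control_value(LAPTOP_THEFT, LAPTOP_THEFT_ENCRYPTED, ENCRYPTION_COST_PER_YEAR)
    print(f"net annual value of encryption: ${net:,.0f}")
```

With these constructed numbers the unencrypted case has an ALE of $16,000 and the encrypted case $4,000, so the control yields a net benefit of $10,500 per year.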

When we analyze the risks, we have the Quantitative and Qualitative Analysis.

The Quantitative method seeks to establish the amount of money (how much) that will be lost, whereas the Qualitative analysis gives the value of the information that will be lost (based on experience, and therefore subjective).

We need to consider the following factors when we look at the network.

Zero Vulnerabilities

Vulnerabilities are defined as the absence or weakness of a control. The term also refers to the extent to which we are exposed to risk.

Threat Vectors

Threat Vectors outline the extent of damage or loss that can be incurred from the risk.

Risk Probability/Threat Likelihood

Risk Probability is the calculation of the risk based on the frequency of occurrence.