CompTIA CASP+ CAS-004 – Chapter 01 – Understanding Risk Management Part 5
- Risk Impact
Risk impact, or the magnitude of the impact, is just an estimate of how much damage a negative risk can have, or the potential opportunity cost if a positive risk is realized. So we’re measuring these in financial terms if it’s quantitative, or with a subjective measurement if it’s qualitative. Risks are then usually ranked on a scale that’s determined by the organization. So a high-level risk would result in significant loss, and a low-level risk would result in negligible loss. Now, if the magnitude of the impact can be expressed in financial terms, then we use a financial value to quantify that magnitude. And that certainly has an advantage because it’s easily understood by personnel.
Financial impact could be long-term costs in operations and support. It could be loss of market share, or it could be short-term costs, additional work, or opportunity cost. There are two calculations that are used to determine the magnitude of impact, or risk impact. These are SLE, single loss expectancy, and then ALE, annualized loss expectancy. And this is really key. SLE is the monetary impact of each threat occurrence. In order to get this, you have to know the value of the asset, the AV, and the exposure factor. The EF is the percentage of the asset’s value or functionality that would be lost when a threat event occurs.
So you get the SLE by multiplying the asset value and the exposure factor. Let’s give you an example here. Let’s say an organization has a web server farm with an asset value of $20,000. If the risk assessment determines that a power failure is a threat agent for the web server farm and the exposure factor is 25%, then the SLE of this event would equal $5,000, right? $20,000 multiplied by 25%. Then you have the annualized loss expectancy, which is the expected loss from that threat event on an annual basis.
Now, in order to determine ALE, you have to actually know the SLE, and you also have to know the annualized rate of occurrence, or ARO, which is tied to the likelihood of the threat. OK? So if we use the example that we already mentioned, if the ARO for that power failure is 50%, then the ALE for the event would equal $2,500. So ALE equals SLE times the annualized rate of occurrence, and it’s using that value that an organization can then decide whether to implement controls. So if the annual cost of a control to protect the web server farm is more than the annualized loss expectancy, the organization could easily choose to just accept the risk: we’re not going to implement any sort of control. But if the annual cost of the control is less than the ALE, then the organization should actually look to implement that control.
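Here is the SLE / ALE calculation from the web server farm example carried through in code. This is an added illustration, not part of the original lecture; the two control costs ($2,000 and $3,000 per year) are constructed values used only to show the accept-versus-implement comparison.

```python
"""Worked SLE / ALE calculation for the web server farm example (added example)."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction (0.25 for 25%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.

    ARO is the expected number of occurrences per year, so the lecture's
    "50%" means 0.5: the power failure is expected about once every two years.
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_decision(ale: float, annual_control_cost: float) -> str:
    """Lecture rule: implement the control only if it costs less per year than the ALE."""
    return "implement" if annual_control_cost < ale else "accept"


def web_server_farm_example() -> dict:
    """Reproduce the lecture's numbers: AV $20,000, EF 25%, ARO 0.5."""
    asset_value = 20_000.0
    exposure_factor = 0.25
    aro = 0.5
    sle = single_loss_expectancy(asset_value, exposure_factor)   # 5000.0
    ale = annualized_loss_expectancy(sle, aro)                    # 2500.0
    return {
        "SLE": sle,
        "ALE": ale,
        # constructed control costs, not from the lecture
        "ups_at_2000_per_year": control_decision(ale, 2_000.0),   # implement
        "ups_at_3000_per_year": control_decision(ale, 3_000.0),   # accept
    }


if __name__ == "__main__":
    for name, value in web_server_farm_example().items():
        print(f"{name}: {value}")
```

Expressing ARO as occurrences per year rather than a bare percentage matters once you move past the textbook numbers: an event expected three times a year has an ARO of 3.0, and the ALE scales accordingly.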
- Likelihood of Threat
We also need to consider the likelihood of the threat. This is just a measurement of the chance that a particular risk event would impact the organization. So after we’ve identified vulnerabilities and threats, a loss potential calculation for each needs to be performed. That loss potential is determined by using the likelihood of the event combined with the impact that such an event would cause, and then assigning each an importance and priority. Likelihood is determined by examining a number of different factors. It’s based on the motivation, the source, the annual rate of occurrence (how often the threat might occur annually), as well as trend analysis.
- Return on Investment
The term ROI is another that’s probably familiar to us. It’s just return on investment, which means the money gained or lost after an organization makes an investment. ROI is a necessary metric for evaluating any sort of investment, including security investments. It measures the expected improvement over the status quo against the cost of the action that’s required to achieve that improvement. Again, it’s a very familiar business term. In security, though, reduction in risk is really the goal, but it’s often hard to determine exactly how much an organization is going to save if it makes an investment. So what are some of the types of losses? Well, productivity loss: downtime, repair time. If people aren’t performing their regular duties because of a security issue, then your organization has experienced a productivity loss. Revenue loss during an outage: if an asset, like a web server or an e-commerce server, is down and can’t be accessed, then the organization loses money with every minute and hour that that asset is down. Data loss: if data is lost and it needs to be restored, that goes back to productivity loss, because we have people that are tied up restoring the data backup. But what happens if the backup were destroyed? Then you could have some catastrophic events. Data compromise: the disclosure or modification of data by unauthorized personnel. Repair cost: the cost to replace hardware, or the cost to employ services from outside vendors in the case of a security incident. And then loss of reputation: any security incident that occurs can result in this. You lose your reputation with your partners and your customers. We all know of places that have had security breaches and how that makes that organization look.
- Understanding Payback
Payback is another term that you need to be familiar with. It’s a simple calculation that compares the ALE against the expected savings as a result of a particular investment. Okay, so let’s use that earlier example. We had that server, and it resulted in a $2,500 ALE. Well, the organization may want to deploy a power backup, but only if it can be purchased for less than $2,500 to protect against the threat. That’s the only time it should be considered. If it costs a bit more, should we do it? Well, you might be willing to still invest if it’s just a little bit more, if it were projected to provide protection for maybe more than one year and it had some sort of guarantee. Net present value, NPV, is just going to add another dimension to payback because it considers the fact that money spent today is worth more than savings realized tomorrow. All right, so continuing with our example, the organization can purchase a power backup that comes with a five year warranty.
Well, to calculate NPV, you need to know the discount rate that determines how much less money is worth in the future. Okay. For our example, we’ll say it’s a discount rate of 10%. So you divide the yearly savings, $2,500, by 1.1. That would be one plus the discount rate, to the power of the number of years you want to analyze. This is a nice formula. So you have $2,500 divided by 1.1, and I have the calculation for us: it’s $2,272.73. That result is the savings expected in today’s dollar value. And so that can kind of help us to try to weigh costs and benefits. The costs are immediate, but the benefits are going to be long term. It’s technically that NPV that gives us a more accurate measure of whether a project is really worthwhile.
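Here is the payback and NPV arithmetic from the power backup example carried through in code, together with a simple ROI figure for the Return on Investment section above. This is an added illustration, not part of the original lecture. It reproduces the lecture's first-year figure ($2,500 / 1.1 = $2,272.73) and then goes one step further than the lecture does: it discounts every year of the five year warranty and sums them, so the control's price can be compared against the whole stream of avoided losses. The purchase prices used ($6,000 and $10,000) are constructed values, not from the lecture.

```python
"""Payback, NPV and ROI for a control whose benefit is avoided ALE (added example)."""


def present_value(amount: float, discount_rate: float, years: int) -> float:
    """Today's value of `amount` received `years` from now: amount / (1 + r) ** years."""
    if discount_rate <= -1.0:
        raise ValueError("discount rate must be greater than -100%")
    return amount / (1.0 + discount_rate) ** years


def pv_of_annual_savings(annual_savings: float, discount_rate: float, horizon_years: int) -> float:
    """Sum of the discounted savings for years 1..horizon_years (the warranty period)."""
    return sum(present_value(annual_savings, discount_rate, year)
               for year in range(1, horizon_years + 1))


def simple_payback_years(control_cost: float, annual_savings: float) -> float:
    """Undiscounted payback: how many years of avoided ALE repay the purchase."""
    if annual_savings <= 0:
        raise ValueError("annual savings must be positive for a payback period")
    return control_cost / annual_savings


def return_on_investment(total_benefit: float, cost: float) -> float:
    """ROI as a fraction: (benefit - cost) / cost, per the lecture's definition."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (total_benefit - cost) / cost


def evaluate_control(control_cost: float, annual_savings: float,
                     discount_rate: float, horizon_years: int) -> dict:
    """Compare a one-time control purchase against the discounted avoided losses."""
    total_pv = pv_of_annual_savings(annual_savings, discount_rate, horizon_years)
    return {
        "first_year_pv": round(present_value(annual_savings, discount_rate, 1), 2),
        "pv_of_savings": round(total_pv, 2),
        "npv": round(total_pv - control_cost, 2),
        "payback_years": round(simple_payback_years(control_cost, annual_savings), 2),
        "roi": round(return_on_investment(total_pv, control_cost), 3),
        "worthwhile": total_pv > control_cost,
    }


if __name__ == "__main__":
    # Lecture inputs: ALE $2,500 avoided per year, 10% discount rate, 5 year warranty.
    for price in (6_000.0, 10_000.0):   # constructed purchase prices
        print(price, evaluate_control(price, 2_500.0, 0.10, 5))
```

The one-year rule in the lecture (buy only if it costs less than the $2,500 ALE) is the payback test; the NPV figures show why a control priced above one year's ALE can still be worthwhile when its protection is guaranteed for several years, and also where that stops being true once the price exceeds the discounted sum of avoided losses.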
- Total Cost of Ownership
Now, organizational risks are everywhere. They range from easily insurable property risks to risks that are hard to anticipate and hard to calculate, like the loss of employees. Total cost of ownership, or TCO, of risk just measures the overall cost associated with running the organizational risk management process. That’s going to include a number of different things like insurance premiums, finance costs, administrative costs, as well as any losses incurred. Now, that value is then compared to the overall company revenues and their asset base. TCO can provide us a way to assess how an organization’s risk-related costs are changing compared to the overall organization growth rate.
It can also be compared to industry baselines from other similar organizations and trade groups, and that can really help us to determine how well we’re doing. Calculating this has a lot of different advantages. It can help us discover inconsistencies in the risk management approach. It can help identify areas where a particular risk is excessive compared to similar risks managed elsewhere. And it can also generate direct cost savings by highlighting inefficiencies in the risk management process. But it’s going to be difficult to determine in some cases, especially comparatively speaking.
- TCO Guidelines
Some of the guidelines that an organization should keep in mind when trying to determine risk TCO are mentioned here. First, determine a framework that’s going to be used to break down costs into categories. This is going to include things like risk financing, risk administration, compliance costs, and self-insured losses. We would want to identify the category costs by expressing them as a percentage of the overall organizational revenue. We would then want to employ any data from trade bodies or other organizations for comparison with each category. We want to analyze any differences between our numbers at that point and the industry figures to understand why they occur, and then set future targets for each category. There are some basic rules when we’re calculating and analyzing risk TCO. First, industry benchmarks are not always truly comparable to your organization’s data, so we have to keep that in mind. We need to try to employ risk management software that’s definitely going to assist us in the decision making, because risk management is just very complex in nature. And we need to remember the value of risk management when we’re budgeting; it’s not merely a cost. So if we can follow those rules and guidelines, then we’ll be well on our way.
- Translate to Business Terms
When we start talking about technical security risks, they represent a threat that’s largely going to be misunderstood by people who are not technical. So it’s our job as security professionals to bridge the knowledge gap in a manner that stakeholders understand. We have to deal with nontechnical people, and we have to communicate technical risk. One of the first things we need to do is just understand our audience and be able to translate those risks into business terms that the audience is going to understand. Now, your audience could include a very diverse range of employees: semi-technical and nontechnical leadership, the board of directors, executives, regulators, all of those kinds of people.
A semi-technical audience is going to understand security operations difficulties, and they often are powerful allies. That audience typically needs to be data driven. So we give them a very high-level message that’s based on verifiable facts and trends. A nontechnical leadership audience needs the message to be put in context with their responsibility. They need the cost of the expenditures, but they need that cost tied to business performance. And so we need to present metrics that are going to show how cyber risk is trending. But we do want to avoid using popular jargon, right? We need to translate technical risk into those terms, and we need to be thorough and transparent.
- Risk Management Strategies
Risk reduction is going to be the process of altering elements of the organization in response to risk analysis. After the organization understands the ROI and the TCO, it has to determine exactly how to handle the risk. That’s going to be based on the risk appetite: how much risk is the organization able to withstand on its own? There are four basic strategies that we need to understand for this exam. They are avoid, transfer, mitigate, and accept. To avoid means we’re going to terminate any activity that causes a risk. We’re going to choose an alternative that’s not as risky. Unfortunately, you can’t use this method against all threats. One example of avoidance would be an organization utilizing an alternate data center in a different geographic location to prevent a natural disaster that may be more present in certain places. Many times, though, it’s impossible to actually avoid risk. So we might transfer. The transfer strategy just involves passing that risk on to a third party, like an insurance company.
Another example would be to outsource certain functions to a provider, and that’s going to involve an SLA with that third party. The risk could still rest on the original organization; that kind of depends on contract provisions and whatnot. So you need to be careful to make sure the contract provides the level of protection that you need. We could mitigate the risk. That involves defining the acceptable risk level that the organization can tolerate and then reducing the risk to that level. That’s the most common risk strategy that is employed. So we implement security controls based on the impact of that system. Or accept. Accept just says, okay, we understand. We accept the level of risk as well as the cost of damages that can occur. We’re just not going to do anything about it. Okay. And so in many cases, these decisions are based on some of the values that we talked about, and it’s just seen that it’s not going to be efficient to try to mitigate that risk. So instead of doing that, we’ll just accept that particular risk.
- Risk Management Processes
According to NIST, common information gathering techniques that are used in risk analysis are going to include risk assessment tools, questionnaires, interviews, as well as policy document reviews. Now, we need to keep in mind that there are multiple sources that should be used to determine the risk of a particular asset. But NIST does identify these steps in the risk assessment process: prepare for the assessment; conduct the assessment (within conducting, that means we’re identifying threat sources and vulnerabilities, determining the likelihood of occurrence, determining the magnitude of the impact, et cetera); then communicate the results; and then maintain the assessment. And this is going to include a number of different areas like asset valuation, vulnerability and threat identification, exemptions, deterrence, inherent risk and residual risk. These are all elements that we need to understand, and so we’ll go through them now.
- Information and Asset Value and Costs
The first was information and asset value and cost. Assets are both tangible and intangible. Tangible assets are your computers, your supplies, your personnel. Intangible would be intellectual property, data, the reputation of the organization. And so we need to consider the value of the asset in respect to the owner’s view. What’s its value to the owner? What’s the work required to develop or obtain it? What are the costs to maintain it? What is the damage that would result if that asset were lost? What would competitors pay for that asset? And would there be any penalties that would result if the asset was lost? It’s after determining the value of the asset that you should be able to determine the vulnerabilities and threats for each asset.