In the previous article, we talked about the risk assessment process. The output of this process is a list of existing vulnerabilities, associated threats, and the resulting risks. Risk Analysis is then performed by studying each vulnerability, threat, and risk in more details to assess the amount of damage, and the possible countermeasures to use in order to reduce the risk to an acceptable level. This will be the subject of this article. Have a nice reading.
What is Risk Analysis?
Risk analysis is the process of studying the risks in detail that the organization’s assets are susceptible to due to the existence of the previously-identified vulnerabilities.
Risk Analysis Approaches
Two risk analysis approaches exist: Quantitative risk analysis and Qualitative risk analysis.
The two approaches will be discussed in the following sections.
Quantitative Risk Analysis
As the name implies, quantitative risk analysis is concerned with figures and numbers. The output of such an operation is a report containing solid figures about:
- The percentage of the probability that a specific threat would cause damage or harm to the organization’s assets.
- The amount in USD, EUR, GBP, JPY, EGP, etc. of the potential loss.
- The financial cost (also in USD, or EUR, etc.) of the security control(s) to implement in order to mitigate the risk.
- The percentage of the expected effectiveness of the selected security control.
Before going into the details of the process, we need to understand some important terms.
Exposure Factor (EF): The percentage of damage that would result from a successful threat on a specific asset.
Single Loss Expectancy (SLE): the financial amount of loss due to a single successful threat on a specific asset. Following this definition, the SLE could be calculated by the following formula: SLE = EF x Asset Value
Annual Rate of Occurrence (ARO): the number of times that a specific threat is expected to occur within one year.
Annualized Loss Expectancy (ALE): the total loss expected per year due to all occurrences of a specific threat targeting a certain asset.
The ALE can be calculated using the following formula: ALE = SLE x ARO
Phases of Quantitative Risk Analysis Process
The quantitative risk analysis process is performed in few steps. The following points list them in brief:
- Prepare an inventory of the existing assets and the value of each one.
- For each asset, use the results of the risk assessment phase to create a table of asset, associated vulnerabilities, possible threats, exposure factor (EF), and the single loss expectancy (SLE).
- Analyze the probability of each threat to get the ARO. Use this value to get the annualized loss expectancy (ALE) per threat per asset.
- Study the possible security controls and their effectiveness. Effectiveness of a control should be reduced EF, SLE, and/or ARO; resulting in a reduced ALE at the end.
- Study and calculate the annual cost of safeguard ACS for each control.
- For each asset and recommended control, perform the cost/benefit analysis CBA. Use the formula: Cost/Benefit Value for a Control = ALEbefore – ALEafter – ACS
The more the cost/benefit value for a specific control, the more effective and feasible the control is.
Negative or zero result means the countermeasure is not feasible to implement.
Qualitative Risk Analysis
The qualitative approach considers scenarios for each threat that may exploit vulnerability in an organization’s asset. The different scenarios are then put under very-detailed discussions about the probability, seriousness of each threat, and possible varieties of security controls. The comprehensive discussions could use brainstorming, meetings, surveys, and questionnaires to collect the necessary data. The result of discussions should assign a weight or rank to the severity of each threat, and to the probability of its occurrence. A rank is also given for the effectiveness of each possible security countermeasure.
Which Method to Use?
When doing the risk analysis exercise, we can’t say that one method is better than the other. Rather, we should use a mix of the two. Such hybrid approach makes a balance between both quantitative and qualitative approaches, taking the advantages of each method.
How to Handle Identified Risks?
After collecting data and performing comprehensive risk analysis, the organization should now decide how to deal with the identified risks? In general, there are four possible actions to choose from:
- Reduce Risk.
- Avoid or Reject Risk.
- Transfer Risk.
- Accept Risk.
If one or more of the proposed countermeasures is found to be effective and feasible to implement in terms of the cost/benefit value, the organization can go ahead and choose to mitigate the risk by implementing countermeasure(s). The effect of that implementation should be reducing the risk to an acceptable level.
The whole risk can be entirely rejected by choosing not to use/implement/follow the system/action/procedure that causes the risk. For example, if the company’s website is being hacked frequently, the company can simply choose to close it completely!
The organization can choose to transfer the risk to an external party, which is the insurance company in this case.
If the analysis reveals that none of the available security countermeasures is cost-effective, the organization can choose to simply accept the risk. Typically, this decision is taken when the cost/benefit value of the countermeasure is negative or almost zero.
Whatever the organization’s decision will be, the top management must be involved in that critical phase.
- Risk analysis can use one of two approaches: quantitative or qualitative.
- Quantitative risk analysis output is solid financial USD figures including Annualized Loss Expectancy ALE before and after implementing security measures, and the cost/benefit values.
- Qualitative Risk analysis assigns ranks to the severity of each threat, the probability of its occurrence, and to the effectiveness of each possible security countermeasure.
- A hybrid approach should be used to balance between quantitative and qualitative methods.
- After performing the analysis, a decision is taken to either mitigate, avoid, transfer, or accept the risk.
In the next article, we will talk about Security policies and procedures. See you.