Security & Risk Management Pre-requisites

  • Writer: Abhilasha
  • Jul 8, 2024

Types of Risk Analysis

  1. Quantitative Risk Analysis

  • Identify and value assets: Identify and assess the value of all assets (physical, intellectual, etc.) that could be affected by a security incident.

  • Determine vulnerabilities and impact: Identify vulnerabilities (weaknesses in security) and assess their potential impact on assets if exploited.

  • Estimate likelihood of exploitation: Assess the likelihood that identified vulnerabilities will be exploited by threats (hackers, natural disasters, etc.).

  • Compute Annual Loss Exposure (ALE): Calculate the expected annual loss resulting from potential security incidents, considering the estimated impact and likelihood.

  • Survey applicable controls and their costs: Identify and evaluate potential security controls (such as firewalls, encryption) that could mitigate identified risks, along with their associated costs.

  • Project annual savings from controls: Estimate the reduction in losses that would result from implementing security controls compared to the baseline (without controls).

  • Assigns real numbers to costs of safeguards and damage: Quantify the costs of implementing safeguards (security measures) and the potential damage costs if security incidents occur.

  • Probability of event occurring: Assess the probability (likelihood) of security events or incidents occurring based on historical data, threat intelligence, or expert judgment.

  • Can be unreliable/inaccurate: Quantitative risk analysis relies on estimates and assumptions, which can lead to inaccurate or unreliable results if the data or assumptions are flawed.
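As an added worked example (not code from the original post), the quantitative steps above carried through in Python: asset value, exposure factor and likelihood feed the conventional formulas SLE = AV × EF and ALE = SLE × ARO, candidate controls are costed, and the projected annual saving of each control ranks them. The asset, the controls, their costs and every rate below are constructed sample figures; the last line re-runs the ranking with a different likelihood estimate to show the "can be unreliable" point, since the whole ordering hinges on that estimate.

```python
# Added worked example (not from the original post): the quantitative steps
# carried through in code. Uses the conventional formulas
#   SLE = AV * EF      (single loss expectancy, loss from one incident)
#   ALE = SLE * ARO    (annual loss exposure, expected loss per year)
# All figures below are constructed sample values, not data from the post.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV: what the asset is worth (step: identify and value assets)
    exposure_factor: float  # EF: fraction of AV lost per incident (step: vulnerabilities and impact)
    annual_rate: float      # ARO: expected incidents per year (step: likelihood of exploitation)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss exposure: expected loss per year (step: compute ALE)."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost of the safeguard per year (step: survey controls and costs)
    ef_factor: float    # fraction of the exposure factor that remains with the control in place
    rate_factor: float  # fraction of the annual rate that remains with the control in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset with the control's effect applied to EF and ARO."""
    return replace(risk,
                   exposure_factor=risk.exposure_factor * control.ef_factor,
                   annual_rate=risk.annual_rate * control.rate_factor)


def annual_savings(risk: Risk, control: Control) -> float:
    """Projected annual saving: ALE reduction minus what the control costs (step: project savings)."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_controls(risk: Risk, controls) -> list:
    """Controls ordered by net annual saving, best value first."""
    return sorted(controls, key=lambda c: annual_savings(risk, c), reverse=True)


def ranking_names(risk: Risk, controls, annual_rate=None) -> list:
    """Control names in ranked order; pass annual_rate to re-run with a different ARO estimate."""
    if annual_rate is not None:
        risk = replace(risk, annual_rate=annual_rate)
    return [c.name for c in rank_controls(risk, controls)]


# Constructed sample input: one asset and three candidate controls (hypothetical figures).
CUSTOMER_DB = Risk("customer database", asset_value=500_000.0,
                   exposure_factor=0.4, annual_rate=0.5)
CONTROLS = (
    Control("Encryption at rest", annual_cost=15_000.0, ef_factor=0.25, rate_factor=1.0),
    Control("Offline backups", annual_cost=40_000.0, ef_factor=1.0, rate_factor=0.2),
    Control("Managed detection appliance", annual_cost=90_000.0, ef_factor=0.125, rate_factor=0.5),
)

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}  ALE = {CUSTOMER_DB.ale():,.0f}")
    for c in rank_controls(CUSTOMER_DB, CONTROLS):
        print(f"{c.name:30s} net annual saving {annual_savings(CUSTOMER_DB, c):>10,.0f}")
    # The 'can be unreliable' caveat: a different ARO estimate reverses the ranking.
    print("ranking if ARO were 4.0:", ranking_names(CUSTOMER_DB, CONTROLS, annual_rate=4.0))
```

With the sample figures the cheapest control gives the best net saving at ARO 0.5 and the most expensive one comes last, but at ARO 4.0 the order is fully reversed; the numbers look precise, yet the decision is only as good as the likelihood estimate behind them.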

  2. Qualitative Risk Analysis (QRA)

Qualitative risk analysis assesses an organization's risk from threats using judgment, intuition, and experience rather than numerical data:

  • Judges an organization's risk from threats: Evaluates the severity of threats by subjective assessment rather than by quantitative metrics.

  • Based on judgment, intuition, and experience: Relies on expert judgment and knowledge of the organization’s environment.

  • Ranks the seriousness of threats for asset sensitivity: Prioritizes threats based on their perceived impact on critical assets.

  • Subjective, lacks hard numbers to justify return on investment: Does not produce precise figures, so the ROI of a security investment is hard to quantify.

  • Hard to make meaningful valuations and probabilities: Assigning concrete values to risks and probabilities is difficult because the inputs are qualitative.

  • Relative ordering is faster and more important: Focuses on prioritizing risks relative to each other rather than exact measurement.

  • Many approaches to performing qualitative risk analysis: Various methodologies exist, each tailored to organizational needs and context.

  • Same basic steps as quantitative analysis: Involves identifying assets, threats, vulnerabilities, and controls, but emphasizes relative importance over numerical calculation.

The 10-step qualitative risk analysis (QRA) process involves:

  1. Identify Scope: Define the boundaries of the risk analysis project.

  2. Assemble Team: Include relevant stakeholders and subject matter experts.

  3. Identify Threats: List known threats and brainstorm new ones.

  4. Threat Prioritization: Rank threats based on likelihood of occurrence.

  5. Loss Impact: Assess potential impact of each threat on assets.

  6. Total Impact: Combine the likelihood ranking (step 4) with the loss impact (step 5) to assess each threat's overall risk.

  7. Identify Controls/Safeguards: Propose initial controls for high-priority risks.

  8. Cost-Benefit and Coverage Analysis: Evaluate effectiveness and costs of controls.

  9. Rank Controls: Prioritize controls based on risk reduction potential.

  10. Communicate Results: Compile findings into a report with an executive summary, and present to stakeholders for decision-making.

This structured approach helps organizations understand and manage risks effectively, ensuring resources are allocated efficiently to mitigate potential threats.
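An added worked example (not code from the original post) of steps 4 to 9 in Python, using ordinal Low/Medium/High bands rather than money: threats are ranked by likelihood and loss impact, step 6 combines the two into a total-impact score and a matrix, and controls are ranked by how much of that total risk they cover, with cost band as the tie-breaker. The threats, controls, cost bands and ratings are constructed sample data, and the three-band scale is one common convention, not the only one.

```python
# Added worked example (not from the original post): steps 4 to 9 of the
# qualitative process in code. Likelihood, impact and cost are ordinal bands
# and the result is a relative ordering, not a monetary figure.
# Threats, controls and ratings below are constructed sample data.
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # step 4: threat prioritization (Low/Medium/High)
    impact: str      # step 5: loss impact on assets (Low/Medium/High)


def total_impact(threat: Threat) -> int:
    """Step 6: combine the likelihood and impact ranks into one score (1..9)."""
    return LEVELS[threat.likelihood] * LEVELS[threat.impact]


def risk_band(score: int) -> str:
    """Map a step-6 score onto the band usually shown in the risk matrix."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def impact_matrix(threats) -> dict:
    """Step 6 table: (likelihood, impact) cell -> threat names in that cell."""
    cells = {}
    for t in threats:
        cells.setdefault((t.likelihood, t.impact), []).append(t.name)
    return cells


def rank_threats(threats) -> list:
    """Threats by total impact, highest first; ties broken by name for a stable report."""
    return sorted(threats, key=lambda t: (-total_impact(t), t.name))


@dataclass(frozen=True)
class Control:
    name: str
    cost: str          # step 8: cost band (Low/Medium/High)
    covers: frozenset  # names of the threats this control mitigates (step 7)


def coverage_score(control: Control, threats) -> int:
    """Step 8 coverage analysis: total risk score the control addresses."""
    by_name = {t.name: t for t in threats}
    return sum(total_impact(by_name[n]) for n in control.covers if n in by_name)


def rank_controls(controls, threats) -> list:
    """Step 9: most risk covered first; the cheaper control wins a tie."""
    return sorted(controls, key=lambda c: (-coverage_score(c, threats), LEVELS[c.cost], c.name))


# Constructed sample threats (step 3) with their step-4 and step-5 ratings.
THREATS = (
    Threat("Phishing for staff credentials", likelihood="High", impact="High"),
    Threat("Ransomware on file servers", likelihood="Medium", impact="High"),
    Threat("Web server denial of service", likelihood="Medium", impact="Medium"),
    Threat("Insider data misuse", likelihood="Low", impact="High"),
    Threat("Lost or stolen laptop", likelihood="Medium", impact="Low"),
)

# Constructed candidate controls (step 7) with cost bands (step 8).
CONTROLS = (
    Control("Multi-factor authentication", "Low",
            frozenset({"Phishing for staff credentials", "Ransomware on file servers"})),
    Control("Security awareness training", "Low",
            frozenset({"Phishing for staff credentials", "Insider data misuse"})),
    Control("Offline backups", "Medium", frozenset({"Ransomware on file servers"})),
    Control("DDoS mitigation service", "High", frozenset({"Web server denial of service"})),
    Control("Full-disk encryption for laptops", "Low", frozenset({"Lost or stolen laptop"})),
)

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:32s} L={t.likelihood:6s} I={t.impact:6s} "
              f"total={total_impact(t)} ({risk_band(total_impact(t))})")
    for c in rank_controls(CONTROLS, THREATS):
        print(f"{c.name:32s} cost={c.cost:6s} covers score {coverage_score(c, THREATS)}")
```

The output is exactly what the page says qualitative analysis is good for: a defensible relative ordering of threats and of controls that a team can agree on quickly, with no claim that "9" is a currency amount.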


Step 6: table (image not reproduced here)

Step 9: (image not reproduced here)


Key Considerations in Risk Analysis

  • Key elements of risk analysis: assets, threats, vulnerabilities, and controls

  • Most security risk analysis uses qualitative analysis

  • Not a scientific process:

    – Companies will develop their own procedure

    – Still a good framework for a better understanding of system security
