PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
Download as PPTX, PDF0 likes422 views
The document provides an overview of qualitative and quantitative risk assessments used in business, detailing their methodologies, advantages, and factors influencing their calculations. Qualitative assessments focus on the likelihood and impact of risks without dollar amounts, while quantitative assessments prioritize financial estimations for budgeting safety measures. It also mentions risk-related metrics such as MTTF, MTBF, MTTR, RTO, and RPO to aid in quantitative evaluations.
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
- 2. Page 2 Instructor, PACE-IT Program – Edmonds Community College Areas of Expertise Industry Certifications PC Hardware Network Administration IT Project Management Network Design User Training IT Troubleshooting Qualifications Summary Education M.B.A., IT Management, Western Governor’s University B.S., IT Security, Western Governor’s University Entrepreneur, executive leader, and proven manger with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required— with a focus on technology.
- 3. Page 3 PACE-IT. – Qualitative vs. quantitative risk assessments. – Other risk calculation factors.
- 4. Page 4 Risk related concepts II.
- 5. Page 5 Many businesses dedicate a fair amount of their resources—both money and time—to performing risk assessments. In most cases, the risk assessments may be broken into one of two categories. They may be either qualitative or quantitative assessments. Qualitative assessments are conducted based on the probability, or likelihood, of the risk occurring and the expected impact on the business. This type of assessment is not really concerned about the actual dollar impact. Quantitative assessments are conducted based on the projected cost in dollars if a risk event occurs. Risk related concepts II.
- 6. Page 6 Risk related concepts II. – Qualitative assessments. » Basic formula: risk = probability/likelihood X loss/impact. » Several tables are built using the variables of the formulas. • A risk table outlines the possible events (e.g., a data breach or hard drive failure). • A probability/likelihood table outlines the possibility of the event occurring (e.g., not likely, likely, or most likely) with a value assigned to the likelihood. • A loss/impact table outlines the impact to the business if the event occurs (e.g., minor, medium, or major) with a value assigned to the loss. » The tables are used collectively to create the qualitative risk assessment. » Often, qualitative assessments are used to determine which assets and risks require a quantitative risk assessment. • Quantitative risk assessments require more time and effort.
- 7. Page 7 Risk related concepts II. – Quantitative assessments. » Involve using the actual cost of a threat event to help determine how much to spend on preventative measures. • It doesn’t make sense to spend more than the actual cost. » Quantitative risk assessments can help when budgeting for a security solution to reduce the risk of occurrence. • Step 1: determine the value of the asset (may be the cost to replace, the cost of downtime, etc.). • Step 2: determine the exposure factor (EF)—the cost of a threat event expressed as a percentage of the value of the asset. • Step 3: determine the single loss expectancy (SLE)—the value multiplied by the EF. • Step 4: determine the average rate of occurrence (ARO)— the number of times the threat event is estimated to occur each year. • Step 5: determine the average loss expectancy (ALE)—the SLE multiplied by the ARO. • Step 6: determine what security solution (that falls below the ALE) will mitigate the risk.
- 8. Page 8 Risk related concepts II.
- 9. Page 9 Risk related concepts II. – MTTF (mean time to fail). » The average time a device is expected to be operational in production before it fails—usually as reported by the manufacturer (non-recoverable occurrence). – MTBF (mean time between failures). » The average time between failures of a system or device. – MTTR (mean time to restore/recover). » The average time required to restore or recover when a failure occurs. – RTO (recovery time objective). » The amount of allowable time before a system or device can be down (e.g., one hour, 24 hours, or 15 minutes). – RPO (recovery point objective). » Represents the portion of the system that is expected to be recovered after a failure (e.g., all of it or from the point of last backup).
- 10. Page 10 Risk related concepts II. Qualitative risk assessments are subjective assessments based on the likelihood of occurrence and the expected impact (risk = likelihood X impact). Quantitative risk assessments require more resources to conduct, but put an expected dollar amount on a risk event (ALE = SLE X ARO). Quantitative assessments can be used to determine how much money can be spent on mitigation. Topic Qualitative vs. quantitative risk assessments. Summary When conducting a quantitative risk assessment, there are some factors that may come into the cost equations. They include: MTTF, MTBF, MTTR, RTO, and RPO. Other risk calculation factors.
- 12. This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53. PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.