Monday, February 14, 2011

Performing an Initial Risk Assessment

Risk assessment can be achieved by one of two methods: qualitative or quantitative.

Qualitative assessment does not attempt to assign dollar values to components of the risk analysis. It ranks the seriousness of threats and the sensitivity of assets into grades or classes, such as low, medium, or high.

Quantitative assessment deals with numbers and dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis. The quantitative assessment process involves these three steps:
1. Estimate potential losses: Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF).
2. Conduct a threat analysis: the goal here is to estimate the Annualized Rate of Occurrence (ARO), a numeric value representing how many times the event is expected to happen in one year.
3. Determine the Annual Loss Expectancy (ALE): ALE = SLE x ARO.
The goal of this task is to conduct these three steps of the quantitative risk assessment process.

Scenario
You have been asked to perform a quantitative risk assessment for a small startup web
graphics firm.


Scope of Task

Duration
This task should take about 30 minutes.

Setup
For this task you need access to a pen and paper. In real life, assessments require knowledge
of assets, an analysis of threats, and a team of people to help in understanding what is truly
important to the organization. These people should be from key departments of the company
to get a more rounded view. I think in this case, to make this differ from the Equipment Used
section below, we need to also discuss some of the personal info that you would use. That is,
do you need to interview anybody? Do you need other information—company assets, etc.—
to make an informed risk assessment plan?

Caveat
In real life, risk assessment is a complex process that is usually done with the aid of software
tools that perform all the calculations.

Procedure
In this task, you will learn how to perform a quantitative risk assessment.

Equipment Used
For this task you must have:
Paper
Pen

Details
This task will introduce you to the risk assessment process. This is a critical step in the security
process since an organization must determine what is most critical and apply cost-effective
countermeasures to protect those assets. A quantitative risk assessment attempts to put dollar
amounts on those risks, which makes it a valuable tool when working with management to
justify the purchase of countermeasures.
 
Estimating Potential Loss
Your first step in the risk assessment process is to estimate potential loss. This is performed
by multiplying the asset value by the exposure factor (SLE = AV x EF). The asset value is what the asset is
worth. The exposure factor is the percentage of the asset's value that would be lost or damaged in one single attack; it is a proportion between 0 and 1, not a dollar amount.


Conducting a Threat Analysis
For each threat, turn the observed frequency into an Annualized Rate of Occurrence (ARO = events / years):
Stolen equipment
Based on information provided by actuary tables, there is the possibility that your organization will lose equipment, or have its equipment compromised, once in a five-year period (ARO = 1/5 = 0.2).
Hardware failure
By examining past failure rates of equipment, you have determined that it has happened twice in the last eight years (ARO = 2/8 = 0.25).
Computer virus
Historical data shows that the company has been seriously affected only once in the last two years (ARO = 1/2 = 0.5).
DoS attack
Your research has shown that the average company in your field is affected by denial of service (DoS) up to three times every 12 years (ARO = 3/12 = 0.25).
Short-term outage
Trouble tickets from the help desk indicate that three-fourths of all trouble tickets in one year are related to some type of outage. A share of tickets is not an ARO by itself; multiply it by the number of tickets raised in that year to get the expected number of outages per year.

Determining the Annual Loss Expectancy
With an SLE and an ARO for each threat, you are now ready to complete the final step of the risk assessment process: multiply SLE by ARO to get the ALE for each threat, then rank the threats by ALE to see where spending on countermeasures is justified.
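The three steps carried through for the scenario, as an added worked example that is not part of the original task text. The event frequencies are the ones given in the threat analysis above; every asset value, exposure factor, yearly ticket count and control cost is an assumed figure chosen for illustration, not data from the scenario. It also shows the cost-justification check a quantitative assessment is meant to support: the yearly value of a countermeasure is the ALE it removes minus what it costs per year.

```python
"""Quantitative risk assessment worked through for the scenario above.

SLE = AV x EF, ARO = events / years, ALE = SLE x ARO. The event frequencies
come from the threat analysis in the text; every dollar amount, exposure
factor, ticket count and control cost below is an ASSUMED figure.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV in dollars (assumed)
    exposure_factor: float  # EF: fraction of AV lost in one incident (assumed)
    events: float           # incidents observed or expected ...
    years: float            # ... over this many years

    def __post_init__(self) -> None:
        # EF is a proportion, not a dollar figure: a common modelling mistake
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must lie in [0, 1]")
        if self.years <= 0 or self.events < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: AV and events must be >= 0, years > 0")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: dollar loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: expected occurrences per year."""
        return self.events / self.years

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: expected dollar loss per year."""
        return self.sle * self.aro


# Frequencies from the scenario; AV and EF are assumptions.
STOLEN   = Threat("Stolen equipment",  25_000, 1.00, events=1, years=5)   # once in five years
HARDWARE = Threat("Hardware failure",  25_000, 0.20, events=2, years=8)   # twice in eight years
VIRUS    = Threat("Computer virus",    60_000, 0.10, events=1, years=2)   # once in two years
DOS      = Threat("DoS attack",       120_000, 0.05, events=3, years=12)  # three times in 12 years

# The text only says three-fourths of a year's tickets are outages; an ARO
# also needs the ticket volume. 40 tickets per year is an assumed figure.
TICKETS_PER_YEAR = 40
OUTAGE = Threat("Short-term outage", 120_000, 0.005,
                events=0.75 * TICKETS_PER_YEAR, years=1)

THREATS = [STOLEN, HARDWARE, VIRUS, DOS, OUTAGE]

# Assumed control: UPS plus spare hardware at $4,000/yr cuts outages to 6/yr.
UPS_COST_PER_YEAR = 4_000
MITIGATED_OUTAGE = replace(OUTAGE, events=6)


def assess(threats):
    """Steps 1-3 for every threat, ranked by ALE (highest first)."""
    rows = [{"name": t.name, "SLE": round(t.sle, 2), "ARO": round(t.aro, 4),
             "ALE": round(t.ale, 2)} for t in threats]
    return sorted(rows, key=lambda r: r["ALE"], reverse=True)


def total_ale(threats):
    """Expected yearly loss across the whole threat list."""
    return sum(t.ale for t in threats)


def control_value(before, after, annual_control_cost):
    """Net yearly value of a countermeasure: (ALE before - ALE after) - cost.
    A positive result is the cost-justification the text describes."""
    return (before.ale - after.ale) - annual_control_cost


if __name__ == "__main__":
    for r in assess(THREATS):
        print(f"{r['name']:<18} SLE ${r['SLE']:>9,.2f}  ARO {r['ARO']:>6}  ALE ${r['ALE']:>9,.2f}")
    print(f"Total ALE: ${total_ale(THREATS):,.2f}")
    print(f"UPS/spares net value: ${control_value(OUTAGE, MITIGATED_OUTAGE, UPS_COST_PER_YEAR):,.2f}")
```

With the assumed figures, the short-term outage ranks first by ALE even though each outage is cheap, because its ARO is two orders of magnitude higher than the others; the UPS control clears the justification check because the ALE it removes exceeds its yearly cost. Swap in the firm's real asset values and exposure factors and the same code produces the ranking management actually needs.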

 
