
Risk Management - Quantitative risk assessment

The name kind of gives away the type of assessment we are talking about. "Quantitative", according to Google Translate:

relating to, measuring, or measured by the quantity of something rather than its quality.

Well, although it is most likely not always going to be the case that you can place a $ value on a risk, with quantitative risk assessment that is the goal, and it can be achieved for assets that are tangible (server, safe, storage...) or intangible (patent, software...).

Step 1

Determine the asset you wish to protect and which threat is putting that asset at risk.

Step 2

AV - determine the asset value in $.

EF - assess the exposure factor, i.e. how badly the asset would be impacted if the threat were realised; the value is a %.

SLE = AV * EF, the single loss expectancy, or in other words the $ value of a single incident.

ARO - annual rate of occurrence: basically a count of how many times we expect that incident to happen in 1 year. It can be a whole number or a fraction; for example, if we know that a major earthquake in our area can happen once every 100 years, then the ARO would be 1/100 = 0.01.

ALE = SLE * ARO, the annual loss expectancy, takes the single loss $ value times the annual rate and gives us the $ value of our risk per year.

Now that is not the whole deal: once we have the $ value of our risk we want to see if we can reduce it, or alternatively we need to accept it if, for example, the cost of the reduction is more expensive than the risk itself.

Step 3

So the next step is to identify the risk mitigation / reduction tools (safeguards), and once we understand them we need to go back and recalculate the ALE after implementing our safeguards.

ALE1 (before implementing safeguards)
ALE2 (after implementing safeguards), or residual risk
Safeguards - FW, IPS/IDS, fence, fire system

ALE1 - ALE2 - Safeguards (their cost) = Risk Mitigation Value

A negative risk mitigation value is tricky, as there is no clear return on investment for placing the countermeasures, so your other options are:

Accept the risk by an executive decision that must be documented.
Share the risk, for example by buying an insurance policy.
Avoid the risk: you cannot always do this, but if possible, avoiding an activity or usage may eliminate the risk.

Note: ignoring the risk is never a valid option!
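As an added worked example (not part of the original post), here is the Step 2 arithmetic and the Step 3 safeguard comparison run on constructed figures: a server room threatened by fire, and the same asset threatened by the once-in-100-years earthquake from above. The asset values, exposure factors and safeguard costs are assumptions chosen to show one safeguard that pays back and one case where the value goes negative.

```python
# Added example on constructed figures; the formulas follow the post (SLE = AV*EF,
# ALE = SLE*ARO, Risk Mitigation Value = ALE1 - ALE2 - safeguard cost).
from dataclasses import dataclass

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy = AV * EF. EF is a fraction (0.8 means 80 %)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be between 0 and 1")
    return asset_value * exposure_factor

def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy = SLE * ARO (ARO may be a fraction, e.g. 1/100)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro

@dataclass
class Safeguard:
    name: str
    annual_cost: float   # what the control costs per year (assumed figure)
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place

def mitigation_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Risk Mitigation Value = ALE1 - ALE2 - safeguard cost (Step 3 formula)."""
    ale1 = ale(sle(av, ef), aro)                           # before the control
    ale2 = ale(sle(av, sg.residual_ef), sg.residual_aro)   # residual risk
    return ale1 - ale2 - sg.annual_cost

def recommend(av: float, ef: float, aro: float, safeguards: list) -> tuple:
    """Pick the safeguard with the best value. If none pays back, the remaining
    options are to accept (documented decision), share (insure) or avoid."""
    scored = [(mitigation_value(av, ef, aro, s), s.name) for s in safeguards]
    best_value, best_name = max(scored)
    if best_value < 0:
        return ("accept / share / avoid", best_value)
    return (best_name, best_value)

# Constructed scenario 1: server room, threat = fire. ALE1 = 400,000 * 0.1 = 40,000 $/yr
FIRE_AV, FIRE_EF, FIRE_ARO = 500_000.0, 0.8, 0.1
FIRE_SAFEGUARDS = [
    Safeguard("fire suppression system", 12_000.0, 0.2, 0.1),  # ALE2 = 10,000
    Safeguard("hardened fire vault", 40_000.0, 0.1, 0.1),      # ALE2 = 5,000
]
# Constructed scenario 2: same asset, major earthquake once in 100 years. ALE1 = 3,000 $/yr
QUAKE_AV, QUAKE_EF, QUAKE_ARO = 500_000.0, 0.6, 1 / 100
QUAKE_SAFEGUARDS = [Safeguard("seismic bracing", 5_000.0, 0.2, 0.01)]  # ALE2 = 1,000

if __name__ == "__main__":
    print(recommend(FIRE_AV, FIRE_EF, FIRE_ARO, FIRE_SAFEGUARDS))      # fire suppression system, 18000.0
    print(recommend(QUAKE_AV, QUAKE_EF, QUAKE_ARO, QUAKE_SAFEGUARDS))  # accept / share / avoid, -3000.0
```

The fire suppression system returns 18,000 $/yr (the vault costs more than it saves), while the earthquake bracing costs more than the 3,000 $/yr it could ever save, which is the negative case where the accept / share / avoid options apply.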