Risk Analysis – Part 2

Risk is calculated for threat/vulnerability pairs. This appears simplistic and straightforward; however, assigning values to each side of the pair can be challenging, and important factors that inform the definition are omitted from this simplistic form, as we will see.

Likelihood

Likelihood can be an additional input into the risk equation beyond threat and vulnerability. A likelihood assessment attempts to determine how likely successful exploitation of the vulnerability is. Several factors inform the likelihood of successful exploitation.
These factors include:

  • Threat motivation
  • Threat capabilities
  • Ease of exploitation
  • Existing controls and countermeasures

Impact

In addition to the likelihood, the Impact attempts to determine the outcome of successful exploitation. Impact determination will necessarily consider the information system in question and the data housed or processed by the information system.

  • System-focused impact considers a system’s role in the organization
  • Data-focused impact considers the data housed on or accessible via the system

Risk Analysis Approaches

After defining the basic concepts, it is time to look at the process of risk analysis. Risk professionals don’t simply calculate risk. They analyze risk to understand it and decide which countermeasures need to be employed. The two primary approaches to risk analysis are the Quantitative approach and the Qualitative approach.

Quantitative Risk Analysis

Quantitative Risk Analysis is numerical and tied directly to money, but many organizations find it difficult to perform. A quantitative risk analysis aims to translate the likelihood and impact of a risk into a measurable quantity. It is based on realistic, measurable data and combines the impact a risk would cause with its probability of occurrence. Because the approach rests on mathematical and statistical foundations and can express risk values in monetary terms, its results are useful outside the context of the assessment (money loss is understandable for any business unit).
Quantitative risk analysis considerations:

  • Business situations that require schedule and budget control planning.
  • Large, complex issues/projects that need go/no go decisions.
  • Business processes or issues where upper management wants more detail about the probability of completing on schedule and within budget.

Advantages of using quantitative risk analysis

  • Objectivity in the assessment
  • Powerful selling tool to management
  • Direct projection of cost/benefit
  • Flexibility to meet the needs of specific situations
  • Flexibility to fit the needs of industries
  • Much less prone to arouse disagreements during management review
  • The analysis is often derived from some irrefutable facts.

Methods

  • Heuristic methods—Experience-based or expert-based techniques to estimate contingency
  • Three-point estimate—A method that uses the optimistic, most likely, and pessimistic values to determine the best estimate
  • Decision tree analysis—A diagram that shows the implications of choosing various alternatives
  • Expected monetary value (EMV)—A method used to establish the contingency reserves for a project or business process budget and schedule
  • Monte Carlo analysis—A technique that uses optimistic, most likely, and pessimistic estimates to determine the business cost and project completion dates
  • Sensitivity analysis—A method used to determine the risk that has the most significant impact on a project or business process
  • Fault tree analysis (FTA) and failure modes and effects analysis (FMEA)—The analysis of a structured diagram that identifies elements that can cause a system failure


Some fundamental values are used in quantitative risk assessment:

  • Exposure Factor (EF): % of asset value (AV) at risk due to a threat
  • Single Loss Expectancy (SLE): Asset Value (AV) x Exposure Factor (EF)
  • Annualized Rate of Occurrence (ARO): Frequency of threat occurrence per year
  • Annualized Loss Expectancy (ALE): Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
  • Total Cost of Ownership (TCO)
  • Return on Investment (ROI)
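As an added worked example (not part of the original article), the SLE and ALE formulas above applied to a constructed scenario, together with the textbook safeguard cost/benefit formula (ALE before the control minus ALE after it minus the control's annual cost), which is assumed here and not stated on the page:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair against a single asset."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year (0.1 = once per decade)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure (assumed textbook formula, not
    from the page): ALE_before - ALE_after - annual safeguard cost.
    Positive means the control costs less than the risk it removes."""
    return before.ale() - after.ale() - annual_cost


# Constructed figures for illustration only.
# A file server holding customer records: AV = 500,000. A ransomware incident
# destroys 40% of its value (EF = 0.4) and is expected once every 2 years (ARO = 0.5).
RANSOMWARE_NOW = Scenario(asset_value=500_000, exposure_factor=0.4, aro=0.5)
# With tested offline backups the same incident loses only 5% of value (EF = 0.05);
# the ARO is unchanged because backups do not stop the attack, only limit the loss.
RANSOMWARE_WITH_BACKUPS = Scenario(asset_value=500_000, exposure_factor=0.05, aro=0.5)
BACKUP_ANNUAL_COST = 30_000

if __name__ == "__main__":
    print(f"SLE now:            {RANSOMWARE_NOW.sle():>10,.0f}")           # 200,000
    print(f"ALE now:            {RANSOMWARE_NOW.ale():>10,.0f}")           # 100,000
    print(f"ALE with backups:   {RANSOMWARE_WITH_BACKUPS.ale():>10,.0f}")  # 12,500
    value = safeguard_value(RANSOMWARE_NOW, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"Net safeguard value: {value:>9,.0f} per year")                # 57,500
```

A negative result from safeguard_value is the quantitative signal that the control is not worth buying for this risk alone, which is the "direct projection of cost/benefit" listed among the advantages above.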



The Factor Analysis of Information Risk (FAIR) framework is one of the best-known quantitative risk analysis models in cybersecurity.