2 CISSP® Official Study Guide, Eighth Edition
Source: Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Risk Assessment/Analysis
Risk management/analysis is primarily an exercise for upper management. It is their 
responsibility to initiate and support risk analysis and assessment by defining the scope 
and purpose of the endeavor. The actual processes of performing risk analysis are often 
delegated to security professionals or an evaluation team. However, all risk assessments, 
results, decisions, and outcomes must be understood and approved by upper management 
as an element in providing prudent due care.
All IT systems have risk. There is no way to eliminate 100 percent of all risks. Instead, 
upper management must decide which risks are acceptable and which are not. Determining 
which risks are acceptable requires detailed and complex asset and risk assessments.
Once you develop a list of threats, you must individually evaluate each threat and its related risk. There are two risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset. Both methods are necessary for a complete risk analysis. Most environments employ a hybrid of both risk assessment methodologies in order to gain a balanced view of their security concerns.
Quantitative Risk Analysis
The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. This report is usually fairly easy to understand, especially for anyone with knowledge of spreadsheets and budget reports. Think of quantitative analysis as the act of assigning a quantity to risk—in other words, placing a dollar figure on each asset and threat. However, a purely quantitative analysis is not sufficient; not all elements and aspects of the analysis can be quantified because some are qualitative, subjective, or intangible.

The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you estimate the potential and frequency of each risk. This information is then used to calculate various cost functions that are used to evaluate safeguards.
The six major steps or phases in quantitative risk analysis are as follows (Figure 2.5):

1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named “Asset Valuation.”)
2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
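As an added worked example, not taken from the study guide, the following Python carries the AV, EF, SLE and ARO figures from these steps through the rest of the process that this excerpt does not reach: the annualized loss expectancy (ALE = SLE × ARO) and the standard safeguard cost/benefit formula, (ALE before) − (ALE after) − annual cost of the safeguard. The asset, threat names, exposure factors, AROs and safeguard cost are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost per occurrence (0.0-1.0)
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """Step 2: SLE = AV x EF, the loss from a single occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 4 (beyond this excerpt): ALE = SLE x ARO, the expected loss per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: positive means it is worth deploying."""
    return ale_before - ale_after - annual_cost


def assess(asset_value: float, threats: list[Threat]) -> list[tuple[str, float, float]]:
    """Return (threat name, SLE, ALE) for every threat against one asset."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(asset_value, t.exposure_factor)
        rows.append((t.name, sle, annualized_loss_expectancy(sle, t.aro)))
    return rows


# Constructed sample figures (not from the book): a customer database server.
CUSTOMER_DB_AV = 500_000.0
THREATS = [
    Threat("ransomware", exposure_factor=0.5, aro=0.5),        # one incident every 2 years
    Threat("hardware failure", exposure_factor=0.25, aro=2.0),  # twice a year
]

if __name__ == "__main__":
    for name, sle, ale in assess(CUSTOMER_DB_AV, THREATS):
        print(f"{name:18s} SLE=${sle:>10,.0f}  ALE=${ale:>10,.0f}")
    # Hypothetical safeguard (offline backups) costing $40,000/yr cuts ransomware EF to 0.125.
    ale_after = annualized_loss_expectancy(single_loss_expectancy(CUSTOMER_DB_AV, 0.125), 0.5)
    print(f"safeguard value: ${safeguard_value(125_000.0, ale_after, 40_000.0):,.0f}")
```

A safeguard whose value comes out negative costs more per year than the loss it prevents, which is the decision the report in this section is meant to support.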