Domain 5 · 5.2 Risk Management

5.2.2 Risk Analysis

Qualitative, quantitative, SLE, ALE, ARO.

14 min

Risk analysis is the process of identifying potential threats and evaluating the likelihood and impact of those threats to prioritize security efforts.

Quantitative Risk Assessment This method uses objective, numerical data to determine the financial impact of a risk. While precise, it can be hindered by incomplete data or subjective "educated guesses" disguised as numbers. - Asset Value (AV): The total monetary worth of the asset (e.g., a $2M data center). - Exposure Factor (EF): The percentage of the asset lost when a specific threat occurs (e.g., a tornado causing 20% damage). - Single Loss Expectancy (SLE): The cost of a single incident. Formula: AV × EF. - Annualized Rate of Occurrence (ARO): How many times a year the event is expected to happen (e.g., 7 tornadoes/year). - Annualized Loss Expectancy (ALE): The total yearly cost of a risk, used for budgeting controls. Formula: SLE × ARO.

Qualitative Risk Assessment This method relies on professional judgment and experience rather than pure math. It is often preferred when data is subjective or difficult to quantify. - Likelihood: The probability of a threat occurring, often ranked as High, Medium, or Low. - Impact: The severity of the damage (e.g., Critical, Major, or Minor). - Risk Matrix: A visual tool (heat map) that plots Likelihood against Impact to prioritize which risks to address first.

Key Risk Concepts and States Risk is dynamic; it changes as security measures are implemented or as systems fail. - Inherent Risk: The level of risk present before any security controls or mitigations are applied. - Residual Risk: The risk that remains after a control has been implemented. Organizations must decide to accept this or add more controls. - Control Risk: The probability that an internal security control will fail to perform its intended function. - Risk Avoidance: Deciding not to engage in a specific business activity because the potential loss outweighs the benefit.

Risk Control Assessment Once a control is in place, it must be evaluated for effectiveness. - Efficiency: Does the control provide enough mitigation to justify its cost? - Secondary Risk: Does the application of a new control unknowingly create a brand-new vulnerability? - Assessment Methods: Often involve outside sources or third-party auditors to judge the quality and strength of implemented controls.

Quick Recall - Quantitative = Dollar amounts and mathematical formulas. - Qualitative = Subjective rankings and "gut feel" expertise. - ALE = SLE multiplied by ARO. - SLE = Asset Value multiplied by Exposure Factor. - Inherent = No controls; Residual = Remaining risk.