Basic Security Principles & Terms II / Basic Risk Concepts pt. 1
Subtitles of the Movie
Now that we've talked about vulnerabilities, threats and exposures, attack vectors and defense concepts, let's try to tie all this together and talk about basic risk concepts. Now, risk is something that we deal with every day, whether we know it or not. Risk analysis and risk management basically are used to determine how well our assets are protected and whether they need additional protection. And we don't just make those decisions in an arbitrary way. We often have to figure out what our assets are worth and what the risk of something happening is, and there are other factors that go in there as well. Let's talk about what risk is. Some people might say that risk is the likelihood that an event detrimental to security will occur. And that's probably accurate. Let's get a little bit more specific in terms that we've already discussed. It's the likelihood that a threat agent will exercise a threat against a particular vulnerability, resulting in an exposure. And again, this may not necessarily be just an attack. It may be a natural disaster, it may be some other kind of human factor or it may be a technological problem. Risk analysis and risk management are two closely related concepts and sometimes they are used interchangeably, but they're not necessarily the same thing. Risk analysis basically helps you to determine what the risk is to your security posture in terms we've already discussed, such as threat, vulnerability and exposure. Risk management, on the other hand, seeks to evaluate the risk and, once you have that, to figure in the asset value and the mitigation cost and then reduce that risk. There are generally two kinds of risk analysis that we see: a quantitative and a qualitative risk analysis. Let's talk about what each one of those is.
A quantitative risk analysis essentially is a risk analysis or risk assessment that tries to express risk and mitigation of risk in terms of concrete numbers: ratios, percentages, the probability of an event happening. It takes into account various numerical factors and expresses the risk in numerical terms and so forth. Quantitative risk analysis basically is good if you have a lot of data and a lot of statistical research to back it up. But there's also qualitative risk analysis, and qualitative risk analysis may be a better way to do it. Qualitative risk analysis also uses numbers to a certain degree, but it tends to express risk in terms of high, medium or low values. It's a little bit less heavy on the numerical computations than quantitative risk analysis is. Now, believe it or not, even though we live in a numbers world, even in business we actually see qualitative risk assessments done more often than quantitative because, again, we're dealing with people and we're also dealing with some factors that sometimes can't be quantified. So sometimes we have to use our best judgment based upon experience, or we have to use historical trends that may tell us what the likelihood of a certain event happening is. So we tend to use qualitative risk assessments a little bit more, and those are the ones that you're most likely to come in contact with on a daily basis. They're also the easiest to do. A qualitative risk assessment uses an asset value, a cost of risk reduction or mitigation and other values to assess risk and determine whatever required protection there is for the asset. We're going to give you an example of how risk can be calculated, but let's first talk about a few things that you can do with risk and how you can deal with risk as a business or even as an individual. We've already talked about the fact that risk can be reduced or mitigated. Fair enough.
We can apply a patch to an operating system and reduce the risk that that operating system will be exposed through a certain vulnerability. No problem. Risk can also be transferred, and when we say transferred, basically we're saying that another individual or another entity can assume the risk that we have incurred. A good example of this is insurance. You can transfer your risk to an insurance company. You can insure your business assets and so forth, so if something happens, let's say a hurricane for example, insurance assumes that risk and the insurance company is going to pay you money for those assets. That's one way you can deal with risk. Another way, and unfortunately sometimes this happens more often than you might think, is that risk can be ignored. That is an action you can take. Unfortunately, risk generally doesn't go away by being ignored, so it's probably not the best course of action you could take. One thing you probably need to know is that risk can almost never be eliminated. There's always going to be some residual risk left over, even after mitigation. I mean, it may be an extremely small level of risk, which is what you want, but the fact is it's still there. About the only way I can think of that you could actually eliminate the risk is to eliminate whatever is posing the risk in the first place. So if there are risks to your system, well, you could shut the system down and never plug it into the network. But then it wouldn't be very effective, would it? So risk can almost never be eliminated in the real world. Let's go through a few more basic risk terms and then I'll give you an example of how risk can essentially be calculated or managed. First, let's look at the concept of an asset. An asset basically is anything that you have in your business or even your home that's valuable to you. OK? It could be the system, the computer itself, but it could also be data, especially in a business. Data is a very valuable asset.
Now, assets are normally expressed in terms of, you guessed it, dollars. We express an asset in terms of its monetary value, its worth. Assets can be tangible, such as servers or computer equipment and so forth, or they can be intangible. Sometimes data is considered intangible because it's hard to put a price tag on it. Something else, like customer relations, for example. Good customer relations. That's hard to put a price tag on. You still put a dollar value on intangible assets if possible. For example, you could put a monetary value on your good customer relations by saying, if I didn't have these good customer relations, that would impact me in sales and I would lose X number of dollars per day. You could express it like that. You could also do the same thing with data, such as your customer list. If that customer list were suddenly stolen or compromised to a competitor, how many dollars per day would that cost you? Another term that we need to be familiar with is single-loss expectancy. Now, a single-loss expectancy might be expressed as a dollar value: how much money you would lose if you lost the asset. Now, with something tangible like a computer, that probably is fairly easy to calculate. If you lost a 500 dollar computer, then you would think your single-loss expectancy would be 500 dollars. Well, what if that asset also generated income every day? What if that 500 dollar computer generated X number of dollars per day and, let's say, you lost that 500 dollar computer? Your single-loss expectancy would be much more than just the cost of the computer. It would also include how much income you lost because that asset wasn't there. So sometimes single-loss expectancy can be a little bit more difficult to figure up. We abbreviate single-loss expectancy as SLE, and we're going to need to know that in a few minutes when we talk about the formulas for risk. There's also something called an annualized rate of occurrence, or ARO.
Now, an ARO is very simple. It's essentially how many times I expect a certain event to occur in one year. Let's say I do research at the National Weather Center and discover that tornadoes occur on average five times per year in the area where I live. We might say then that the ARO would be five, because a tornado, which might be what we're trying to protect against, would occur five times a year.
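The lesson leaves the actual risk formulas for later, but the terms it has defined so far (asset value, SLE including lost income, ARO, mitigation cost, residual risk) are enough to work a small example. The following Python is an added illustration, not part of the course material: it computes the SLE for the 500 dollar computer using a constructed income-per-day and downtime figure, takes the tornado ARO of five per year from the text, and then multiplies the two to get an annualized loss expectancy (ALE = SLE x ARO, the standard quantitative formula, which the lesson has not yet introduced). The high/medium/low thresholds and the mitigation figures are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """An asset valued in dollars, including the income it generates."""
    name: str
    replacement_cost: float   # tangible value, e.g. the 500 dollar computer
    income_per_day: float     # income lost for each day the asset is unavailable
    days_to_replace: float    # expected downtime after a total loss


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: what one loss of the asset costs.

    As the lesson points out, this is more than the price tag when the asset
    earns money every day, so lost income during the downtime is added in.
    """
    return asset.replacement_cost + asset.income_per_day * asset.days_to_replace


def annualized_rate_of_occurrence(observed_events: int, years_observed: float) -> float:
    """ARO: how many times per year the event is expected, from historical counts."""
    return observed_events / years_observed


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the standard quantitative risk formula (assumed here)."""
    return sle * aro


def qualitative_rating(ale: float, thresholds=(1_000.0, 10_000.0)) -> str:
    """Map a dollar ALE onto the high/medium/low scale a qualitative assessment uses.

    The dollar thresholds are assumptions; a real assessment sets them per organization.
    """
    low_cutoff, high_cutoff = thresholds
    if ale < low_cutoff:
        return "low"
    if ale < high_cutoff:
        return "medium"
    return "high"


def mitigation_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net yearly benefit of a control: risk removed minus what the control costs.

    ale_after is the residual risk; it is rarely zero, which is the lesson's point
    that risk can almost never be eliminated.
    """
    return (ale_before - ale_after) - annual_control_cost


def worked_example() -> dict:
    # Constructed figures: the 500 dollar computer from the lesson, assumed to
    # earn 200 dollars a day and to take 3 days to replace.
    computer = Asset("workstation", replacement_cost=500.0,
                     income_per_day=200.0, days_to_replace=3.0)
    sle = single_loss_expectancy(computer)             # 500 + 200 * 3 = 1100
    aro = annualized_rate_of_occurrence(5, 1.0)         # five tornadoes per year
    ale = annualized_loss_expectancy(sle, aro)          # 1100 * 5 = 5500
    # Assumed control (e.g. off-site backups and a spare machine) cutting the
    # downtime to zero but leaving the replacement cost: residual SLE is 500.
    residual_ale = annualized_loss_expectancy(500.0, aro)
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "rating": qualitative_rating(ale),
        "residual_ale": residual_ale,
        "net_mitigation_value": mitigation_value(ale, residual_ale, 1_000.0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Note that the residual ALE stays above zero even after the control is applied, which is what the lesson means by residual risk; transferring the risk (insurance) would be modelled the same way, with the premium as the annual cost and the payout reducing the residual SLE.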
Tutorial Information
| Course: | Fundamentals of Computer Security |
| Author: | Bobby Rogers |
| SKU: | 33874 |
| ISBN: | 1-934743-69-0 |
| Release Date: | 2008-05-21 |
| Duration: | 8.5 hrs / 92 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux, QuickTime 7, Flash 8 |