Quantitative vs. Qualitative Analysis Assignments

risk_ppt15_l05.pptx

Managing Risk in Information Systems

Lesson 5

Defining Risk Assessment Approaches

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective and Key Concepts

Learning Objectives

Describe techniques for identifying and analyzing relevant threats, vulnerabilities, and exploits

Key Concepts

Definition of a risk assessment

Components of risk assessments

Qualitative vs. quantitative risk assessment

When to perform risk assessments


DISCOVER: CONCEPTS


What is Risk Assessment?

Key step in a risk management process

Determination of quantitative or qualitative value of risk

Conducted for a concrete situation and a recognized threat

Used to help identify which safeguards to implement

Required for evaluating risk or control

Often conducted after implementation of a control


Critical Components of Risk Assessment

Determine scope of assessment

Identify critical areas

Identify team


Identify Potential Scope for Web Server RA

Web server

Database server

Firewalls

DMZ


Quantitative and Qualitative RAs

Quantitative Risk Assessments

Calculates absolute financial values, losses, and costs

Qualitative Risk Assessments

Calculates relative values, losses, and costs


Comparing Assessment Methods

Quantitative

Objective

Monetary values

Historical data

Key terms:

SLE, ARO, ALE

Qualitative

Subjective

Word values

Expert opinions

Key terms:

Probability and impact


Risk Assessment Challenges

Using a static process to evaluate a moving target

Availability

Data consistency

Estimating impact effects

Providing results that support resource allocation and risk acceptance


DISCOVER: PROCESS


Qualitative Risk Assessment

Subjective

Probability

The likelihood that a threat will exploit a vulnerability

Impact

The negative result if a risk occurs


Using a Risk Matrix

Matching probability and impact
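The following is an added worked example, not code from the Jones and Bartlett lesson. It puts the two methods compared in the slides side by side: the quantitative key terms (SLE, ARO, ALE) applied to the web-server scope, using the standard formulas SLE = asset value x exposure factor and ALE = SLE x ARO, and a qualitative risk matrix that matches probability against impact. The 3x3 matrix, the dollar figures and the control costs are all constructed for illustration.

```python
# Added worked example (not from the Jones & Bartlett slides). Standard
# quantitative formulas behind the slide's key terms:
#   SLE = asset value * exposure factor        (single loss expectancy)
#   ALE = SLE * ARO                            (annualized loss expectancy)
# The 3x3 matrix and all dollar figures below are constructed for illustration.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Loss from one occurrence; exposure_factor is the fraction (0..1)
    of the asset's value lost in a single incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Expected loss per year; aro = occurrences per year (0.5 = every 2 years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its running cost.
    Positive means the safeguard pays for itself (the 'reduce ALE' slide)."""
    return (ale_before - ale_after) - annual_cost

# Qualitative side: word values only. Rows = probability, columns = impact.
LEVELS = ("Low", "Medium", "High")
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}

def qualitative_risk(probability: str, impact: str) -> str:
    """Match probability against impact in the matrix; rejects values
    outside the agreed word scale so assessors cannot invent a fourth level."""
    if probability not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[probability][impact]

if __name__ == "__main__":
    # Constructed web-server scenario: $200,000 of server plus data, a
    # compromise costs 40% of it, expected about once every two years.
    sle = single_loss_expectancy(200_000, 0.4)       # 80,000
    before = annualized_loss_expectancy(sle, 0.5)    # 40,000 per year
    after = annualized_loss_expectancy(sle, 0.1)     # 8,000 with a control in place
    print(f"SLE={sle:,.0f}  ALE before={before:,.0f}  after={after:,.0f}")
    print("net safeguard value:", safeguard_value(before, after, 15_000))   # 17,000
    print("qualitative rating:", qualitative_risk("High", "Medium"))       # High
```

The quantitative half gives management a dollar figure to set against a control's annual cost; the qualitative half gives the same decision as a word rating when no historical loss data exists.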


DISCOVER: ROLES


Risk Management Functions

Senior Management

IT Management

Functional Management & Employees

Contractors/Vendors


12/12/2012


DISCOVER: CONTEXT


When Should Risk Assessment Be Conducted?

Prior to work that initiates risk

Periodically after initial RA

RA is a point-in-time assessment


When Should Risk Assessments Be Reviewed?

New equipment

New software

New procedures

New business hazards

Periodically (such as annually)

During any significant change


DISCOVER: RATIONALE


Why is Risk Assessment Important?

Protect Assets

Avoid down time


Protecting Your Assets

Hardware Assets

Software Assets

Personnel Assets

Data and Information Assets


Avoiding Down Time

Down time creates potential loss

Staying on schedule is critical to production

Enhances customer relationships

Reduces SLE and ALE costs


Summary

Definition of a risk assessment

Components of risk assessments

Qualitative vs. quantitative risk assessment

When to perform risk assessments
