10.7 A CLOSER LOOK AT QUANTITATIVE RISK ANALYSIS


Quantitative risk analysis emphasizes numerical expressions of risk in terms of an asset's financial value. Unlike qualitative risk analysis, quantitative risk analysis assigns a monetary value to all assets before applying the probability or likelihood of the loss and the severity of the impact. For organizations with poor accounting practices, quantitative risk analysis is very difficult. Assets have an initial procurement cost, and each year they depreciate in value. If you don't know the current values of your assets, you will have to embark on a complex accounting project before you can begin a quantitative risk analysis project. For some organizations, the time required to acquire the background accounting information may not be feasible given the amount of time they have to complete a full risk analysis. However, quantitative risk analysis, if done correctly, offers a closer look at whether a risk should be mitigated, weighing the cost of the asset itself against the cost of applying the safeguard.

In quantitative risk analysis, risk exposure R(E) is calculated by multiplying the likelihood of the potential loss by the severity of the potential loss. If we call the likelihood or probability of the potential loss P(L) and the severity of the potential loss S(L), our risk equation looks like this:

R(E) = P(L) × S(L)

Severity of the loss is represented as a percentage and is sometimes referred to as the exposure factor (EF). In some textbooks, you may see the above equation written as:

R(E) = P(L) × EF

If the value of a database is $100,000, and a hacker breaks in and destroys 60% of it, the value of the database has been reduced by $60,000. The reduction in value of an asset from one threat incident is referred to as a single-loss expectancy (SLE). Therefore, the SLE for the particular threat in our example is $60,000.

SLE = asset value × EF = $100,000 × 60% = $60,000

You can interchange SLE with R(E). R(E) is the generic notation for any type of risk exposure, while SLE simply specifies that what we are talking about is one incident.

It is unlikely that a hacker will break in and destroy 60% of our database every single day of the year, or even once a year. Therefore, we need to determine how many times a year we think a particular threat will exhibit itself in order to obtain more realistic SLE values. A value known as the annualized rate of occurrence (ARO) gets factored into our equation. The ARO represents the estimated possibility that a specific threat will take place within one calendar year. In short, ARO is the probability value P(L) adjusted to represent statistical yearly trends.

If ARO is really a type of P(L), it follows then that:

R(E) = ARO × S(L)

And also:

R(E) = ARO × EF

Table 14: Threat Frequencies

ARO     Yearly Frequency        Ratio
0.01    once every 100 years    1:100
0.02    once every 50 years     1:50
0.2     once every 5 years      1:5
0.5     once every 2 years      1:2
1       once a year             1:1
10      10 times a year         10:1
20      20 times a year         20:1

In our above database example, if we expect that a hacker will destroy 60% of a database once every 2 years, our risk equation is adjusted for the annualized rate of occurrence. When we use an adjusted probability such as an ARO, we say that our loss has been annualized. When we annualize our loss, we call our loss expectancy annualized loss expectancy or ALE.

ALE = ARO × (asset value × EF) = 0.5 × ($100,000 × 60%) = $30,000

Since the asset value after the loss from one incident has been applied is the same as the SLE, it follows that:

ALE = SLE × ARO

Since the probability of some risk exposures differs between geographical locations, a geographical factor needs to be taken into consideration. For example, it is much more likely that a tornado will occur in Illinois or Kansas than in, say, Maine. Likewise, it is much more likely that a hurricane will occur in Florida or North Carolina than in Colorado. Because certain risk exposures differ by geographical location, AROs are established to normalize the probability factor. ARO tables that stipulate a Local Annual Frequency Estimate (LAFE) or a Standard Annual Frequency Estimate (SAFE) are established to normalize and account for geographical differences. LAFE is the number of times a particular threat is expected to occur in a small local geographic area such as Florida, and SAFE is the number of times a particular threat is expected to occur in a larger geographic area such as North America. ARO values (LAFE or SAFE) are typically represented as decimal values of rational numbers in threat frequency tables, as seen in Table 14.

If the probability exists that a $100,000 database will be destroyed by a hurricane once every 5 years, our risk equation is calculated as follows:

R(E) = ARO × SLE = 0.2 × $100,000 = $20,000 (the SLE is the full $100,000 because the database is destroyed)

Since we are using an ARO as the multiplier, and we have adjusted our probability factor to account for yearly statistical trends, we have in fact annualized our loss. As stated previously, when we annualize our loss, our risk exposure becomes an annualized loss expectancy (ALE). In the above equation, R(E) = ALE.

Now that we have calculated the ALE, we can determine what we should spend on a particular safeguard to protect our asset. The golden rule for determining how much to spend on a safeguard is: don't spend more than the ALE. In our above example, we would not want to spend more than $20,000 to protect our database from the hurricane.

We have a maximum price that we know we should not exceed when purchasing a countermeasure such as a firewall. To find out the value of the countermeasure for each year considering its full life-cycle we use this equation:

annual cost of countermeasure = purchase cost ÷ years of useful life

Let's say a $15,000 firewall will last 3 years. Therefore, over a 3-year period:

$15,000 ÷ 3 years = $5,000 per year

Since $5,000 per year is far less than the ALE, putting the firewall in place is clearly worth it.
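The chapter's formulas (SLE, ARO, ALE and the yearly cost of a safeguard) worked through in Python on the database, hacker, hurricane and firewall figures above, as an added example that is not part of the book. The function names are my own, and annual_net_benefit goes one step beyond the chapter by netting the residual ALE left after a control against the control's yearly cost.

```python
# Added example (not from the book): the chapter's quantitative risk formulas as small,
# checked functions, run on its own $100,000 database / hacker / hurricane / firewall figures.

def aro_from_frequency(occurrences: float, years: float) -> float:
    """ARO = expected occurrences per year, e.g. once every 5 years -> 0.2 (as in Table 14)."""
    if occurrences < 0 or years <= 0:
        raise ValueError("occurrences must be >= 0 and years must be > 0")
    return occurrences / years

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, with EF the fraction of the asset lost in one incident."""
    if asset_value < 0 or not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("asset value must be >= 0 and EF must lie in [0, 1]")
    return round(asset_value * exposure_factor, 2)

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected from this threat in an average year."""
    return round(sle * aro, 2)

def annual_safeguard_cost(purchase_cost: float, lifetime_years: float) -> float:
    """One-time safeguard cost spread over its useful life ($15,000 / 3 years = $5,000)."""
    if purchase_cost < 0 or lifetime_years <= 0:
        raise ValueError("cost must be >= 0 and lifetime must be > 0")
    return round(purchase_cost / lifetime_years, 2)

def safeguard_justified(ale: float, purchase_cost: float, lifetime_years: float) -> bool:
    """The chapter's golden rule: never spend more per year than the ALE being addressed."""
    return annual_safeguard_cost(purchase_cost, lifetime_years) <= ale

def annual_net_benefit(ale_before: float, ale_after: float,
                       purchase_cost: float, lifetime_years: float) -> float:
    """Beyond the chapter: a control that only lowers EF or ARO leaves a residual ALE,
    so its value per year is (ALE before - ALE after) - yearly cost; positive pays off."""
    yearly_cost = annual_safeguard_cost(purchase_cost, lifetime_years)
    return round(ale_before - ale_after - yearly_cost, 2)

if __name__ == "__main__":
    # Hacker destroys 60% of the database once every 2 years.
    sle_hack = single_loss_expectancy(100_000, 0.60)                          # 60000.0
    ale_hack = annualized_loss_expectancy(sle_hack, aro_from_frequency(1, 2))  # 30000.0
    # Hurricane destroys the whole database (EF = 100%) once every 5 years.
    ale_storm = annualized_loss_expectancy(single_loss_expectancy(100_000, 1.0),
                                           aro_from_frequency(1, 5))           # 20000.0
    print(f"SLE ${sle_hack:,.0f}  ALE ${ale_hack:,.0f}  ALE(hurricane) ${ale_storm:,.0f}")
    # A $15,000 firewall lasting 3 years costs $5,000/year, well under the $20,000 ALE.
    print("firewall justified:", safeguard_justified(ale_storm, 15_000, 3))    # True
    print("net benefit if it removes the risk:", annual_net_benefit(ale_storm, 0.0, 15_000, 3))  # 15000.0
```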

When it comes to HIPAA, many assets are at risk. When using quantitative risk analysis, it takes a diligent program manager and an exhaustive process to ascertain the ALEs for all the assets. Without a full understanding of the process, and buy-in from the executive management team, you are better off using qualitative analysis to determine your exposure factors.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181