If you’re planning to take the SY0-501 version of the Security+ exam, you should understand risk management processes and concepts. This includes risk assessment, or risk analysis, as an important task in risk management. It quantifies or qualifies risks based on different values or judgments. A risk assessment starts by first identifying assets and asset values.
For example, can you answer this question?
Q. Your organization includes an e-commerce web site used to sell digital products. You are tasked with evaluating all the elements used to support this web site. What are you performing?
A. Quantitative assessment
B. Qualitative assessment
C. Threat assessment
D. Supply chain assessment
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Risk assessments use quantitative measurements or qualitative measurements. Quantitative measurements use numbers, such as a monetary figure representing cost and asset values. Qualitative measurements use judgments. Both methods have the same core goal of helping management make educated decisions based on priorities.
Quantitative Risk Assessment
A quantitative risk assessment measures the risk using a specific monetary amount. This monetary amount makes it easier to prioritize risks. For example, a risk with a potential loss of $30,000 is much more important than a risk with a potential loss of $1,000.
The asset value is an important element in a quantitative risk assessment. It may include the revenue value or replacement value of an asset. A web server may generate $10,000 in revenue per hour. If the web server fails, the company will lose $10,000 in direct sales each hour it’s down, plus the cost to repair it. It can also result in the loss of future business if customers take their business elsewhere. In contrast, the failure of a library workstation may cost a maximum of $1,000 to replace it.
One commonly used quantitative model uses the following values to determine risks:
• Single loss expectancy (SLE). The SLE is the cost of any single loss.
• Annual rate of occurrence (ARO). The ARO indicates how many times the loss will occur in a year. If the ARO is less than 1, the ARO is represented as a percentage or decimal fraction. For example, if you anticipate the occurrence once every two years, the ARO is 50 percent or 0.5.
• Annual loss expectancy (ALE). The ALE is the value of SLE × ARO.
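The following is an added worked example (not from the study guide) that carries the SLE, ARO, and ALE model through the web server and library workstation scenarios above. The $10,000 per hour revenue figure comes from the text; the downtime hours, repair cost, and occurrence intervals are constructed assumptions.

```python
"""Quantitative risk assessment: SLE, ARO and ALE.
Added example, not from the study guide; figures other than the
$10,000/hour web server revenue are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: dollar cost of one incident
    aro: float   # annual rate of occurrence: incidents per year (may be < 1)

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro


def aro_from_interval(years_between_occurrences: float) -> float:
    """Convert 'once every N years' into an ARO; once every two years -> 0.5."""
    if years_between_occurrences <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_occurrences


def outage_sle(revenue_per_hour: float, hours_down: float, repair_cost: float) -> float:
    """SLE for a web server outage: lost direct sales during downtime plus repair."""
    return revenue_per_hour * hours_down + repair_cost


def rank_by_ale(risks):
    """Highest ALE first: the order in which management would prioritize."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed scenario: 4 hours down and $2,000 repair are assumptions.
WEB_SERVER = Risk("web server outage",
                  sle=outage_sle(10_000, hours_down=4, repair_cost=2_000),
                  aro=aro_from_interval(2))          # once every two years -> 0.5
WORKSTATION = Risk("library workstation replacement", sle=1_000, aro=1.0)

if __name__ == "__main__":
    for r in rank_by_ale([WORKSTATION, WEB_SERVER]):
        print(f"{r.name:36} SLE=${r.sle:>9,.0f}  ARO={r.aro:.2f}  ALE=${r.ale:>9,.0f}")
```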
Qualitative Risk Assessment
A qualitative risk assessment uses judgment to categorize risks based on likelihood of occurrence (or probability) and impact. The likelihood of occurrence is the probability that an event will occur, such as the likelihood that a threat will attempt to exploit a vulnerability. Impact is the magnitude of harm resulting from a risk. It includes the negative results of an event, such as the loss of confidentiality, integrity, or availability of a system or data.
Notice that this is much different from the exact numbers provided by a quantitative assessment that uses monetary figures. You can think of quantitative as using a quantity or a number, whereas qualitative is related to quality, which is often a matter of judgment.
Some qualitative risk assessments use surveys or focus groups. They canvass experts to provide their best judgments and then tabulate the results. For example, a survey may ask the experts to rate the probability and impact of risks associated with a web server selling products on the Internet and a library workstation without Internet access. The experts would use words such as low, medium, and high to rate them.
They could rate the probability of a web server being attacked as high, and if the attack takes the web server out of service, the impact is also high. On the other hand, the probability of a library workstation being attacked is low, and, even though a library patron may be inconvenienced, the impact is also low.
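The following is an added example (not from the study guide) of tabulating the kind of expert survey described above. The five experts' low/medium/high responses are constructed, and the rule for combining likelihood and impact (the higher of the two ratings wins) is an assumption of this example, not something the text specifies.

```python
"""Qualitative risk assessment: tabulating expert survey ratings.
Added example, not from the study guide. Survey responses are constructed;
the combining rule (higher rating wins) is an assumption."""
from collections import Counter

LEVELS = {"low": 1, "medium": 2, "high": 3}


def tabulate(ratings):
    """Rating chosen by the most experts; ties resolve to the higher level."""
    counts = Counter(ratings)
    best = max(counts.values())
    return max((lvl for lvl, n in counts.items() if n == best), key=LEVELS.__getitem__)


def overall_risk(likelihood, impact):
    """Combine the tabulated ratings; assumed rule: the higher rating wins."""
    return max(likelihood, impact, key=LEVELS.__getitem__)


def assess(survey):
    """survey: {asset: {"likelihood": [...], "impact": [...]}}
    Returns (asset, likelihood, impact, overall) tuples, highest risk first."""
    results = []
    for asset, answers in survey.items():
        like = tabulate(answers["likelihood"])
        imp = tabulate(answers["impact"])
        results.append((asset, like, imp, overall_risk(like, imp)))
    return sorted(results, key=lambda r: LEVELS[r[3]], reverse=True)


# Constructed responses from five experts for the two assets in the text.
SURVEY = {
    "web server selling products": {
        "likelihood": ["high", "high", "medium", "high", "high"],
        "impact": ["high", "high", "high", "medium", "high"],
    },
    "library workstation (no Internet)": {
        "likelihood": ["low", "low", "medium", "low", "low"],
        "impact": ["low", "low", "low", "low", "medium"],
    },
}

if __name__ == "__main__":
    for asset, like, imp, overall in assess(SURVEY):
        print(f"{asset:36} likelihood={like:6} impact={imp:6} risk={overall}")
```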
Supply Chain Assessment
A supply chain includes all the elements required to produce and sell a product. As a simple example, consider the Lard Lad Donuts store. They require a steady supply of flour, sugar, eggs, milk, oil, and other ingredients. They also require equipment such as refrigerators to store raw materials, space to manufacture the donuts, and fryers to cook them. Last, they need a method to sell the donuts to customers. If any of these items fail, the company won’t be able to make and sell donuts.
It’s important to realize that the supply chain isn’t only the supply of raw materials. It also includes all the processes required to create and distribute a finished product.
A supply chain assessment evaluates these elements—the raw materials supply sources and all the processes required to create, sell, and distribute the product. In some cases, the assessment focuses on identifying risks. For example, are there any raw materials that come from only a single source? It would also examine processes and identify any tasks or steps that represent a single point of failure. If the donut store has only one fryer, it is a single point of failure. If it breaks, all sales stop.
Many organizations have mature supply chains. In other words, they have multiple sources in place for all raw materials. The failure of any single supply source will not affect the organization’s ability to create and sell its products. Similarly, they have built-in redundancies in their processes. If any internal processes fail, they have alternative methods ready to implement and keep the organization operating.
Organizations with mature supply chains still perform supply chain assessments. The goal of these assessments is to look for methods to improve the supply chain.
Q. Your organization includes an e-commerce web site used to sell digital products. You are tasked with evaluating all the elements used to support this web site. What are you performing?
A. Quantitative assessment
B. Qualitative assessment
C. Threat assessment
D. Supply chain assessment
Answer is D. A supply chain assessment evaluates all the elements used to create, sell, and distribute a product.
Risk assessments (including both quantitative and qualitative risk assessments) evaluate risks, but don’t evaluate the supply chain required to support an e-commerce web site.
A threat assessment evaluates threats.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on risk management.