## Thursday, January 24, 2019

### On Security - Quantitative Risk Analysis

Quantitative risk analysis is laborious but straightforward. The benefit for companies that practice it is huge, because purely subjective analysis can lead to decisions that are far from ideal.

Since I am mentioning risk analysis in all my Secure Translation posts, I figured that I should have a dedicated post about how to get quantitative risk analysis in place.

Start with a simple spreadsheet that includes each affected asset name, the asset value (AV), the threat, the annualized rate of occurrence (ARO), the exposure factor (EF), the single loss expectancy (SLE=AV*EF), the annualized loss expectancy without a safeguard (ALE1=ARO*SLE), the annual cost of safeguard (ACS), the ALE after safeguard (ALE2), and the Value (Cost or Benefit) of the Safeguard (VS=(ALE1-ALE2)-ACS).

An objective analysis demands that we calculate the annualized loss expectancy of every asset accompanied by a decision about mitigation or acceptance of risk.

For example: if a printer used to send checks breaks, what is the impact to the business?

To answer this question, first record the asset value. Let us say the printer costs \$1000, so that is the asset value (AV).

Let us say that this threat has an annualized rate of occurrence (ARO) of 2, which means that the printer is expected to break twice in a year.

Let us say that the exposure factor (EF) is 1, which means that 100% of the asset value is lost if the risk materializes (in the USA the usual practice is to replace rather than to repair ... unfortunately).

The single loss expectancy is SLE=AV*EF=\$1000*1=\$1000 and the annualized loss expectancy without a safeguard is ALE1=ARO*SLE=2*\$1000=\$2000.

To mitigate this exposure, the risk committee debates possible safeguards, for example going OPEX, which allows a printer provider to guarantee a replacement printer within 24 hours. Let's say that this agreement for the printer has an annual cost of safeguard (ACS) of \$1000/year and that with it we totally eliminate the risk, resulting in a new ALE2 of \$0.

We then calculate the value of the Safeguard (VS=(ALE1-ALE2)-ACS=\$2000-\$0-\$1000=\$1000).

This is repeated with all possible safeguards and the company picks the one with the highest value; a negative VS means the safeguard costs more per year than the loss it avoids.

Of course this gets a bit more complicated because an investment usually protects multiple assets but I leave that part as a homework ;-)
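Here is the spreadsheet from the post as a small Python calculation, written as an added example (not from the original post). It reproduces the check-printer case and also handles the "homework" case of one safeguard protecting several assets by summing the ALE reduction over every asset the safeguard covers before subtracting its ACS. The signing workstation and the second and third safeguards are constructed sample data, not figures from the post.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One spreadsheet row: the asset, its value and the threat parameters."""
    name: str
    av: float   # asset value (AV), in dollars
    aro: float  # annualized rate of occurrence (ARO) of the threat
    ef: float   # exposure factor (EF): fraction of AV lost per occurrence

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0 or self.aro < 0 or self.av < 0:
            raise ValueError(f"invalid risk parameters for {self.name}")

    def sle(self) -> float:
        return self.av * self.ef        # SLE = AV * EF

    def ale(self) -> float:
        return self.aro * self.sle()    # ALE1 = ARO * SLE (no safeguard)


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float                                  # annual cost of safeguard (ACS)
    ale2: dict = field(default_factory=dict)    # asset name -> ALE after safeguard


def safeguard_value(assets, sg) -> float:
    """VS = sum over protected assets of (ALE1 - ALE2) - ACS.
    Assets the safeguard does not cover contribute nothing; a negative VS
    means the safeguard costs more than the loss it avoids."""
    reduction = sum(a.ale() - sg.ale2[a.name] for a in assets if a.name in sg.ale2)
    return reduction - sg.acs


def rank_safeguards(assets, safeguards):
    """Safeguards ordered by VS, best first; the committee picks the top one."""
    return sorted(safeguards, key=lambda s: safeguard_value(assets, s), reverse=True)


# Constructed sample data: the post's check printer plus a hypothetical
# check-signing workstation, and three hypothetical safeguards.
ASSETS = [
    Asset("check printer", av=1000, aro=2, ef=1.0),          # ALE1 = 2 * 1000 = 2000
    Asset("signing workstation", av=2000, aro=0.5, ef=0.5),  # ALE1 = 0.5 * 1000 = 500
]
SAFEGUARDS = [
    Safeguard("OPEX printer, 24h replacement", acs=1000, ale2={"check printer": 0}),
    Safeguard("spare printer on the shelf", acs=600, ale2={"check printer": 500}),
    Safeguard("hardware support for both", acs=1200,
              ale2={"check printer": 0, "signing workstation": 100}),
]

if __name__ == "__main__":
    for sg in rank_safeguards(ASSETS, SAFEGUARDS):
        print(f"{sg.name:32} VS = ${safeguard_value(ASSETS, sg):,.0f}")
```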