CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:00
All right. Now, when we conduct assessment, I want to stress that assessment and analysis may be used interchangeably, okay? They're both, you know, different entities use different terms, but they mean the same thing. What we're determining now, the value, could be one of two types. It could be
00:17
qualitative value or quantitative.
00:21
So qualitative analysis is a starting point. You can't just jump to quantitative analysis; purely quantitative analysis is just not possible. Okay, you have to start with qualitative. And qualitative analysis is subjective. You know, when we're brainstorming,
00:41
we're doing qualitative analysis.
00:43
For instance, um,
00:46
I'm planning a picnic three weeks from now. What's something that could threaten that picnic?
00:52
All right. And I'm guessing 99% of you immediately said weather,
00:58
rain, something along those lines. I'd say 99% because there's always that 1% that's thinking, like, UFOs and alien abductions. But most of us go straight to thinking about weather. Why? Because based on our personal experiences, we know that weather can wash out picnics, right?
01:18
They could make picnics unsuccessful.
01:19
Many of us have probably been on a picnic we had to cancel because of rain. It's based on our experience and our knowledge. It didn't take anybody very long to come up with the idea of rain.
01:30
You just did. That's qualitative analysis, and that's its benefit. It's not expensive. It doesn't take a long time. We don't have to do high-end research,
01:38
but it doesn't really tell me how much money I should spend to mitigate the threat of rain.
01:45
Right? The risk of rain. It just tells me that, hey, this is something I'd better address. A lot of times with qualitative analysis, one way that we can get honest feedback from individuals and our subject matter experts, and whoever we're working with, is to use what's called the Delphi technique,
02:04
and the Delphi technique
02:07
is an anonymous survey. So I might send out a survey: don't put your name on it, fill out this chart, or allow people in some way to provide that feedback anonymously. People are more honest when they're allowed to give anonymous feedback.
02:23
All right, so that's my qualitative analysis. Often, when we're talking about qualitative analysis or qualitative assessments, we might use what we refer to as a probability and impact matrix. So in this instance, we might say Okay, on a scale of
02:42
high, medium low.
02:44
If we think about, um,
02:46
malware exploits to systems, how likely is that to happen if we don't do anything? If we don't do anything, that's a real high likelihood.
02:57
Well, how big an impact would it be? Very high impact. So when you've got things that are high impact and high probability, that tells me we need a very active mitigation strategy. We're not just gonna sit back and hope it doesn't happen.
03:13
Now, as I prioritize things lower, well, then I may be more willing to have a more relaxed mitigation strategy.
03:22
That's the purpose of qualitative analysis. Really, what I could do with my qualitative assessments, you know, once I have this kind of risk ranking, then I can sort and basically say, okay, so in this chart, anything that has a value of two or less, maybe,
03:39
you know, maybe, uh, top priority,
03:45
and anything three or below, whatever, you know, maybe low priority. But ultimately, it's just a way of identifying and prioritizing risks. What I'd really like to get to, and I can't do this for everything, I'd like to get a quantitative analysis.
04:00
Tell me the dollars: how much money is associated with this risk? What do I stand to lose? Because if you tell me that per year, I'm currently losing $8000,
04:14
but you can
04:15
eliminate that risk for $1000, that's a really good deal to me,
04:20
right? It's that quantitative analysis that allows us to make good business decisions. Quantitative analysis ultimately provides justification for our mitigation strategy.
04:32
All right, cost benefit analysis, quantitative analysis. This is how we determine, and we make a good business decision on how we mitigate risk.
04:44
All right, now you know
04:46
class is just not fun if there isn't some math, if there aren't some formulas and some definitions to memorize. I would hate to disappoint. So for your enjoyment, I have an entire slide full of terms to memorize. Here's what I find: people make way too big a deal
05:05
of what's here.
05:08
Hey, people get all tied up in the "Oh, my gosh, I've gotta memorize a formula" that they just stop and think about what these things mean.
05:16
All right, so what I'm trying to figure out
05:20
ultimately what's most helpful to me,
05:24
SLE and ALE. This is kind of what I'm trying to work towards: a single loss expectancy. I want to know, every time this risk event materializes, what does it cost?
05:35
Hey,
05:38
single loss expectancy. But
05:42
even if it's something that has a huge single loss expectancy, that only happens once every 100 years, I don't, you know, it's not a big deal. So in addition to wanting to know the single loss expectancy, I'd also like to know the annual loss expectancy.
05:56
So in the grand scheme of things, what does it break down to on a yearly basis? Right, that's much more manageable.
06:02
Every time I have a fire, it might cost me half a million dollars. But how often do I have a fire?
06:10
So
06:11
ultimately, what we're working for is to figure out a single loss and then ultimately an annual loss. So let's work with single loss expectancy first. Okay,
06:21
so
06:24
every time the risk event happens, what does it cost me?
06:27
Easiest way to think. All right, um,
06:32
in order to figure out single loss expectancy, we use two values: asset value and exposure factor.
06:41
Okay?
06:42
We said, always start with the value of your asset. I have a $300,000 warehouse. Well, that's your asset value,
06:48
pure and simple.
06:51
What's the value of what you're protecting? Now, if you were to see questions on the exam about this, they're not going to try to get fancy or trick you. If I tell you the value of my warehouse is $300,000,
07:04
that's what the value is, right? You don't have to think, well, yes, but as the real estate market improves, and when we think about interest, we'll think about, you know, maybe in five years...
07:16
Let your mind rest. If I tell you the value of the warehouse is $300,000, that's what it's worth. OK, so don't overthink these. Now, an exception to that is I have a $300,000 warehouse that houses $75,000 worth of equipment. Well, in that case, you do have to add them together,
07:36
right, because it's the cumulative value,
07:39
but ultimately, single loss expectancy: when this threat happens, when it materializes, how much of my asset do I lose? All right, so let's talk about maybe fire,
07:53
Okay?
07:56
I can figure out the value of my asset. I've got a $300,000 warehouse. It can be difficult to figure out exposure factor for something like fire, right? Because exposure factor is how much of the asset will I lose? Well, if I have a fire, how much of my home or how much of my warehouse
08:13
will be compromised, will be destroyed?
08:16
I don't know.
08:18
Well, that's not what this test is about. I don't have to come up with that value or justify it. I just gotta plug the numbers into a formula. Right. That's the real work of risk management, though, is determining, okay, here is the amount of damage that this house will suffer.
08:35
They're not trying to test if you're gonna be an insurance agent here, an actuary. They just want to know, do you get it?
08:41
Okay, so exposure factor is what percent of loss the asset will suffer. In reality, I could talk to insurance agents. You know, if we're gonna use this example of a fire, I could look at the building material
08:56
that's used for the building. I could look at what we store. I could think about proximity to fire,
09:03
a fire department. I can think about, you know, there are a million things. The bottom line is, not my problem. Okay, so all of this said, I want to figure out how much money it costs me every time I have a fire in my warehouse. All right, well, my warehouse is worth $300,000.
09:22
Every time there's a fire,
09:24
I lose 50% of the asset. Okay, I lose 50% of my building. So every time there's a fire, what does it cost me?
09:31
Costs me $150,000, right? I lose 50% of a $300,000 asset.
09:39
They won't do any crazy math, like, you know, 37.9% of $439,016. It's gonna be very basic. And all they're trying to test for is, do you get the highlights of risk analysis? So every time I have a fire, I lose $150,000.
10:00
But we know I'm not gonna have a fire three times a year.
10:03
I may have a fire once every 10 years or once every 20 years, so that's really going to drive my annual loss expectancy. We've already figured out our single loss expectancy. Right. I'm gonna lose 50% of a $300,000 asset
10:18
$150,000 single loss expectancy
10:22
If I were to have a fire twice a year, I'd lose $300,000 a year.
10:28
But I'm likely only to have a fire once every 10 years, once every 50 years, once every 20 years. So whatever
10:35
that value is, that's referred to as the annual rate of occurrence. That's the probability of a risk happening.
10:43
Okay, so
10:46
if you look at how much money you lose every time the event materializes, the single loss,
10:54
you look at how often the risk materializes, that's gonna tell you your annual value.
11:01
Every time a hard drive fails, it costs the organization $3000 through replacement, lost productivity and man hours. Okay, so every time the hard drive fails, it costs me $3000. The hard drive fails three times a year. What's my annual loss expectancy? 9000 bucks.
11:20
So if I'm losing $9000 every single year,
11:26
would I spend $5000 to mitigate that?
11:30
Yeah, probably so,
11:31
right. So this is the basis of determining what our mitigation strategy is gonna be.
11:39
Okay. Now, when we look at the cost of control, again, the premise here is I'm not gonna spend more protecting an asset than the asset's worth.
11:48
We have to consider, when we're evaluating controls, things like total cost of ownership.
11:54
Because when we think about total cost of ownership, there may be controls we can implement that are fairly cheap up front, but there may be ongoing maintenance.
12:03
Right? Um,
12:05
I don't know if any of you guys had the inkjet printers, and, man, great deal. Here's an inkjet printer for $39.95. Well, that's great. You take it home, you print 20 times, and then what happens? Your cartridge is just out of ink. You go to the store. I remember the first time
12:22
I went to buy a replacement cartridge for my inkjet printer. I was like,
12:24
um
12:26
what?
12:28
This is almost as much. I might as well just buy a new printer every time I'm out of ink, right? So even though it may have a very cheap up-front cost, it has a very high total cost of ownership. We have to examine those pieces, and ultimately, what am I looking for? I'm looking to implement a control
12:46
that has a positive return on investment.
12:48
I'm looking for a control
12:52
That mitigates the risk to my business to a degree that's acceptable by senior management. Okay, don't get so caught up in these terms and these formulas step back and just think about what they mean, right? Single loss.
13:07
$3000.
13:09
Actually, I think about the risk of losing my money to my nephew. My nephew is adorable. He's lovely. He's as cute as can be.
13:22
Every time I see him, I lose half the contents of my wallet.
13:26
Okay?
13:26
I usually have about 100 bucks in my wallet. Every time I see Patrick, God love him, it costs me 50 bucks, right? An asset value of $100. I lose 50% of it every time he shows up: a single loss expectancy of 50 bucks. Now, that's not such a big deal if I only see Patrick every,
13:46
you know,
13:48
four or five months. But, man, if this money-grubbing kid is coming to see me four times a week, well, all of a sudden we've got a problem, right? So what it really comes down to: single loss is important, yes. But how much is it costing me, big picture? Annual loss gives me a lot of information, and often
14:07
I look at my cost of mitigation
14:09
up against annual loss.
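The SLE, ALE and cost-of-control arithmetic from the lecture above, worked through in code as an added example (this is not part of the course transcript). The figures reuse the lecture's warehouse and hard-drive numbers; the two candidate controls, their residual ARO and the "bargain printer" maintenance cost are constructed for illustration.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: what one occurrence of the risk event costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset lost, 0..1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the same loss spread out on a yearly basis."""
    return sle * aro


@dataclass
class Control:
    name: str
    upfront_cost: float        # purchase / implementation (the cheap printer)
    annual_maintenance: float  # the ongoing cost (the ink cartridges)
    lifetime_years: int        # how many years the up-front cost is spread over
    residual_aro: float        # constructed: ARO once the control is in place

    def annual_tco(self) -> float:
        """Total cost of ownership expressed per year, so it compares to ALE."""
        return self.upfront_cost / self.lifetime_years + self.annual_maintenance


def control_annual_value(sle: float, aro_before: float, control: Control) -> float:
    """(ALE before - ALE after) minus the control's yearly TCO.
    Positive means a positive return on investment: the control saves more per
    year than it costs. Negative means we are spending more than the asset's
    exposure is worth, which is the inkjet-printer trap from the lecture."""
    ale_before = annual_loss_expectancy(sle, aro_before)
    ale_after = annual_loss_expectancy(sle, control.residual_aro)
    return (ale_before - ale_after) - control.annual_tco()


if __name__ == "__main__":
    # Lecture example 1: $300,000 warehouse, fire destroys 50%, once in 10 years.
    fire_sle = single_loss_expectancy(300_000, 0.5)        # 150,000
    print("fire ALE:", annual_loss_expectancy(fire_sle, 1 / 10))  # 15,000
    # Lecture example 2: hard drive, $3000 per failure, three failures a year.
    hdd_sle, hdd_aro = 3_000, 3                            # ALE 9,000
    spares = Control("spare drives + backups", 5_000, 0, 1, 0.5)
    bargain = Control("cheap tool, pricey subscription", 1_000, 9_000, 5, 0.0)
    for c in (spares, bargain):
        print(f"{c.name}: yearly value {control_annual_value(hdd_sle, hdd_aro, c):,.0f}")
```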

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor