[Instructor] When we're able to gather quantitative data about our assets and risks, we can use that information to make data-informed decisions about risk. The process of using numeric data to assist in risk decisions is known as quantitative risk assessment. Security professionals performing quantitative risk assessment do so for a single risk/asset pairing. For example, they might conduct an assessment based upon the risk of flooding to a data center facility. As they conduct this assessment, they must first determine the values for several variables.

The first of these variables is the asset value, or AV. This is, quite simply, the estimated value in dollars of the asset. Risk assessors determining an asset's value have several options at their disposal. The original cost technique simply looks at invoices from an asset purchase and uses the purchase prices to determine the asset value.
This is the easiest technique to perform because it simply requires looking at invoices; however, it is often criticized because the cost to actually replace an asset may be significantly higher or lower if asset prices have changed since purchase.

The depreciated cost technique is an accounting favorite. It begins with the original cost and then reduces the value of an asset over time as it ages. The depreciation technique uses an estimate of the asset's useful life and then gradually decreases the asset value until it reaches zero at the end of its projected lifespan.

The replacement cost technique is the most popular among risk managers because it produces results that most closely approximate the actual costs that an organization will incur if a risk materializes. The replacement cost technique goes out and looks at current supplier prices to determine the actual cost of replacing an asset in the current market and then uses that cost as the asset's value. We might use this technique to value a data center at $20 million because that is the amount of money that would be required to rebuild it after a disaster.
The second variable that we must consider is the exposure factor, or EF. The exposure factor is based upon the specific risk considered in the analysis and it estimates the percentage of that asset that will be damaged if a risk materializes. For example, if we expect a flood might damage 50% of our data center, we'd set the exposure factor for that flood to 50%.

The next quantitative risk assessment variable is the single-loss expectancy, or SLE. This is the actual damage we expect to occur if a risk materializes once. We compute the SLE by multiplying the asset value by the exposure factor. So, if we have a data center valued at $20 million and expect that a flood would cause 50% damage to the facility, we compute our SLE by multiplying these two numbers together and finding that a single flood would cause $10 million in damage. That's the impact of the risk.

The SLE only gives us an idea of impact. As you know, risk assessment must also consider the likelihood of a risk. That's where the annualized rate of occurrence, or ARO, comes into play.
The ARO is the number of times each year that we expect a risk to occur. In the case of a flood, we might consult FEMA Flood Maps and determine that there is a 1% annual risk of flood in the vicinity of our data center. That's the same as saying that we expect 0.01 floods to occur each year, so our ARO is 0.01.

Finally, a risk analysis should incorporate both of these likelihood and impact values. We do this by computing the annualized loss expectancy, or ALE. This is the amount of money we expect to lose each year from that risk and it's a good measure of the overall risk to the organization. We compute the ALE by multiplying the single-loss expectancy and the annualized rate of occurrence together. In the case of flood risk to our data center, the SLE was $10 million and the ARO was 0.01. Multiplying these together, we get an annualized loss expectancy of $100,000. This means that we should expect to lose $100,000 each year from the risk of flooding to our data center. It is important to remember that in reality, this cost won't occur each year.
What will really have happened is $10 million in damage each time a flood occurs, but since we expect that to happen only once every 100 years, it averages out to $100,000 a year. That's how you perform a quantitative risk analysis. You should definitely memorize these formulas and be prepared to compute them on the exam if given a scenario.

Quantitative techniques also help us assess our ability to restore IT services and components quickly in the event of a failure. We do this by looking at several time values. The values we use depend upon whether an asset is repairable or non-repairable. That is, whether we can fix it or whether it needs to be replaced. For non-repairable assets, those that we cannot fix, our most important metric is the mean time to failure, or MTTF. This is the amount of time that we expect will pass before an asset fails. When using mean values, it's important to remember that these are averages. Half of the assets of this type will fail before the MTTF and half will last longer than the average value.
Mean values are useful for planning purposes, but you shouldn't completely depend upon them. If an asset is repairable, we look at two different values. The first is the mean time between failures, or MTBF. This is quite similar to the MTTF. It's simply the average amount of time that passes between failures of a repairable asset. The second value we track for repairable assets is the mean time to repair, or MTTR. This is the amount of time that an asset will be out of service for repair each time that it fails. When we look at the MTTF and MTTR values together, we can get a good idea of the expected downtime for an IT service or a component.
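As an added worked example that is not part of the transcript or the course it comes from, the Python below carries the video's flood figures (AV $20 million, EF 50%, ARO 0.01) through SLE and ALE, generalizes the same arithmetic to a small constructed risk register ranked by ALE, and turns MTBF and MTTR for a repairable asset into an availability figure and expected annual downtime. The register entries other than the flood pair, the MTBF/MTTR values, and the hours-per-year constant are constructed assumptions; the downtime calculation assumes each failure/repair cycle lasts MTBF + MTTR hours, and the MTTF helper assumes a constant average failure rate.

```python
from dataclasses import dataclass

# Assumption: a non-leap year; adjust if your planning horizon differs.
HOURS_PER_YEAR = 24 * 365


@dataclass(frozen=True)
class RiskAssetPair:
    """One risk/asset pairing, the unit at which quantitative assessment is done."""
    asset: str
    risk: str
    asset_value: float      # AV in dollars, e.g. from the replacement cost technique
    exposure_factor: float  # EF: fraction of the asset damaged per occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the dollar impact of one occurrence of the risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected loss per year, averaged over many years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def ale_for_pair(pair: RiskAssetPair) -> float:
    """Convenience wrapper: AV and EF give SLE, SLE and ARO give ALE."""
    sle = single_loss_expectancy(pair.asset_value, pair.exposure_factor)
    return annualized_loss_expectancy(sle, pair.aro)


def rank_by_ale(pairs: list[RiskAssetPair]) -> list[tuple[str, str, float]]:
    """Order risk/asset pairs by ALE, largest first, so the biggest expected
    annual loss sits at the top of the register."""
    scored = [(p.asset, p.risk, ale_for_pair(p)) for p in pairs]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def expected_failures_per_year(mttf_hours: float) -> float:
    """Non-repairable assets: with MTTF as the average lifetime and a constant
    average failure rate (assumption), replacements per year is hours / MTTF."""
    if mttf_hours <= 0:
        raise ValueError("MTTF must be positive")
    return HOURS_PER_YEAR / mttf_hours


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Repairable assets: fraction of time in service, MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_annual_downtime_hours(mtbf_hours: float, mttr_hours: float) -> float:
    """Expected hours out of service per year: each cycle lasts MTBF + MTTR hours
    and MTTR of it is downtime, so downtime = hours_per_year * (1 - availability)."""
    return HOURS_PER_YEAR * (1.0 - availability(mtbf_hours, mttr_hours))


# Constructed sample register. The flood pair uses the figures from the video;
# the other two pairs are made-up values for illustration only.
SAMPLE_REGISTER = [
    RiskAssetPair("data center", "flood", 20_000_000, 0.5, 0.01),
    RiskAssetPair("data center", "fire", 20_000_000, 0.8, 0.002),
    RiskAssetPair("storage array", "disk failure", 500_000, 0.2, 2.0),
]

if __name__ == "__main__":
    for asset, risk, ale in rank_by_ale(SAMPLE_REGISTER):
        print(f"{asset:14s} {risk:13s} ALE = ${ale:,.2f}")
    # Constructed figures: MTBF 1000 h, MTTR 10 h for a repairable component.
    print(f"availability = {availability(1000, 10):.4%}")
    print(f"expected downtime = {expected_annual_downtime_hours(1000, 10):.1f} h/yr")
```

The flood pair reproduces the video's numbers (SLE $10,000,000, ALE $100,000), and ranking by ALE shows why a frequent, cheap failure can outrank a rare, catastrophic one on expected annual loss. The downtime figure uses the full MTBF + MTTR cycle; the cruder hours-per-year / MTBF × MTTR estimate gives nearly the same answer when MTBF is much larger than MTTR, which is the usual case.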