CISSP certification: Quantitative Risk Analysis.

  • Quantitative Risk Analysis – We want exactly enough security for our needs.
    • We find the asset's value, how much of it one incident compromises, what one incident costs, how often it occurs, and what that adds up to per year.
    • Asset Value (AV) – How much is the asset worth?
    • Exposure factor (EF) – Percentage of Asset Value lost?
    • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
    • Annual Rate of Occurrence (ARO) – How often will this happen each year?
    • Annualized Loss Expectancy (ALE) – This is what it cost per year if we do nothing.
    • Total Cost of Ownership (TCO) – The mitigation cost: upfront plus ongoing (normally operational) costs.
  • Laptop – Theft/Loss (unencrypted).
    • The Laptop ($1,000) + PII ($9,000) per loss (AV).
    • It is a 100% loss; it is gone (EF)
    • Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE)
    • The organization loses 25 Laptops Per Year (ARO)
    • The annualized loss is $250,000 (ALE)
  • Data Center – Flooding
    • The Data Center is valued at $10,000,000 (AV)
    • If a flood happens, 15% of the DC is compromised (EF)
    • Loss per flood is $10,000,000 (AV) x 15% (EF) = $1,500,000 (SLE)
    • Flooding happens once every 4 years = 0.25 (ARO)
    • The annualized loss is $375,000 (ALE)
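As an added worked example (not part of the original course notes), the Python below encodes the formulas above, reproduces the laptop and data-center figures, and extends them with the standard cost/benefit check: ALE before the control minus ALE after it minus the control's yearly TCO. The encryption control, its 10% residual exposure and its $30,000 TCO are assumed values, not from the notes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair, using the CISSP quantitative terms."""
    name: str
    av: float   # Asset Value in dollars
    ef: float   # Exposure Factor: fraction of AV lost per incident (0.0 to 1.0)
    aro: float  # Annual Rate of Occurrence: incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (cost of one incident)."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (yearly cost if we do nothing)."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_tco: float) -> float:
    """Net yearly value of a control: ALE(before) - ALE(after) - TCO.

    Positive means the control saves more than it costs; negative means
    we are buying more security than the risk justifies.
    """
    return before.ale() - after.ale() - annual_tco


# The two scenarios from the notes, as constructed instances.
LAPTOP = Risk("Unencrypted laptop theft/loss", av=1_000 + 9_000, ef=1.0, aro=25)
DATA_CENTER = Risk("Data center flooding", av=10_000_000, ef=0.15, aro=1 / 4)

# Assumed mitigation: full-disk encryption removes the PII exposure, so only
# the $1,000 hardware (10% of the $10,000 AV) is lost per theft; ARO unchanged.
ENCRYPTED_LAPTOP = Risk("Encrypted laptop theft/loss", av=10_000, ef=0.10, aro=25)
ENCRYPTION_TCO = 30_000  # assumed yearly licence + operations cost (placeholder)

if __name__ == "__main__":
    for r in (LAPTOP, DATA_CENTER):
        print(f"{r.name}: SLE=${r.sle():,.0f}  ALE=${r.ale():,.0f}")
    net = control_value(LAPTOP, ENCRYPTED_LAPTOP, ENCRYPTION_TCO)
    print(f"Laptop encryption net value per year: ${net:,.0f}")
```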

Thor Pedersen

IT, information security, and project management trainer. Best-selling CISSP, CISM, and PMP instructor on Udemy. CISSP, CISM, C|EH, CDPSE, PMP, 2x CCNP, CompTIA Security+, SCP, 3x CCNA, et al.