We need to make sure that we have the proper protection profile for our assets, both tangible and intangible. How do we do that?

The answer is simple yet complex; we do proper risk assessments.
In this video, I cover how we use risk assessments at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam, you need the right point of view to pass the exam.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to look at our risk assessment.
We now have a very clear picture of all the assets that we have, we have identified the risks, and now we do our qualitative and quantitative risk analysis.
We do our risk register.
And then we probably also do an uncertainty analysis, because even with the quantitative risk analysis, everything that we do here is really just our best guesses. We guess if this happens, then this is how bad it’s going to be.
Even if we are great at what we do, we do not have a magic crystal ball where we can see all the right numbers, but our hard work and our due diligence and due care should give them a reasonably accurate picture of how bad the risks are and how much mitigation would cost. After we have done all that, we hand it off to senior management.
Now, what they do with that information is entirely up to them.
They can choose to act on our recommendations.
They can also choose not to.
So for any risk in our enterprise, we would choose a different risk strategy.
That could be mitigation: we put something in place that is going to minimize that risk to an acceptable level.
As always, everything here is done on a cost-benefit analysis, because this is something that senior management understands very well.
If we put in this countermeasure, that’s going to cost us $250,000, but it’s going to save us $1M every year, well, then that is pretty simple math.
And when I say we want to get the risk down to an acceptable level, that is where our risk appetite comes in.
With that mitigation, it is often not just one countermeasure.
There might be multiple things we need to do to get that risk down to an acceptable level.
After you put in a countermeasure, whatever risk is left over is the residual risk.
If that risk is still above our risk appetite, well, then we would do something else to either mitigate, transfer, accept, or avoid that risk, which then brings us to risk transference.
That is us transferring the risk to someone else.
Most often that would be through buying insurance, but it could also be by sharing the risk.
The insurance makes sense.
We pay them a certain amount of money and if something bad happens, they give us money back.
This sharing of risk could be us doing a project with someone else.
If we want to launch a new product and that comes with an inherent risk, then if we go in and we’re 50/50 partners with someone else, well then we only have half the risk.
Obviously, we also only have half the reward.
In most cases, like I said, risk transference is buying insurance.
As the next option, we have risk acceptance, we accept the risk is there.
We know it.
We have done our due diligence.
We have done our due care.
We know that this risk is going to cost us $250,000 a year, but the countermeasure to mitigate the risk is going to cost us one million. In this case, we’ll probably just live with it.
That would be risk acceptance or we could choose risk avoidance.
Here again, we have done our due diligence, we have done our due care, we have determined that it is not financially viable to mitigate the risk, to transfer it or to accept it.
Whatever it is we are doing, we’re just going to stop.
If we determine that our employees use laptops that cost us $1M in losses every year from lost laptops and lost data, but we don’t really need laptops because everybody is at their desk, well, then we can stop issuing laptops.
In most companies that would probably not work, but you get the idea, right?
We stop whatever is causing the risk.
And then finally, we have risk rejection.
This is never OK, ever.
This is us knowing that the risk is there, but we’re kind of just ignoring it. Never OK.
Our risk response should always be based on analysis and it should be one of the four other categories.
And now that is abundantly clear, let’s talk a little more about the assessment.
Normally when we start a risk assessment, we would go in and assess the current countermeasures, what is in place now, because very, very rarely do we start from a blank slate. We go in and we identify how good the current countermeasures are.
Are they good enough or do we need to improve them?
Maybe we need to implement entirely new countermeasures.
So let’s look at the actual risk analysis.
We briefly touched on these before: qualitative risk analysis is us sitting down and guessing how likely this is to happen and how bad it is when it does.
How exposed are we?
It is vague. It is guessing.
It is pretty quick to do.
And what we use this for is mostly to identify the areas where we want to do quantitative risk analysis.
Remember, qualitative risk analysis is about the quality of something: “that’s pretty good”, “that’s nice”.
It’s not a specific number.
It’s more your opinion, which then takes us to the quantitative risk analysis that is fact-based.
Before we look at some examples, let’s look at some other key terms that you need to know both for the certification and for your job.
Remember, Risk = Threat x Vulnerability, and a threat is a potentially harmful incident.
It is really anything that can cause damage to our organization, to our data, whereas the vulnerability is a weakness in our systems that can allow the threat to come to fruition.
A tsunami can be a threat.
But if our data center is in the mountains, well, then there’s no vulnerability and there is no risk for you.
It might be snow, or volcanic activity, or a pandemic, or whatever can harm your business in your area.
Sometimes for the calculation we had earlier with risk, we might also add impact.
In that case, it would be Risk = Threat x Vulnerability x Impact.
And the reason we would add that vector to our equation is there are also other factors we need to consider.
Let’s say we have two data centers right next to each other.
They are completely identical in hardware and software.
Everything is the same.
The threats and the vulnerabilities would also be the same then.
But one data center is manned and the other is unmanned.
Well, then the impact in this case to the data center would be much, much higher.
So adding that impact gives us a clearer picture and the fuller risk analysis.
Let’s finish these definitions and then in the next lecture we will look at some examples.
Total risk is the potential risk x vulnerability x the asset value.
And then finally, residual risk.
That is the total risk minus our countermeasures.
Now, just because we have mitigated something, that doesn’t mean we’re done.
If the residual risk is still too high, we keep going.
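The risk-response choices covered earlier (mitigate, transfer, accept, avoid, never reject) and the formulas just defined (Risk = Threat x Vulnerability x Impact, residual risk = total risk minus countermeasures, keep going while residual risk is above appetite) fit together as one decision procedure. The following Python is an added example, not code from the lecture or from thorteaches.com. It assumes a constructed model: threat and vulnerability are annual likelihoods between 0 and 1, asset value is the impact in dollars, each countermeasure removes a fixed fraction of whatever risk remains after the previous one, and all dollar figures are made up to mirror the lecture's $250,000-versus-$1M examples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four responses the lecture allows. "Reject" (ignoring a known risk) is deliberately absent.
VALID_RESPONSES = ("mitigate", "transfer", "accept", "avoid")

# Qualitative triage scale (opinion, not numbers): used only to decide which risks
# are worth the effort of a quantitative analysis.
QUALITATIVE_SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Quick, vague guess of likelihood x impact, rated low/medium/high."""
    score = QUALITATIVE_SCALE[likelihood.lower()] * QUALITATIVE_SCALE[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Countermeasure:
    name: str
    annual_cost: float      # what the control costs us per year
    risk_reduction: float   # fraction of the remaining risk it removes, 0.0..1.0 (assumed model)


@dataclass
class Risk:
    name: str
    threat: float           # likelihood the threat occurs in a year, 0.0..1.0
    vulnerability: float    # likelihood it succeeds against our weakness, 0.0..1.0
    asset_value: float      # dollars lost if it does (the impact / asset value term)

    def total_risk(self) -> float:
        """Total risk = threat x vulnerability x asset value, as expected annual loss in dollars."""
        return self.threat * self.vulnerability * self.asset_value


def residual_risk(total: float, controls: List[Countermeasure]) -> float:
    """Residual risk = total risk minus what the countermeasures remove.
    Each control is applied to what is left after the previous one (assumed model)."""
    remaining = total
    for c in controls:
        remaining -= remaining * c.risk_reduction
    return remaining


def choose_response(risk: Risk, candidates: List[Countermeasure], risk_appetite: float,
                    insurance_premium: Optional[float] = None,
                    can_avoid: bool = False) -> Tuple[str, List[Countermeasure], float]:
    """Pick one of the four valid responses on a cost-benefit basis.

    1. Mitigate: add each candidate only if it removes more annual loss than it costs,
       and only while residual risk is still above appetite (keep going until it is not).
    2. Transfer: if still above appetite and insurance is cheaper than the residual loss.
    3. Accept: if what is left is within appetite (including the case where the only
       countermeasure costs more than the risk itself).
    4. Avoid: if none of the above is viable and we can stop the activity.
    Returns (response, selected countermeasures, residual risk in dollars).
    """
    remaining = risk.total_risk()
    selected: List[Countermeasure] = []
    for c in candidates:
        if remaining <= risk_appetite:
            break
        removed = remaining * c.risk_reduction
        if c.annual_cost < removed:          # cost-benefit: only pay for controls that pay off
            selected.append(c)
            remaining -= removed
    if selected and remaining <= risk_appetite:
        return "mitigate", selected, remaining
    if remaining > risk_appetite and insurance_premium is not None and insurance_premium < remaining:
        return "transfer", selected, remaining
    if remaining <= risk_appetite:
        return "accept", selected, remaining
    if can_avoid:
        return "avoid", selected, remaining
    # Rejecting the risk is never an option; the decision goes back to senior management.
    raise ValueError(f"{risk.name}: no viable response within appetite, escalate to senior management")


def lecture_scenarios() -> dict:
    """Constructed scenarios mirroring the lecture's numbers; returns the chosen response per scenario."""
    laptops = Risk("lost laptops and data", threat=0.5, vulnerability=0.5, asset_value=4_000_000)  # $1M/yr
    encryption = Countermeasure("full-disk encryption", annual_cost=250_000, risk_reduction=0.75)
    small = Risk("minor outage", threat=0.25, vulnerability=0.5, asset_value=2_000_000)            # $250k/yr
    gold_plated = Countermeasure("redundant site", annual_cost=1_000_000, risk_reduction=1.0)
    return {
        "mitigate": choose_response(laptops, [encryption], risk_appetite=300_000)[0],
        "accept": choose_response(small, [gold_plated], risk_appetite=300_000)[0],
        "transfer": choose_response(laptops, [], risk_appetite=300_000, insurance_premium=200_000)[0],
        "avoid": choose_response(laptops, [], risk_appetite=300_000, can_avoid=True)[0],
    }


if __name__ == "__main__":
    for scenario, response in lecture_scenarios().items():
        print(f"{scenario}: {response}")
```

Note that the loop in `choose_response` is the "keep going" step from the lecture: it only stops adding countermeasures once residual risk is at or below appetite, and it skips any control that costs more than the loss it would remove, which is exactly why the $1M control against a $250,000 risk ends in acceptance rather than mitigation.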
And with that, we’re done with this lecture.
I will see you in the next one for the examples.