Security Qualitative Risk Assessment
Dr. Nada Hany Sherief
Agenda
• Quantitative Risk Assessment
• Qualitative Risk Assessment
• Qualitative Risk Assessment Procedure
• Case Study: Qualitative Risk Assessment for an E-commerce Business
Quantitative vs. Qualitative Risk Assessment
Qualitative Risk Assessment
• Definition: A subjective method that relies on expert
judgment and opinion to assess risks.
• Characteristics:
• Faster and less expensive to conduct.
• More flexible and adaptable to changing circumstances.
• Can be challenging to quantify risks accurately.
• May be influenced by personal biases.
Quantitative Risk Assessment
• Definition: A numerical method that assigns specific
values to risks based on their likelihood and impact.
• Characteristics:
• Provides more precise and objective results.
• Can be more time-consuming and expensive to conduct.
• Requires accurate data and assumptions.
• May be difficult to assign numerical values to intangible risks.
Quantitative Risk Assessment Procedure
Step #1: Identify Asset Value
• The first step is to inventory all of your tangible and intangible assets.
• Then assign a value to each asset.
• The value of an easily replaceable asset, such as a file cabinet, may be low, while the data stored in that file cabinet may cost far more to replace. Value the data, not just the container that holds it.
Step #2: Calculate the Exposure Factor
• The exposure factor, or EF, can be subjective, and it is expressed as the percentage of the asset's value lost in a single incident.
• For example, your publicly exposed server was taken down by a denial-of-service attack. What percentage of its value, or of the operations it supports, did you lose?
• That percentage is the exposure factor.
• The exposure factor is assessed per asset, for a single realized threat, and it will generally be low for a replaceable asset.
Step #3: Calculate the Single Loss Expectancy
• Single loss expectancy, or SLE, is calculated by multiplying the asset value by that asset's exposure factor: SLE = AV x EF.
• SLE helps you prioritize your assets.
• It answers the question: how much money will we lose each time a specific threat is realized against a specific asset?
Step #4: Identify the Annualized Rate of Occurrence
• Here we estimate how often a specific threat against a specific asset is expected to materialize in a year.
• For example, if your data center is in Florida, how often is a hurricane likely?
• Would moving the data center to Kansas City lower the hurricane risk while increasing another risk?
• For example, if hurricanes impact your data center five times a year, your ARO (annualized rate of occurrence) is five. The ARO may also be fractional: a threat expected once every ten years has an ARO of 0.1.
Step #5: Calculate the Annualized Loss Expectancy
• This tells us, on an annual basis, how much loss we can expect for a specific asset from a specific threat.
• It is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO): ALE = SLE x ARO.
• The ALE (annualized loss expectancy) helps us prioritize security and contingency efforts.
• We now know both how much we lose per incident and how often the incident is expected per year, so different threats and assets can be compared in the same units: money per year.
Step #6: Cost-Benefit Analysis of Countermeasures
• Begin this step by calculating how much each safeguard or countermeasure will cost per year.
• This could be: how much will an antivirus solution cost? How much will it cost for us to have an in-house security team?
• Then subtract that annual cost from the reduction in annualized loss expectancy the countermeasure delivers (the ALE before the countermeasure minus the ALE after it).
• If the result of the calculation is negative, it is not financially reasonable for us to implement the countermeasure.
• A positive result is how much the organization can expect to save per year by implementing the countermeasure to prevent a specific threat from affecting a specific asset.
Example 1
• Step #1: Identify Asset Value (what is the asset worth?)
• Imagine a web server has an asset value of $200,000.
• Step #2: Calculate the Exposure Factor (how much of the asset is lost?)
• If a specific threat is realized against this web server, say a denial-of-service attack or a malicious admin, we lose about 10 percent of its value.
• That loss of value to a specific threat is the exposure factor.
• Step #3: Calculate the Single Loss Expectancy (how much money do we lose?)
• Each time a single threat is realized against our web server, we lose about $20,000.
• That is the $200,000 asset value multiplied by the 10 percent exposure factor.
Example 1 Cont'd
• Step #4: Identify the Annualized Rate of Occurrence (how many times per year does it happen?)
• Now let's imagine that this threat is realized once a year.
• Maybe an attack on your website on your busiest business day.
• The ARO, or annualized rate of occurrence, is one.
• Step #5: Calculate the Annualized Loss Expectancy
• The annualized loss expectancy is the product of your SLE ($20,000) and your ARO (1), which comes to $20,000 per year.
• This is the value you expect to lose each year.
Example 1 Cont'd
• Step #6: Cost-Benefit Analysis of Countermeasures
• We calculate how much it will cost us to implement a countermeasure for this specific threat against this specific asset.
• Our pre-countermeasure annualized loss expectancy (ALE) is $20,000.
• With the countermeasure in place, the ALE drops to $10,000: instead of losing $20,000 per year, we lose about $10,000.
• Imagine the annual cost of that countermeasure is $5,000.
• The ALE reduction is $20,000 - $10,000 = $10,000; subtracting the $5,000 cost leaves $5,000, a positive number.
• The benefit of this countermeasure is therefore about $5,000 per year in savings, if the threat against this asset materializes as expected.
• Even if the value were negative, we would still have gained an understanding of the risks that exist for our organization.
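The six quantitative steps above, carried through in code as an added example that is not part of the original slides. The web-server numbers are the slides' own ($200,000 asset value, 10 percent exposure factor, ARO of 1, ALE halved by a $5,000 countermeasure); the slides do not say how the countermeasure halves the ALE, so the example assumes it halves the exposure factor. The second scenario (a customer database with a more expensive control) is constructed for this example to show the negative case, and the example generalizes the slides' single case to ranking several candidate controls at once.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One (asset, threat) pair with the three quantitative inputs of Steps 1, 2 and 4."""
    asset: str
    threat: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year (may be fractional)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Step 3: single loss expectancy, SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 5: annualized loss expectancy, ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A safeguard, its annual cost, and the residual scenario it leaves behind
    (same asset and threat, but a reduced EF and/or ARO)."""
    name: str
    annual_cost: float
    residual: RiskScenario


def countermeasure_value(before: RiskScenario, cm: Countermeasure) -> float:
    """Step 6: (ALE before - ALE after) - annual cost of the safeguard.
    Positive = expected yearly saving; negative = the control costs more
    than the loss it prevents."""
    return before.ale() - cm.residual.ale() - cm.annual_cost


def rank_countermeasures(
    candidates: list[tuple[RiskScenario, Countermeasure]],
) -> list[tuple[str, float, bool]]:
    """Return (name, annual value, financially justified?) sorted best first."""
    scored = [(cm.name, countermeasure_value(before, cm)) for before, cm in candidates]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, value, value > 0) for name, value in scored]


# Scenario from the slides' Example 1: $200,000 web server, EF 10%, ARO 1.
WEB_SERVER = RiskScenario("web server", "denial of service", 200_000, 0.10, 1.0)
# Assumption: the countermeasure halves the exposure factor, which halves the ALE
# from $20,000 to $10,000 as the slide states. Cost is $5,000/year as in the slide.
WEB_SERVER_CONTROL = Countermeasure(
    "DDoS mitigation for web server", 5_000,
    RiskScenario("web server", "denial of service", 200_000, 0.05, 1.0),
)

# Constructed second scenario (not from the slides): a $500,000 customer database,
# EF 40%, breached once every five years (ARO 0.2). The candidate control cuts the
# ARO to 0.05 but costs $50,000/year, which is more than the loss it prevents.
CUSTOMER_DB = RiskScenario("customer database", "data breach", 500_000, 0.40, 0.2)
CUSTOMER_DB_CONTROL = Countermeasure(
    "database monitoring and encryption", 50_000,
    RiskScenario("customer database", "data breach", 500_000, 0.40, 0.05),
)

CANDIDATES = [(WEB_SERVER, WEB_SERVER_CONTROL), (CUSTOMER_DB, CUSTOMER_DB_CONTROL)]

if __name__ == "__main__":
    for before, cm in CANDIDATES:
        print(f"{before.asset}/{before.threat}: SLE=${before.sle():,.0f} ALE=${before.ale():,.0f}")
    for name, value, justified in rank_countermeasures(CANDIDATES):
        verdict = "implement" if justified else "not financially justified"
        print(f"{name}: ${value:,.0f}/year -> {verdict}")
```

Running the script prints the web-server SLE and ALE of $20,000 and ranks the DDoS mitigation (+$5,000/year) above the database control (-$20,000/year); only the first passes the Step #6 test.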
Qualitative Risk Assessment Procedure
Qualitative Risk Assessment
• A method used to identify, analyze, and prioritize risks
based on subjective judgment and expert opinion.
• It's a valuable tool for understanding and managing risks,
especially when quantitative data is limited or
unavailable.
Step 1: Identify Risks
• Brainstorming: Encourage team members to brainstorm
potential risks, such as cyberattacks, natural disasters,
human error, and operational failures.
• Risk workshops: Conduct workshops to facilitate
discussion and identification of risks.
• Risk checklists: Use pre-defined checklists to
systematically identify potential risks.
Types of Threats (1)
• Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy much more than a hacker can. You can lose not only data, but the servers and appliances as well. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don't put your server room on the first floor if your area has a high risk of floods.
• System failure. The likelihood of system failure depends on the quality of your computer equipment. For relatively new, high-quality equipment, the chance of system failure is low. But if the equipment is old or from a "no-name" vendor, the chance of failure is much higher. Therefore, it's wise to buy high-quality equipment, or at least equipment with good support.
Types of Threats (2)
• Accidental human interference. This threat is always high, no matter what business you are in. Anyone can make mistakes such as accidentally deleting important files, clicking on malware links, or accidentally physically damaging a piece of equipment. Therefore, you should regularly back up your data, including system settings, access control lists (ACLs) and other configuration information, and carefully track all changes to critical systems.
• Malicious humans. There are three types of malicious behavior:
• Interference is when somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDoS) attack against your website, physically stealing a computer or server, and so on.
• Interception is classic hacking, where they steal your data.
• Impersonation is misuse of someone else's credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.
Step 2: Assess Risk Likelihood
• Likelihood Scale: Assign a qualitative rating to the
likelihood of each risk occurring, such as:
• High: Very likely to occur
• Medium: Likely to occur
• Low: Unlikely to occur
• Expert Judgment: Rely on the experience and
knowledge of experts to assess the likelihood of risks.
Step 3: Assess Risk Impact
• Impact Scale: Assign a qualitative rating to the potential
impact of each risk, such as:
• High: Significant impact on business operations, financial
performance, or reputation
• Medium: Moderate impact
• Low: Minimal impact
Step 4: Prioritize Risks
• Risk Matrix: Combine the likelihood and impact ratings
to create a risk matrix.
• Risk Ranking: Prioritize risks based on their position in
the risk matrix. Higher-priority risks should be addressed
first.
Risk Matrix
Step 5: Develop Risk Mitigation Strategies
• Risk Mitigation Techniques:
• Risk Avoidance: Eliminate the risk entirely by avoiding the activity or
process that could lead to the risk.
• Risk Reduction: Implement controls to reduce the likelihood or
impact of the risk.
• Risk Transfer: Transfer the risk to a third party, such as through
insurance or outsourcing.
• Risk Acceptance: Accept the risk and monitor it closely.
Analyze Controls
• Controls can be implemented through:
• Technical means: such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems.
• Nontechnical controls: security policies, administrative actions, and physical and environmental mechanisms.
• Both technical and nontechnical controls can further be classified as preventive or detective controls.
• As the name implies, preventive controls attempt to anticipate and stop attacks. Examples of preventive technical controls are encryption and authentication devices.
• Detective controls are used to discover attacks or events after the fact, through such means as audit trails and intrusion detection systems.
Types of Security Controls
Step 6: Monitor and Review
• Regular Review: Regularly review and update the risk
assessment to account for changes in the organization's
environment and emerging threats.
• Risk Monitoring: Monitor the effectiveness of risk
mitigation strategies and identify new risks that may
arise.
Case Study: Qualitative Risk Assessment for an E-commerce Business
Scenario:
• A small e-commerce business is conducting a
qualitative risk assessment to identify and prioritize
potential threats to their online operations.
Step 1: Identify Risks
Assets include:
• Servers
• Website
• Client contact information
• Sensitive partner documents
• Trade secrets
• Customer credit card data
• You need to work with business users and management to create a list of all valuable assets.
Step 1: Identify Risks (cont'd)
The identified threats include:
• System Failure due to Overheating: The risk of server failure due
to outdated air conditioning systems.
• Malicious Human Interference (DDoS Attack): The risk of a denial-
of-service attack that could disrupt website availability.
• Natural Disasters (Flooding): The risk of flooding damaging the
server room.
• Accidental Human Interference (File Deletion): The risk of
accidental deletion of critical files.
Step 1: Identify Risks (cont'd)
• Risk 1: System Failure due to Overheating
• Vulnerabilities:
• Aging or malfunctioning air conditioning units
• Poor server room ventilation
• Lack of temperature monitoring and control systems
• Risk 2: Malicious Human Interference (DDoS Attack)
• Vulnerabilities:
• Weak network security configuration
• Lack of intrusion detection and prevention systems
Step 1: Identify Risks (cont'd)
• Risk 3: Accidental Human Interference (File Deletion)
• Vulnerabilities:
• Insufficient user access controls
• Lack of data backup and recovery procedures
• Human error or negligence
• Risk 4: Natural Disasters (Flooding)
• Vulnerabilities:
• Server room located in a flood-prone area
• Inadequate flood protection measures (e.g., flood barriers, water sensors)
Step 2 and 3: Assess Risk Likelihood and Impact
• System Failure due to Overheating: High likelihood and high
impact.
• Malicious Human Interference (DDoS Attack): Medium likelihood
and high impact.
• Accidental Human Interference (File Deletion): Medium likelihood
and low impact.
• Natural Disasters (Flooding): Low likelihood and high impact.
Step 4: Prioritize Risks
Rows are likelihood, columns are impact:

Likelihood \ Impact | Low                                           | Medium | High
Low                 |                                               |        | Natural Disasters (Flooding)
Medium              | Accidental Human Interference (File Deletion) |        | Malicious Human Interference (DDoS Attack)
High                |                                               |        | System Failure due to Overheating
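Steps 2 to 4 of the qualitative procedure (rating likelihood and impact, placing each risk in the matrix, and ranking) applied to the four case-study risks, as an added example that is not part of the original slides. The ordinal scores (Low = 1, Medium = 2, High = 3, combined by multiplication) and the tie-break rule that puts higher impact first when two risks score the same are assumptions of this example; the slides only say that higher-priority risks should be addressed first. The ratings are the ones from the "Step 2 and 3" slide, and the vulnerability lists are abbreviated from the Step 1 slides.

```python
from __future__ import annotations

from dataclasses import dataclass

# Ordinal values for the qualitative scales of Steps 2 and 3 (assumed mapping).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"
    vulnerabilities: tuple[str, ...] = ()

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo cannot silently
        # drop a risk out of the matrix.
        for rating in (self.likelihood, self.impact):
            if rating not in LEVELS:
                raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(LEVELS)}")


def risk_score(likelihood: str, impact: str) -> int:
    """Combine the two ratings into a single ordinal score (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def rank_risks(risks: list[QualitativeRisk]) -> list[QualitativeRisk]:
    """Step 4: highest score first. Ties are broken by impact, so a
    low-likelihood/high-impact risk outranks a high-likelihood/low-impact
    one with the same product (an assumption of this example)."""
    return sorted(
        risks,
        key=lambda r: (risk_score(r.likelihood, r.impact), LEVELS[r.impact]),
        reverse=True,
    )


def build_matrix(risks: list[QualitativeRisk]) -> dict[tuple[str, str], list[str]]:
    """Place each risk in its (likelihood, impact) cell of the risk matrix."""
    grid: dict[tuple[str, str], list[str]] = {(l, i): [] for l in LEVELS for i in LEVELS}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid


def render_matrix(risks: list[QualitativeRisk]) -> str:
    """Text rendering of the matrix: rows are likelihood, columns are impact."""
    grid = build_matrix(risks)
    cols = list(LEVELS)
    header = "likelihood \\ impact"
    lines = [f"{header:<19} | " + " | ".join(f"{c:<44}" for c in cols)]
    for l in cols:
        cells = [", ".join(grid[(l, i)]) for i in cols]
        lines.append(f"{l:<19} | " + " | ".join(f"{c:<44}" for c in cells))
    return "\n".join(lines)


# The four risks of the case study, with the ratings from the "Step 2 and 3" slide.
CASE_STUDY_RISKS = [
    QualitativeRisk("System Failure due to Overheating", "high", "high",
                    ("aging air conditioning", "poor ventilation", "no temperature monitoring")),
    QualitativeRisk("Malicious Human Interference (DDoS Attack)", "medium", "high",
                    ("weak network security configuration", "no IDS/IPS")),
    QualitativeRisk("Accidental Human Interference (File Deletion)", "medium", "low",
                    ("insufficient access controls", "no backup and recovery procedures")),
    QualitativeRisk("Natural Disasters (Flooding)", "low", "high",
                    ("server room in a flood-prone area", "no flood barriers or water sensors")),
]

if __name__ == "__main__":
    print(render_matrix(CASE_STUDY_RISKS))
    for rank, r in enumerate(rank_risks(CASE_STUDY_RISKS), start=1):
        score = risk_score(r.likelihood, r.impact)
        print(f"{rank}. {r.name} (likelihood={r.likelihood}, impact={r.impact}, score={score})")
```

The ranking that comes out (overheating, then DDoS, then flooding, then file deletion) matches the matrix above; the tie-break only matters for cells the case study does not populate, such as a high-likelihood/low-impact risk versus a low-likelihood/high-impact one.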
Step 5: Develop Risk Mitigation Strategies
Questions?
Thank you ☺