Let's discuss quantitative risk analysis, because it is key to identifying how damaging the realization of a threat may be. At this point we understand what a risk is and why it's important to know your risk. In this module, we will quantify that understanding. There are six steps to this numbers game. The first step is to inventory all of your tangible and intangible assets. Then you assign a value to each asset. The value of an easily replaceable asset, for example a file cabinet, may be quite low, but the data stored in that file cabinet may cost a lot more to replace, so the asset value has to include it. Next, we go into the calculation of the exposure factor. For this, we need to research all the possible threats to each of your assets. This will help you identify how exposed an asset may be. The exposure factor, or EF, can be subjective, and it's notated as a percentage of loss. That loss is to a specific asset if a specific threat is realized. For example, your publicly exposed server was taken down by a denial-of-service attack. What percentage of its value or operations did you lose? That percentage is the exposure factor. Exposure factor looks at each individual asset for a single realized threat, and it generally will be low for a replaceable asset. In the third step, we calculate your single loss expectancy for an asset. This is per threat to that asset. Single loss expectancy, or SLE, is calculated by multiplying your asset value by that asset's exposure factor for that threat. SLE will help you better prioritize your assets, and it will be used in later parts of the exercise. In layperson's terms, we're identifying how much money we will lose each time a specific threat is realized against a specific asset. In the fourth step, we identify how often a specific threat against a specific asset is expected to occur in a year. For example, if your data center is in Florida, how often will a hurricane be a possibility? Will this change if you moved your data center to New York? 
Will this also change if you move your data center to Utah? Would moving the data center to Kansas City result in lower risk from hurricanes and increase another risk? For example, if a hurricane impacts your data center five times a year, your ARO, annualized rate of occurrence, is five. The ARO does not have to be a whole number: a threat you expect once every ten years has an ARO of 0.1. Different sources or subject matter experts can help you come up with this value. For example, the US Geological Survey publishes probabilities of natural disasters for different locations. Check out their website, it's pretty cool. Here in the fifth step, we calculate the annualized loss expectancy, or ALE. This will help us understand, on an annual basis, how much of a loss we can expect for a specific asset. This value is the product of the single loss expectancy, SLE, and the annualized rate of occurrence, ARO. The ALE, annualized loss expectancy, helps us with the prioritization of security and contingency efforts, because now we know how much we expect to lose on an asset on an annualized basis: the loss from one occurrence times how often the threat occurs per year. In the final stage of the quantitative risk assessment, we'll conduct the cost-benefit analysis for any countermeasures we put into place. For example, would making an e-commerce website only available to internal users reduce the revenue so much that it's no longer beneficial to be in the e-commerce business? You begin this step by calculating how much each safeguard or countermeasure will cost per year. This could be, how much will an antivirus solution cost? How much will it cost for us to have an in-house security team? Then you subtract this annual cost from the reduction in annualized loss expectancy that the countermeasure buys you, that is, the ALE before the countermeasure minus the ALE after it. If the result of the calculation is negative, then it is not financially reasonable for us to implement the countermeasure. On the other hand, a positive result is how much the organization can expect to save per year by implementing that countermeasure to prevent a specific threat from affecting a specific asset. 
Let's put it all together and go through an example of all of this data and all of these calculations we've talked about. Imagine a web server has an asset value of $200,000. If we were to have a specific threat realized against this web server, let's say a denial-of-service attack or a malicious admin, we'll lose about 10 percent of its value. That loss of value to a specific threat is the exposure factor. Each time that threat is realized against our web server, we'll lose about $20,000. That is the $200,000 asset value multiplied by the 10 percent exposure factor, our single loss expectancy. Now let's imagine that this threat is realized once a year, maybe an attack on your website on the busiest day of the business. The ARO, or annualized rate of occurrence, is one. The annualized loss expectancy is the product of your SLE, single loss expectancy, and your ARO, annualized rate of occurrence, which comes to $20,000 per year. This is the value you expect to lose per year. We understand that we can put in some countermeasures, such as employee security awareness or strong passwords, which can help us mitigate some of these threats. We calculate how much it will cost us to implement a countermeasure for this specific threat against this specific asset. Our pre-countermeasure annualized loss expectancy, or ALE, is $20,000. If we put the countermeasure in place, that will go down to $10,000. Instead of losing $20,000 per year, we'll lose about $10,000. Imagine the cost of that countermeasure is $5,000 per year. The $20,000 minus $10,000 is a $10,000 reduction in ALE; subtract the $5,000 cost of the countermeasure and we come back with $5,000 of benefit, a positive number. The benefit of this countermeasure will be about $5,000 per year in savings if the threat against this asset comes to fruition. In the end, it really is beneficial in this case for us to understand the risk and put the countermeasure in place. If the value had been negative, we would still have had the benefit of understanding the risks that exist for our organization.
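The six steps above, and the web server example, carried through in code as an added Python example (this is not code from the lecture or the course). It reproduces the lecture's figures for the web server (AV $200,000, EF 10 percent, ARO 1, a $5,000 countermeasure that halves the loss) and adds a second asset, threat and countermeasure with constructed figures (the $5,000,000 data center, the hurricane EF and ARO, and the $15,000 contract) purely to show the ranking step and a countermeasure that does not pay for itself. All names, values and function names are assumptions for illustration.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and countermeasure cost-benefit.
Added example; all figures below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset value (AV) in dollars, including hard-to-replace data


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost when this threat is realized once
    aro: float              # annualized rate of occurrence; may be fractional (0.1 = once a decade)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    ef_after: Optional[float] = None   # new EF if the control limits impact
    aro_after: Optional[float] = None  # new ARO if the control limits frequency


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: what one realization of the threat costs (rounded to cents)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be a fraction in [0, 1], got {exposure_factor}")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year (rounded to cents)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def ale_for(asset: Asset, threat: Threat) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(asset.value, threat.exposure_factor), threat.aro)


def risk_register(pairs):
    """Rank (asset, threat) pairs by ALE, highest first, for prioritization."""
    rows = [
        {"asset": a.name, "threat": t.name,
         "sle": single_loss_expectancy(a.value, t.exposure_factor),
         "ale": ale_for(a, t)}
        for a, t in pairs
    ]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def cost_benefit(asset: Asset, threat: Threat, cm: Countermeasure) -> dict:
    """Net annual value of a control = (ALE before - ALE after) - annual cost.
    A negative result means the control costs more than the loss it prevents."""
    before = ale_for(asset, threat)
    residual = Threat(
        threat.name,
        threat.exposure_factor if cm.ef_after is None else cm.ef_after,
        threat.aro if cm.aro_after is None else cm.aro_after,
    )
    after = ale_for(asset, residual)
    net = round(before - after - cm.annual_cost, 2)
    return {"countermeasure": cm.name, "ale_before": before, "ale_after": after,
            "annual_cost": cm.annual_cost, "net_benefit": net, "justified": net > 0}


# Constructed sample inventory (assumed values, not real figures).
WEB_SERVER = Asset("public web server", 200_000)
DATA_CENTER = Asset("Florida data center", 5_000_000)
DOS = Threat("denial-of-service on busiest day", exposure_factor=0.10, aro=1.0)
HURRICANE = Threat("hurricane", exposure_factor=0.40, aro=0.2)  # assumed: once in five years

# Halves the DoS impact for $5,000/yr, matching the lecture's worked example.
AWARENESS = Countermeasure("security awareness + strong passwords", 5_000, ef_after=0.05)
# Same impact reduction but too expensive to justify (assumed figure).
GOLD_PLATED = Countermeasure("managed DDoS scrubbing contract", 15_000, ef_after=0.05)


if __name__ == "__main__":
    for row in risk_register([(WEB_SERVER, DOS), (DATA_CENTER, HURRICANE)]):
        print(f"{row['asset']:22} {row['threat']:32} "
              f"SLE=${row['sle']:>12,.2f} ALE=${row['ale']:>12,.2f}")
    for cm in (AWARENESS, GOLD_PLATED):
        r = cost_benefit(WEB_SERVER, DOS, cm)
        verdict = "implement" if r["justified"] else "not worth it"
        print(f"{r['countermeasure']}: net ${r['net_benefit']:,.2f} -> {verdict}")
```

Two design choices worth noting: a countermeasure is modelled as changing the EF (it limits damage per event), the ARO (it makes events rarer), or both, because which one a control affects is exactly what the cost-benefit step asks you to justify; and every input is validated, since an EF entered as 10 instead of 0.10 silently inflates every downstream number by a factor of 100.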