information security risk management

Onur YÜKSEKTEPELİ, Information Security Consultant
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli


Post on 29-May-2015


DESCRIPTION

Information Security Risk Management And Calculations.

TRANSCRIPT

Page 1: Information Security Risk Management

Onur YÜKSEKTEPELİ, Information Security Consultant
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli

Page 2: Information Security Risk Management

Risk Analysis and Management

Risk Management – Principles and Guidelines (ISO 31000:2009)

Page 3: Information Security Risk Management

Unique Terms and Definitions

Annualized Loss Expectancy – The cost of loss due to a risk over a year
Threat – A potentially negative occurrence
Vulnerability – A weakness in a system
Risk – A matched threat and vulnerability
Safeguard – A measure taken to reduce risk
Total Cost of Ownership – The cost of a safeguard
Return on Investment – Money saved by deploying a safeguard

Page 4: Information Security Risk Management

What is Risk?

Risk = Threat x Vulnerability

Page 5: Information Security Risk Management

Example: Earthquake Disaster Risk Index

San Francisco – Near the Pacific Ocean
Boston – Northeast

San Francisco Threat = 4
San Francisco Vulnerability = 2
San Francisco Risk = 4 x 2 = 8

Boston Threat = 2
Boston Vulnerability = 4
Boston Risk = 2 x 4 = 8

Rachel Davidson, Earthquake Disaster Risk Index
http://www.sciencedaily.com/releases/1997/08/970821233648.htm

Page 6: Information Security Risk Management

IMPACT

Severity of the Damage

Risk = Threat x Vulnerability x Impact

Empty Building Risk = 2 (threat) x 4 (vulnerability) x 2 (impact) = 16
Full Building Risk = 2 (threat) x 4 (vulnerability) x 5 (impact) = 40

Page 7: Information Security Risk Management

Risk Analysis Matrix

Page 8: Information Security Risk Management

Calculating Annualized Loss Expectancy

Page 9: Information Security Risk Management

Calculating Annualized Loss Expectancy

ALE = Annual cost of a loss due to a risk

Asset Value = Value of the asset you are trying to protect

Stolen Computer Example:
Hardware Cost = $2,500
Data Cost = $22,500

Asset Value = $25,000

Asset valuation approaches: Market Approach, Income Approach, Cost Approach

Page 10: Information Security Risk Management

Calculating Annualized Loss Expectancy

Exposure Factor (EF)
The percentage of an asset's value lost due to an incident.
Exposure Factor of Stolen Computer = 100%

Single Loss Expectancy (SLE)
The cost of a single loss.

SLE = Asset Value ($25,000) x Exposure Factor (100%) = $25,000

Annual Rate of Occurrence (ARO)
Number of losses you suffer per year.
ARO = 11

Annualized Loss Expectancy (ALE)
ALE = SLE ($25,000) x ARO (11) = $275,000

Page 11: Information Security Risk Management

Total Cost of Ownership

Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard.

Total Cost of Ownership must include:

• One-time capital expense
• Annual cost
• Staff hours
• Vendor maintenance fees
• Software subscriptions, etc.

Page 12: Information Security Risk Management

Total Cost of Ownership

1000 Laptops

Software = $100/laptop x 1000 = $100,000
Annual Support Fee = 10% annually = $10,000

4000 Staff Hours
$50/hour + $20/hour = $70/hour
$70/hour x 4000 = $280,000

3-Year Technology Refresh Cycle

Software Cost = $100,000
3 Years of Vendor Support = $10,000 x 3 = $30,000
Hourly Staff Cost = $280,000
TCO for 3 Years = $410,000
TCO per Year = $410,000 / 3 = $136,667/year

Page 13: Information Security Risk Management

Return on Investment

The amount of money saved by implementing a safeguard.

TCO < ALE – Positive ROI, good choice
TCO > ALE – Negative ROI, poor choice

TCO = $136,667
ALE = $275,000

After implementing encryption: Asset Value = $25000 - $22500 = 25000

Exposure Factor = 10%

$275,000 x 10% = $27,500

By making the investment you save:
Old ALE ($275,000) – New ALE ($27,500) = $247,500

Your ROI = $247,500 - $136,667 = $110,833
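The ALE, TCO and ROI steps from pages 9 to 13 chained into one calculator, as an added example that is not part of the deck; the class and function names are my own, and the laptop figures are the deck's numbers entered as constructed input.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    asset_value: float      # value of the asset being protected
    exposure_factor: float  # fraction of asset value lost per incident, 0.0..1.0
    aro: float              # Annual Rate of Occurrence (losses per year)

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    one_time_cost: float    # capital expense (e.g. software licences)
    annual_cost: float      # recurring fees (vendor support, subscriptions)
    staff_hours: float      # hours to deploy and operate over the lifetime
    hourly_rate: float      # fully loaded cost per staff hour
    lifetime_years: int     # technology refresh cycle the cost is spread over

    def tco(self) -> float:
        """Total Cost of Ownership over the whole refresh cycle."""
        return (self.one_time_cost
                + self.annual_cost * self.lifetime_years
                + self.staff_hours * self.hourly_rate)

    def annual_tco(self) -> float:
        """TCO amortized per year, so it can be compared with ALE."""
        return self.tco() / self.lifetime_years


def roi(before: RiskScenario, after: RiskScenario, safeguard: Safeguard) -> float:
    """Yearly ALE reduction from the safeguard, net of its yearly cost."""
    return (before.ale() - after.ale()) - safeguard.annual_tco()


def worth_investing(before: RiskScenario, after: RiskScenario, safeguard: Safeguard) -> bool:
    """Positive ROI means the safeguard saves more per year than it costs."""
    return roi(before, after, safeguard) > 0


# Constructed input: the deck's stolen-laptop example before and after full-disk encryption.
laptop_unencrypted = RiskScenario(asset_value=25_000, exposure_factor=1.00, aro=11)
laptop_encrypted = RiskScenario(asset_value=25_000, exposure_factor=0.10, aro=11)
encryption = Safeguard(one_time_cost=100_000, annual_cost=10_000,
                       staff_hours=4_000, hourly_rate=70, lifetime_years=3)
```

Changing `exposure_factor` or `aro` on the encrypted scenario shows how sensitive the decision is to the post-safeguard estimate, which is where most real-world ROI arguments fall apart.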

Page 14: Information Security Risk Management

Risk Choice

Accept the Risk

Mitigate the Risk

Transfer the Risk

Risk Avoidance

Page 15: Information Security Risk Management

Onur YÜKSEKTEPELİ, Information Security Consultant
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli