Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
31 Cards in this Set
- Front
- Back
|
Risk = |
Risk = Threat x Vulnerability Risk = Threat x Vulnerability x Impact |
|
|
Threat |
Potentially harmful occurrence like an earthquake, a power outage, or a network-based worm such as the Conficker |
|
|
Vulnerability |
Weakness a weakness that allows a threat to cause harm of vulnerabilities buildings that are not built to withstand earthquakes a data center without proper backup power or a Microsoft Windows XP system that has not been patched in a few years |
|
|
Impact |
Impact is the severity of the damage, sometimes expressed in dollars |
|
|
ALE |
Annualized Loss Expectancy (ALE) |
|
|
Annualized Loss Expectancy (ALE) |
Calculation allows you to determine the annual cost of a loss due to a risk. |
|
|
AV |
Asset Value |
|
|
PII |
Personally Identifiable Information |
|
|
Asset Value calculation approach |
Market Approach: Potential profile of the product in the market, (how much we might get by selling it) Income Approach: Earning capacity of the asset will generate over its remaining useful life Cost Approach: Replacement cost |
|
|
EF |
Exposure Factor percentage of value an asset lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone. |
|
|
Exposure Factor (EF) |
percentage of value an asset lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are g |
|
|
ARO |
Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11. |
|
|
Annual Rate of Occurrence (ARO) |
Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11. |
|
|
The Annualized Loss Expectancy (ALE) |
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO), or $275,000. |
|
|
Single Loss Expectancy (SLE) |
Asset Value (AV) x Exposure Factor (EF) (Cost of One loss) |
|
|
ARO |
Annual Rate of Occurrence (ARO) Number of Losses per year |
|
|
ALE |
Annualized Loss Expectancy (ALE) |
|
|
Annualized Loss Expectancy (ALE) |
ALE=SLE x ARO Annualized loss Expectancy (ALE) = Single loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) Cost of Losses per Year |
|
|
TOC |
Total cost of ownership |
|
|
9 Steps of Risk Management Process by NIST |
1. System Characterization 2. Threat Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Results Documentation |
|
|
Asset Value (AV) Calculation |
AV (Asset Value) + PII (Personally Identifiable Information) The true average Asset Value of a laptop with PII for this example is $25,000 ($2500 for the hardware, and $22,500 for the exposed PII). |
|
|
Exposure Factor (EF) |
The Exposure Factor (EF) is the percentage of value an asset lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone |
|
|
The Single Loss Expectancy (SLE) |
Single Loss Expectancy The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000. |
|
|
The Annual Rate of Occurrence (ARO) |
The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11. |
|
|
Annualized Loss Expectancy |
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO), or $275,000. |
|
|
SLE |
AV x EF Cost of one loss |
|
|
Annualized Loss Expectancy (ALE) |
SLE x ARO |
|
|
TCO Calculation |
Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1000 laptops. The vendor charges a 10% annual support fee, or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software, or 4000 staff hours. The staff that will perform this work makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70, times 4000 hours, that is $280,000. |
|
|
TCO Calculation |
Ownership over 3 years: • Software cost: $100,000 • Three year’s vendor support: $10,000 × 3 = $30,000 • Hourly staff cost: $280,000 • Total Cost of Ownership over 3 years: $410,000 • Total Cost of Ownership per year: $410,000/3 = $136,667/year Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year. |
|
|
Return on Investment (ROI) |
The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If the TCO is higher than your ALE, you have made a poor choice. |
|
|
Annualized Loss Expectancy of Unencrypted Laptops Calculation |
Formula ValueAsset Value(AV) |AV | $25,000Exposure Factor(EF) | EF | 100%Single LossExpectancy (SLE) | AV x EF | $25,000Annual Rate ofOccurrence (ARO) | ARO | 11Annualized LossExpectancy (ALE) | SLE x ARO |$275,000 GkyNVqwRQ |
