Quantitative and Qualitative Risk Assessment – CompTIA Security+ SY0-401: 2.1


Risk factors can take many forms. In this video, you’ll learn how to assess both quantitative and qualitative risk factors in your environment.



There are many different ways to assess the risks that might be in your environment and the resources that are available. One common thing you can do is a Business Impact Analysis. You need to understand what resources you have in your environment, what services you’re making available to other people, and the things that are important to your organization. And then you need to think about the threats that are out there that might have an impact on those particular resources.

You need to consider how likely some of these attacks might be. Is this threat something that could very easily occur? Is it something like the spam coming in every day that might be phishing us? Or is it a very uncommon threat, the kind that might be associated with an operating system vulnerability?

Then we need to think about what happens if the machine was attacked and brought down, so that the resource was no longer available: what is the impact to the organization? Is this something that is going to create a major issue for us? If so, perhaps we need to mitigate that with some other security devices.

Maybe we lose a particular resource, say a mail server. Perhaps in your environment, losing a mail server for a day isn’t an enormous problem. Maybe in your environment, losing a mail server is a big deal. So you need to think about what the impact will be, should that particular resource no longer be available.

When you’re trying to calculate risk, it’s sometimes very useful to put it in dollars, to get an absolute number for it. So we want to come up with ways to quantify what type of risk we may be taking. We want a dollar value that we can associate with each risk, and that way we’re able to make business decisions based on the risks that we have.

One of the ways to do this, is to determine what the single loss expectancy might be if a particular resource was made unavailable. If that web server goes down, if we lose our database server, if our mail server is not available and that resource is not available for people, how much money can we expect to lose from that?

And then on top of that, we need to think about how often we should expect that particular resource to be unavailable over an entire year. What we’ll do is find the annual loss expectancy (ALE), which is the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO).

How many times during the year do we expect this to happen? We simply multiply the number of occurrences by the amount of money we would expect to lose each time, and that’s our dollar figure for the year: the amount we can expect to lose. Based on that, we may decide to purchase more security devices, change the way we’re providing those services, perhaps create some redundancy, or think about other ways to help mitigate that issue.
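The calculation described above, carried through as an added example (this is not code from the video or from Professor Messer). The resources, dollar figures and occurrence rates are constructed sample values, and the `control_value` cost/benefit step is an assumption added here to show how the annual loss figure feeds the purchasing decision the video mentions.

```python
"""Annual loss expectancy (ALE) worked example.

Added illustration, not from the original video. All resources,
dollar amounts and occurrence rates below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class RiskItem:
    resource: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO, the expected loss over one year."""
        return annual_loss_expectancy(self.sle, self.aro)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Return ALE in dollars given SLE (dollars) and ARO (occurrences/year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a control (assumption: standard cost/benefit framing).

    Positive means the control is expected to save more per year than it costs;
    negative means the loss it prevents does not justify the spend.
    """
    return (ale_before - ale_after) - annual_control_cost


def rank_by_ale(items):
    """Highest expected annual loss first, so budget goes to the biggest exposure."""
    return sorted(items, key=lambda item: item.ale, reverse=True)


# Constructed sample data: three resources from the video's examples.
SAMPLE_RISKS = [
    RiskItem("mail server outage", sle=8_000.0, aro=4.0),
    RiskItem("web server outage", sle=25_000.0, aro=1.0),
    RiskItem("database server outage", sle=60_000.0, aro=0.25),
]


def report(items) -> str:
    """Render a one-line-per-resource table ordered by ALE."""
    lines = []
    for item in rank_by_ale(items):
        lines.append(
            f"{item.resource:<24} SLE ${item.sle:>10,.2f}  "
            f"ARO {item.aro:>5.2f}  ALE ${item.ale:>10,.2f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
    # Constructed scenario: a redundant mail server costing $12,000/year
    # is assumed to cut outages from 4 per year to 1 per year.
    mail = SAMPLE_RISKS[0]
    ale_after = annual_loss_expectancy(mail.sle, 1.0)
    print(f"mail redundancy net value: ${control_value(mail.ale, ale_after, 12_000.0):,.2f}")
```

Note that ARO is a rate, not a count: an event expected once every four years has an ARO of 0.25, which is why the database outage ranks last despite having the largest single loss.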

You also have to think about the historical reference here: how often did this occur in the past? That is very easy for things like knowing how many times we’ve lost the mail server over the last year, but there are things you just can’t plan for very well.

Take something like, in this particular case, a buffalo stampede. You’re not going to go down the road of calculating an annual loss expectancy for a buffalo stampede if you happen to be in Florida. So you run into situations where you can’t exactly put a dollar figure on these things because there’s no reference. There’s no way to determine whether this is something that occurred in the past or that might even occur in the future.

To help with some of those situations, we do more of a qualitative risk assessment, where it’s not really dollar figures, it’s people’s opinions of how bad a particular problem might be for us. So we need to interview people to get their perspective on the significance: if we lost the mail server, how would that impact you and your part of the organization?

We obviously don’t have dollar figures we can associate with this, but some people will use a traffic light grid or some other method to be able to view it. So here’s a good example that looks at the risk factor, the impact to the organization, the annualized rate of occurrence, the cost of having controls in place, and what you might think of as the overall risk. And in this case, each one is a red, a yellow, or a green, much like a traffic light.

So you can see that having untrained staff might have very little impact, perhaps a yellow, mid-range annualized rate of occurrence, and a low cost of controls, so the overall risk is probably in the yellow range. You can take multiple risk factors and at least put them in a high-level view, so you can get a better understanding of what the risk might be.
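A traffic light grid built from interview answers, as an added example (not code from the video). The stakeholder ratings are constructed, and the scoring rule is an assumption made here: each factor is rated low/medium/high (1–3), several interviewees’ answers are combined by taking the median and rounding up, and the overall risk is the rounded-up average of impact and likelihood, shown as green, yellow or red.

```python
"""Qualitative (traffic-light) risk grid.

Added illustration, not from the original video. The interview ratings are
constructed sample data and the combination rules are assumptions:
  - each factor is rated 1 (low), 2 (medium) or 3 (high);
  - several interviewees' ratings are merged by median, rounded up so that a
    split opinion errs on the cautious side;
  - overall risk is the average of impact and likelihood, rounded up.
"""
import math
from statistics import median

LEVELS = {1: "green", 2: "yellow", 3: "red"}


def consensus(ratings) -> int:
    """Merge several 1-3 ratings from interviews into one rating."""
    if not ratings or any(r not in LEVELS for r in ratings):
        raise ValueError("ratings must be a non-empty list of 1, 2 or 3")
    return math.ceil(median(ratings))


def overall_risk(impact: int, likelihood: int) -> int:
    """Combine impact and likelihood (each 1-3) into an overall 1-3 rating."""
    return math.ceil((impact + likelihood) / 2)


# Constructed sample interviews: factor -> (impact ratings, likelihood ratings,
# cost-of-controls rating). Three people were asked about each factor.
SAMPLE_INTERVIEWS = {
    "untrained staff": ([1, 1, 2], [2, 2, 3], 1),
    "mail server outage": ([3, 2, 3], [2, 2, 1], 2),
    "buffalo stampede": ([3, 3, 3], [1, 1, 1], 3),
}


def assess(interviews):
    """Return one grid row per factor with every cell as a traffic-light colour."""
    rows = []
    for factor, (impacts, likelihoods, control_cost) in interviews.items():
        imp, lik = consensus(impacts), consensus(likelihoods)
        rows.append({
            "factor": factor,
            "impact": LEVELS[imp],
            "likelihood": LEVELS[lik],
            "control_cost": LEVELS[control_cost],
            "overall": LEVELS[overall_risk(imp, lik)],
        })
    return rows


def render(rows) -> str:
    """Plain-text version of the grid for a report."""
    header = f"{'risk factor':<20} {'impact':<8} {'likelihood':<11} {'controls':<9} overall"
    body = [
        f"{r['factor']:<20} {r['impact']:<8} {r['likelihood']:<11} {r['control_cost']:<9} {r['overall']}"
        for r in rows
    ]
    return "\n".join([header, *body])


if __name__ == "__main__":
    print(render(assess(SAMPLE_INTERVIEWS)))
```

The rounding-up choices are deliberate: when interviewees disagree or when impact and likelihood sit on different sides of a boundary, the grid shows the more cautious colour rather than hiding a high rating behind an average.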