3.2.1 Risk Calculation Overview Video Script

School

San Antonio College

Course

2301

Subject

Finance

Date

Feb 20, 2024

Uploaded by BaronRiver11822

Risk Calculation 0:00-0:37

In this video, we'll discuss calculating the risk associated with an asset. There are formulas we can use that approximate total and residual risks so we can determine financial losses and potential exposure. The two most common risk calculations are for single loss expectancy and annual loss expectancy. There are several factors that are part of these calculations, including qualitative and quantitative risk analysis. Further, we need to factor in the probability of an event as well as the magnitude of the potential impact. First, there are a few terms we must define.

Defining Terms 0:38-2:06

To define potential risk and potential loss, we have to know the value of our assets. The assessed value of an asset is determined using qualitative and quantitative assessments. Qualitative assessment is used to define perceived value based on an asset's use, reliability, interest, or other human factors – the intangible. Quantitative assessment is rooted in facts and numbers. If a machine became unusable, the quantitative loss is the dollar value of the machine.

SLE, or single loss expectancy, is the calculation of the monetary loss of an asset or assets due to a threat. ALE, or annual loss expectancy, is the monetary loss a threat might incur annually. We'll explain both in more detail in just a moment.

Probability measures how likely an event is to occur. The risk of the event is measured two ways: ARO, or annualized rate of occurrence, is used when the probability uses a quantitative analysis. If qualitative analysis is used, the probability is determined by a team of subject matter experts.

Magnitude measures the impact of a threat event. Using quantitative analysis, the magnitude is defined and considered using both the SLE and ALE values for each event. If you're using qualitative analysis, you'll need a team of subject matter experts once again, and they'll draw on their knowledge and experience to determine the impact of different threats.

Single Loss Expectancy 2:07-4:11

Single loss expectancy, or SLE, defines the monetary impact of each occurrence. While the formula to determine the SLE is simple, you have to accurately determine each of its factors to get a valid result.

One component of the SLE is the asset value, or AV. The AV is the real monetary value of the asset. The asset itself can be physical hardware or intellectual property. Either way, the monetary value must be known. The second component in the SLE equation is the exposure factor, or EF, which defines the potential loss as a percentage. This loss can also reflect a loss of functionality.

The single loss expectancy calculation is: single loss expectancy equals asset value multiplied by the exposure factor (SLE = AV x EF). While this is a simple equation, determining the AV and EF can be a daunting task. If the asset is physical, its value is easy to determine – how much is the asset worth? If the asset is intellectual or intangible, the value must be determined by an asset manager. The EF of a physical asset can be determined by its loss or potential loss in productivity.

The most important factor in determining the SLE is the threat. It can be an inside threat, such as a disgruntled employee, a power failure, a flood, or a fire. Or it could be external, like a natural disaster, a pandemic, or a hacker. Other factors that influence the risk may include redundancy, ease of replacement, potential for loss, and the likelihood of loss.

Suppose a manufacturer has four presses to stamp out parts. Each of these presses is valued at $150,000. In this scenario, the AV is $600,000 (four presses that are each valued at $150,000). Suppose one of the presses breaks down and isn't available. The EF in this case is 25 percent, or one fourth of the total units available. In this scenario, the single loss expectancy is $150,000.

Annual Loss Expectancy 4:12-6:22

The annual loss expectancy, or ALE, is an extension of the SLE that uses additional factors. It uses the single loss expectancy to determine a dollar value for the loss of an asset, then multiplies that value by the annualized rate of occurrence to arrive at a financial cost. The ARO defines how often a threat may occur annually.

The annual loss expectancy is the result of multiplying the single loss expectancy by a factor of potential threat activity called the annualized rate of occurrence (ALE = SLE x ARO). This is another simple-looking formula. Once the SLE is determined, figuring out the ARO is the challenge: getting a percentage rate that accurately reflects the risk factors. It is important to note that determining these factors is a subjective decision made by subject matter experts.

The annualized rate of occurrence is an estimate. SMEs use their knowledge and experience to decide how often a threat may occur in a given year. This is not an exact science; it is merely a guess. Usually, a single person does not make this decision. Instead, a collection of SMEs and company management discuss these factors and arrive at a decision that places a percentage on the likelihood of a threat. That percentage is the ARO, or annualized rate of occurrence.

Using the scenario where the SLE was valued at $150,000, we need to look at the annualized rate of occurrence. The SME committee, along with the organization's management, determined that the estimated annual threat exposure was 50%. Using the information we have and the calculation above, we arrive at an annual loss expectancy of $75,000.

While this number is estimated, it is based on industry standards, historical data, experience, and expert opinion. The organization's management can use this value to determine an appropriate course of action. Depending, again, on several factors, they can decide whether to implement controls to mitigate the potential loss or accept it as an acceptable risk. In other words, if the solution is more expensive than the asset value, it may not make sense to protect it.

Summary 6:23-6:38

That's it for this video. In this lesson, we discussed how the risk of threat is calculated. We talked about single loss expectancy and annualized loss. These values help you protect assets from loss due to threat actors. Probability and magnitude help determine the likelihood of a threat event and the potential for loss.

Copyright © 2024 TestOut Corp. Copyright © 2024 The Computing Technology Industry Association, Inc. All rights reserved.
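
The SLE and ALE formulas and the mitigate-or-accept decision described in the script, as an added example that is not part of the original transcript. It goes slightly beyond the script by comparing a control's yearly cost with the ALE reduction it buys; the names `Risk` and `assess_control` and both control options are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0..1)
    aro: float              # ARO: estimated occurrences per year

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if self.asset_value < 0:
            raise ValueError("asset value cannot be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor  # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                      # ALE = SLE x ARO


def assess_control(risk, annual_cost, *, ef_after=None, aro_after=None):
    """Compare a control's yearly cost with the ALE reduction it buys."""
    residual = replace(
        risk,
        exposure_factor=risk.exposure_factor if ef_after is None else ef_after,
        aro=risk.aro if aro_after is None else aro_after,
    )
    net_benefit = risk.ale - residual.ale - annual_cost
    decision = "mitigate" if net_benefit > 0 else "accept"
    return {"residual_ale": residual.ale, "net_benefit": net_benefit,
            "decision": decision}


# Scenario from the script: four presses at $150,000 each, one unavailable.
presses = Risk("stamping presses", asset_value=600_000,
               exposure_factor=0.25, aro=0.5)

# Constructed control options (assumptions, not figures from the script).
contract = assess_control(presses, annual_cost=20_000, aro_after=0.25)
lease = assess_control(presses, annual_cost=90_000, ef_after=0.0)

if __name__ == "__main__":
    print(f"SLE ${presses.sle:,.0f}  ALE ${presses.ale:,.0f}")
    print("maintenance contract:", contract)
    print("standby press lease:", lease)
```

The maintenance contract pays for itself because it removes more expected loss than it costs, while the standby lease costs more per year than the whole ALE, so accepting the risk is the cheaper choice.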