Invitation to Cybersecurity

ly and rate it a 2 on the likelihood scale. They also believe that DDoS attacks could take their site down for less than one week over the course of a year, and could disenfranchise customers and cost them some sales. They rate the severity of a DDoS attack as 3 (medium). Therefore, based on their qualitative risk assessment, they score the risk severity of DDoS attacks against their ecommerce website as:

DDoS Risk: 2 (likelihood) x 3 (impact) = 6 (risk severity)

Overall, this falls into the low risk category.

As another example, they also identified during a vulnerability assessment that their web server is unpatched and that threat actors are actively exploiting a known vulnerability in it to gain root access to servers. They have therefore identified a risk of their web server being hijacked. If this were to happen, it could cause a data breach and also take their ecommerce site down for weeks, costing them numerous sales. For this risk, they rate the likelihood a 5 and the impact a 5, for an overall risk assessment score of 25:

Web Server Hijacking Risk: 5 (likelihood) x 5 (impact) = 25 (risk severity)

This risk scores in the high risk category. Based on this type of analysis, applied across many different risks, organizations can intelligently prioritize risks.

A qualitative risk analysis can sometimes lead to counterintuitive conclusions. Taking a hypothetical non-cyberspace example, which city is at higher risk for low magnitude earthquakes, Boston or San Francisco? Assuming that earthquakes are three times more likely in San Francisco, but that the historic buildings in Boston are four times more likely to be damaged during a low magnitude earthquake, leads to the following risk severity scores:

San Francisco Earthquake Risk: 3 (likelihood) x 1 (impact) = 3 (risk severity)

Boston Earthquake Risk: 1 (likelihood) x 4 (impact) = 4 (risk severity)

Based on these assumptions, Boston is at higher risk for low magnitude earthquakes than San Francisco! This illustrates the fallacy of equating risks with threats. Threat does not equal risk. The risk severity calculation corrects this by incorporating impact so that risks can be properly assessed.

5.3.4.2 Quantitative Risk Assessment

Quantitative risk analysis is another way to assess risk severity. It is a fine-grained assessment that uses dollar amounts to quantify risks. With a quantitative risk analysis, a precise cost-benefit analysis can be performed. There are several acronyms and equations involved in the quantitative risk analysis calculations, but only basic math is needed.
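The qualitative scoring and prioritization described above (likelihood x impact on 1 to 5 scales, then bucketing into categories), worked through as an added example that is not from the book. The register entries reproduce the four ratings from the text; the category thresholds and the impact tie-break are assumptions, since the text only states that 6 is low and 25 is high.

```python
"""Qualitative risk scoring: severity = likelihood x impact, bucketed into categories."""
from dataclasses import dataclass

# Assumed category thresholds (the text gives only 6 -> low and 25 -> high).
LOW_MAX = 8
MEDIUM_MAX = 15


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject ratings outside the 1-5 scale so a typo cannot skew the ranking.
        for field, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be on the 1-5 scale, got {value}")


def severity(risk: Risk) -> int:
    """Risk severity score as defined in the text: likelihood x impact."""
    return risk.likelihood * risk.impact


def category(score: int) -> str:
    """Map a severity score to low / medium / high using the assumed thresholds."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def prioritize(register):
    """Highest severity first; equal scores broken by impact (assumed tie-break)."""
    return sorted(register, key=lambda r: (severity(r), r.impact), reverse=True)


# Constructed risk register reproducing the four ratings from the text.
REGISTER = [
    Risk("DDoS against ecommerce site", 2, 3),
    Risk("Web server hijacking (unpatched, actively exploited)", 5, 5),
    Risk("Low-magnitude earthquake, San Francisco", 3, 1),
    Risk("Low-magnitude earthquake, Boston", 1, 4),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{severity(r):>2} ({category(severity(r))})  {r.name}")
```

Running it lists the hijacking risk first at 25 (high) and confirms the counterintuitive earthquake result: Boston (4) ranks above San Francisco (3).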