# Calculating Risk – CompTIA Security+ SY0-401: 2.1

August 6, 2014

The calculation of risk can help you make educated business decisions related to your security infrastructure. In this video, you’ll learn how to associate a dollar value to the risks in your organization.

<< Previous Video: Reducing Risk with Security PoliciesNext: Quantitative and Qualitative Risk Assessment >>

Seems every week there’s a news story about some type of security breach. And that news story says, this security breach cost the organization \$200,000. This security breach cost the organization \$1 million. So the question is, how’d they come up with that number? Where did that really come from?

Because it’s not just the damage that was done during that particular event, but also all of the money that was spent on man hours and things, that it took to resolve that issue internally. There’s a lot of dollars that go after the fact that then cleanup, and getting new equipment, in solving some of the problems that occurred during that particular event.

So there needs to be way to calculate risk, and a very simple way is to start with the likelihood of the risk. So you should look at the particular risk, and understand, how often do you expect this to occur maybe in a year? We’ll use an annualized rate of occurrence, an ARO.

So if we are as an organization and we’re wondering, how often can we expect our hurricane to hit our headquarters? If you’re in Montana, your annualized rate of occurrence is probably going to be very small. If you’re in Florida, it might be a little bit larger. It’s probably going to be a lot larger, and it’s something to consider because, here, we’re making a best guess. How often can we expect something like this to occur?

And maybe it’s not just a hurricane– how often can we expect that we’re going to have someone traveling with a laptop, and that laptop is going to be stolen, or it’s going to be lost? How often should we expect something like that to occur? It’s unfortunate that that occurs, but we have to think about that when we’re planning for the risk.

Then we can take that particular event, and if that occurs, what is a loss from a single event occurring? If it’s a laptop being stolen, maybe that laptop’s worth \$1,000, or \$2,000, or \$5,000. When that laptop is, stolen what is the loss associated with that? And it’s not just the monetary loss of the laptop, then you also have the time lost the person is on the road without a laptop. You have to buy a new laptop, there’s the purchasing process, there’s dollars associated with that. You need to consider all of that in a single loss expectancy. So that particular loss occurs, what is that?

Now in the case of something like a hurricane hitting, that loss expectancy has a very broad number associated with it. There’s not a set the value. So it may be a very conservative number, or very liberal number, in dealing with how broad you’re considering that single lost to be. But in this example here, let’s say it’s a laptop stolen. It’s \$1,000 in that single loss if you happen to lose a laptop

So if you want to compute what the loss would be annually– take how often your annualized rate of occurrence might be, take what a single loss might be, and just multiply those together. So if you have seven laptops stolen in a year, that your ARO. And the single loss expectancy of a single laptop’s \$1,000, then over an entire year we can expect there will be \$7,000 of risk calculated based on what we know so far.

And if there’s an uptick then we’re going to lose more, if we have less of those occur then we’ll lose less. But this is how we’re calculating risk for the year. We can start budgeting for this, we can start planning for this. Maybe we want to now get insurance based on these laptops because now we’re spending a lot of money.

When people lose laptops, we need to have some type of mitigation in place that’s not going to cost us \$7,000 out of pocket every time. And it might also help you– get additional software or hardware the might help you track some of these laptops if they happen to be stolen or lost, and maybe you could recover some of them. And knowing that risk calculation number now allows you to do the business case.

Well, if it costs us \$10,000 to get software to track laptops, well, that doesn’t make sense– we’re only losing \$7,000 in a year. So, we can probably deal with that amount of risk, and if we happen to get more stolen in the year, we can revisit it then. Very valuable numbers to have. And if somebody shows up and says, we’re thinking that this might be an issue, you may have to calculate some risk associated with that. Get that into your budget, into your business planning process, and certainly into the policies that you’ll be setting.

There’s another important consideration when calculating risk, and that’s the risk value isn’t just dollars. Whenever you’re dealing with any type of risk– there’s loss of information, somebody loses a laptop– there might be information on that laptop that could harm the company, should it get into somebody else’s hands. And that is something you really can’t calculate with dollars.

There’s a quantitative value that you have with your dollars, but also a qualitative value you have to consider with risk. If there is a very risky amount of information that’s on a laptop, maybe that’s your justification for using encryption software, full disk encryption software, on that laptop. So even if that laptop is stolen, the worst case is that we’re only losing \$1,000. And even if the quality of data on that laptop was such that would cause us more risk, we’re protected against that. And that may be your business justification for that. That becomes a little bit more of a challenge– you have to sit down with people and discuss how the quality of that risk changes if that particular data, or information, or event occurs– but always something to consider, especially when you’re calculating risk.

Category: CompTIA Security+ SY0-401