Chapter 4 - Quantitative Analysis

Quantitative Risk Analysis
Risk Model
Quantitative Analysis
• Quantitative analysis utilizes techniques such as
simulation and decision tree analysis to provide data
on:
– The impact to cost or schedule for risks
– The probability of meeting project cost and/or schedule
targets
– Realistic project targets on cost, schedule, and/or scope
• Qualitative analysis should occur prior to conducting
quantitative analysis.
• Not every risk needs to go through quantitative
analysis.
• If quantitative analysis is to be used, then this
section should contain information on:
– Defined criteria for which risks go through
quantitative analysis
– Technique(s) to be utilized
– Expected outputs of quantitative analysis
Advantages of Quantitative Analysis
• Although a qualitative risk analysis may be easier to do at
times, a quantitative risk analysis offers the following
distinct advantages:
1. More objectivity in its assessment
2. A more powerful selling tool to management
3. A direct projection of the cost/benefit of a proposal
4. Can be fine-tuned to meet the needs of specific situations
5. Can also be modified to fit the needs of specific industries
6. Much less prone to arouse disagreements during
management review
7. The analysis is often grounded in verifiable data (historical
loss records, insurance payouts, incident statistics) rather
than in opinion
Quantitative Analysis Process
• After you have gathered a considerable amount of data to
this point, you will need to analyze this information to:
– Determine the probability of each risk occurring,
– Determine which assets are affected,
– Determine the costs involved with each risk.
• Assets will have different risks associated with them,
and you will need to correlate the different risks with each
of the assets inventoried in a company.
• Some risks will impact all of the assets of a company,
such as the risk of a massive fire destroying a building
and everything in it, while in other cases groups of
assets will be affected by specific risks.
• Assets of a company will generally have multiple
risks associated with them.
• Equipment failure, theft, or misuse can affect
hardware, while viruses, upgrade problems, or bugs in
the code may affect software.
• By looking at the weight of importance associated
with each asset:
– Prioritize which assets will be analyzed first.
– Determine what risks are associated with each.
• Once you have determined which assets may be
affected by different risks, you then need to determine
the probability of each risk occurring.
• While there may be numerous threats that
could affect a company, not all of them are
probable.
• For this reason, a realistic assessment of the
risks must be performed.
Annualized Rate of Occurrence (ARO)
• Historical data can provide information on how
likely it is that a risk will become reality within a
specific period of time.
• Research must be performed to determine the
likelihood of risks within a locality or with certain
resources.
• The expected number of times a risk occurs in one
year is known as the Annualized Rate of Occurrence
(ARO). A risk expected once every ten years has an
ARO of 0.1; one expected three times a year has an
ARO of 3. The ARO is a frequency, not a probability,
so it can exceed 1.
• Information for risk assessment can be acquired through a
variety of sources.
• Police departments may be able to provide crime statistics
on the area your facilities are located, allowing you to
determine the probability of vandalism, break-ins, or
dangers potentially encountered by personnel.
• Insurance companies will also provide information on risks
faced by other companies, and the amounts paid out when
these risks became reality.
• Other sources may include news agencies, computer
incident monitoring organizations, and online resources.
Single Loss Expectancy (SLE)
• Once the ARO has been calculated for a risk, you can
compare it to the monetary loss associated with the asset.
• This is the dollar value that represents how much money would be lost if
the risk occurred once.
• You can calculate this by looking at the cost of fixing or replacing the asset.
• For example, if a router failed on a network, you would need to purchase a
new router and pay to have the new one installed.
• In addition to this, the company would also have to pay employees
who are not able to perform their jobs because they cannot access the
network.
• This means that the monetary loss would include the price of new
equipment, the hourly wage of the person replacing the equipment, and
the cost of employees unable to perform their work.
• The dollar value of the loss from one occurrence is the total cost of
the risk, or the Single Loss Expectancy (SLE).
Annual Loss Expectancy (ALE)
• To plan for a probable risk, you need to budget for the possibility that the
risk will happen.
• To do this, you use the ARO and the SLE to find the Annual Loss
Expectancy (ALE).
• To illustrate how this works, let's say that a Web server is expected to fail
0.3 times per year, that is, there is a 30 percent chance of a failure in any
given year. This is the ARO of the risk.
• If the e-commerce site hosted on this server generates $10,000 an hour and the
site is estimated to be down two hours while the system is repaired, then
the cost of this downtime is $20,000.
• In addition to this, there is the cost of replacing the server itself.
• If the server costs $6,000, this increases the cost to $26,000. This is the
SLE of the risk.
• By multiplying the ARO and the SLE, you find how much money needs
to be budgeted each year to deal with this risk.
• This formula provides the ALE:
ARO x SLE = ALE
• For the example of the failed server
hosting an e-commerce site, this means the ALE would
be:
0.3 x $26,000 = $7,800
• To deal with the risk, you need to assess how much
needs to be budgeted to deal with the probability of
the event occurring.
• The ALE provides this information, leaving you in a
better position to recover from the incident when it
occurs.
• Note that the ALE is an average over many years: in any
one year the loss is $26,000 if the server fails and nothing
if it does not, so the figure is a long-run reserve, not a
prediction of what a given year will cost.
Exercise: Determining the Annual Loss
Expected to Occur From Risks
• A widget manufacturer has installed new network servers, changing
its network from a peer-to-peer network to a client/server-based
network.
• The network consists of 200 users who make an average of $20 an
hour, working on 100 workstations.
• Previously, none of the workstations involved in the network had
anti-virus software installed on the machines.
• This was because there was no connection to the Internet, and the
workstations didn’t have floppy disk drives or Internet connectivity,
so the risk of viruses was deemed minimal.
• One of the new servers provides a broadband connection to the
Internet, which employees can now use to send and receive email,
and surf the Internet.
• One of the managers read in a trade magazine that other
widget companies have reported an 80 percent chance of
viruses infecting their network after installing T1 lines and
other methods of Internet connectivity, and that it may take
upwards of three hours to restore data that has been damaged
or destroyed.
• A vendor will sell licensed copies of anti-virus software for
all servers and the 100 workstations at a cost of $4,700 per
year.
• The company has asked you to determine the annual loss
that can be expected from viruses, and to determine whether it is
beneficial in terms of cost to purchase licensed copies of the
anti-virus software.
1. What is the Annualized Rate of Occurrence
(ARO) for this risk?
2. Calculate the Single Loss Expectancy (SLE) for
this risk.
3. Using the formula ARO x SLE = ALE, calculate the
Annual Loss Expectancy.
4. Determine whether it is beneficial in terms of
monetary value to purchase the anti-virus
software by calculating how much money would
be saved or lost by purchasing the software.
ANSWERS TO EXERCISE QUESTIONS
1. The Annualized Rate of Occurrence (ARO) is
the expected number of times a risk occurs within a year.
The scenario states that trade magazines report an 80%
chance of virus infection after connecting to the Internet,
so the exercise takes the ARO as 80%, or 0.8. (Strictly, an
80 percent chance of at least one infection is a probability
rather than a frequency; the expected number of infections is
at least 0.8, so using 0.8 as the ARO is a lower bound.)
2. The Single Loss Expectancy (SLE) is the dollar value of the
loss from one occurrence, that is, the total cost of the risk.
• In this scenario there are 200 users who make an
average of $20 per hour.
• Multiplying the number of employees who are unable to
work while the system is down by their hourly wage, the
company loses $4,000 an hour (200 x $20 = $4,000).
• Because it may take up to three hours to repair damage
from a virus, this amount is multiplied by three, since
employees will be unable to perform their duties for
approximately three hours.
• This makes the SLE $12,000 ($4,000 x 3 = $12,000). Note
that this figure counts only idle wages; the labor to restore
the data and any data that cannot be recovered are not costed
in the scenario, so the real SLE would be higher.
3. The ALE is calculated by multiplying the ARO
by the SLE (ARO x SLE = ALE). Here, $12,000 is
multiplied by 80 percent (0.8), giving $9,600 (0.8 x
$12,000 = $9,600). Therefore, the ALE is $9,600.
4. Because the ALE is $9,600 and the cost of
the software that will minimize this risk is
$4,700 per year, the company would save $4,900 per
year by purchasing the software ($9,600 - $4,700 =
$4,900). This assumes the software removes the risk
entirely; if it only reduces the ARO, the ALE that
remains after the control must also be subtracted from
the saving.
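The arithmetic behind the web server example and the anti-virus exercise above, as an added worked example that is not part of the original slides. The Risk class, the function names and the Poisson-distributed Monte Carlo check are assumptions made for illustration; the dollar figures are the ones in the text. It goes beyond the slides in two ways: safeguard_value() compares the ALE before and after a control instead of assuming the control removes the risk entirely, and simulate_annual_loss() shows that the ALE is a long-run average that a single bad year can far exceed.

```python
"""Annual Loss Expectancy (ALE) and safeguard cost/benefit.

Added worked example; it is not part of the original slides.  The Risk
class, the function names and the Poisson model in simulate_annual_loss
are assumptions made for illustration.  The figures reproduce the web
server example and the anti-virus exercise from the text.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float                     # expected occurrences per year; may exceed 1.0
    downtime_hours: float          # hours the asset is unavailable per occurrence
    hourly_loss: float             # revenue or wages lost per hour of downtime
    replacement_cost: float = 0.0  # parts and labour to restore the asset

    def sle(self) -> float:
        """Single Loss Expectancy: total cost of one occurrence."""
        return self.downtime_hours * self.hourly_loss + self.replacement_cost

    def ale(self) -> float:
        """Annual Loss Expectancy: ARO x SLE."""
        return self.aro * self.sle()


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual value of a control:
    (ALE before the control - ALE after the control) - annual cost of the control.
    A positive result means the control pays for itself."""
    return before.ale() - after.ale() - annual_cost


def simulate_annual_loss(risk: Risk, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo check that the ALE is only a long-run average.

    Assumption (not from the slides): occurrences per year follow a Poisson
    distribution with mean ARO, so an asset can fail more than once a year.
    Returns the mean annual loss (which approaches the ALE) and the 95th
    percentile, which is what a budget would have to cover in a bad year.
    """
    rng = random.Random(seed)
    threshold = math.exp(-risk.aro)
    losses = []
    for _ in range(years):
        # Knuth's algorithm for a Poisson draw: multiply uniform samples
        # until the product drops below e^-lambda; the number of extra
        # multiplications needed is the number of occurrences that year.
        k, p = 0, 1.0
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            k += 1
        losses.append(k * risk.sle())
    losses.sort()
    return {"mean": sum(losses) / years, "p95": losses[int(0.95 * years)]}


# Web server example from the slides: ARO 0.3, two hours down at $10,000/h,
# plus a $6,000 replacement server.
WEB_SERVER = Risk("e-commerce web server failure", aro=0.3, downtime_hours=2,
                  hourly_loss=10_000, replacement_cost=6_000)

# Exercise: 200 users at $20/h idle for three hours, 0.8 infections per year.
VIRUS_NO_AV = Risk("virus outbreak, no anti-virus", aro=0.8,
                   downtime_hours=3, hourly_loss=200 * 20)
# The exercise assumes the anti-virus software removes the loss entirely,
# i.e. the residual ARO is 0.  Set it to a non-zero value to see how the
# saving shrinks when the control only reduces the risk.
VIRUS_WITH_AV = Risk("virus outbreak, with anti-virus", aro=0.0,
                     downtime_hours=3, hourly_loss=200 * 20)
AV_ANNUAL_COST = 4_700


if __name__ == "__main__":
    print(f"Web server  SLE ${WEB_SERVER.sle():,.0f}  ALE ${WEB_SERVER.ale():,.0f}")
    print(f"Virus       SLE ${VIRUS_NO_AV.sle():,.0f}  ALE ${VIRUS_NO_AV.ale():,.0f}")
    net = safeguard_value(VIRUS_NO_AV, VIRUS_WITH_AV, AV_ANNUAL_COST)
    print(f"Anti-virus net value per year: ${net:,.0f}")
    sim = simulate_annual_loss(WEB_SERVER)
    print(f"Simulated mean ${sim['mean']:,.0f} (ALE ${WEB_SERVER.ale():,.0f}), "
          f"95th percentile ${sim['p95']:,.0f}")
```

Running the script reproduces the $26,000 / $7,800 and $12,000 / $9,600 figures and the $4,900 saving. The simulation for the web server reports a mean close to $7,800 but a 95th percentile of $26,000: budgeting only the ALE leaves the company short in roughly one year in four, which is why the ALE is a reserve to accumulate over time rather than a single-year cap.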