Friday, October 16, 2009

Qualitative Risk Assessment

The CompTIA Security+ (SY0-201 exam) includes many objectives on risk assessments. One type of risk assessment is the qualitative risk assessment.

A qualitative risk assessment uses relative rankings (descriptive terms or a simple numeric scale) to categorize risks based on probability and impact. (Quantitative risk assessments use dollar figures to calculate SLE and ALE.)

For example, the terms low, medium, and high could be used, or the numbers one through ten. The two categories usually included in a qualitative risk assessment are probability and impact.

  • Probability. The likelihood an event will occur. For example, the probability that an Internet-facing web server will be attacked is close to 100 percent and could be given a numerical value of 10. However, the likelihood that an internal workstation in the library with no Internet access will be attacked through the Internet is very low, so it could be given a numerical value of 1.
  • Impact. The negative result of the event occurring. If the web server is down, the impact may be considered significant and given a value of 10. If the library workstation is down, a library patron may be inconvenienced, so it may be given a value of 1.

Now the risk can be calculated by multiplying the probability and the impact.

  • Web server. 10 * 10 = 100
  • Library computer. 1 * 1 = 1

A manager can look at these numbers and easily determine how to allocate resources to protect against the risks. More resources would be allocated to protect the web server than the library computer.

While these two examples are extreme to show how the model can be used, the model is most useful for identifying priorities in the middle ranges, which are more difficult to determine.
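The following Python script is an added example, not part of the original post, that carries the probability-times-impact model a step further than the two extremes above: it accepts either a 1 through 10 number or a low/medium/high label for each factor, computes the score for a small register of assets, bands the scores for a heat map, and ranks them so the middle-range cases can be compared. The label-to-number mapping, the band thresholds, and the asset register are all constructed assumptions for illustration, not values from the post or from the Security+ objectives.

```python
from dataclasses import dataclass
from typing import List, Tuple, Union

# Assumed mapping of qualitative labels onto the 1..10 scale used in the post.
LEVELS = {"low": 1, "medium": 5, "high": 10}

Score = Union[int, str]  # a 1..10 number or a low/medium/high label


@dataclass(frozen=True)
class Asset:
    name: str
    probability: Score  # likelihood the event occurs: 1 (rare) .. 10 (near certain)
    impact: Score       # negative result if it occurs: 1 (negligible) .. 10 (severe)


def to_score(value: Score) -> int:
    """Normalize a label or number to an integer in 1..10; reject anything else."""
    if isinstance(value, str):
        return LEVELS[value.lower()]
    value = int(value)
    if not 1 <= value <= 10:
        raise ValueError(f"score {value!r} must be between 1 and 10")
    return value


def risk_score(probability: Score, impact: Score) -> int:
    """Risk = probability * impact, exactly as in the post (range 1..100)."""
    return to_score(probability) * to_score(impact)


def risk_band(score: int) -> str:
    """Bin a 1..100 score into a heat-map band. Thresholds are an assumption."""
    if score >= 50:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def rank_assets(assets: List[Asset]) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) tuples, highest risk first."""
    scored = [(a.name, risk_score(a.probability, a.impact)) for a in assets]
    scored.sort(key=lambda row: row[1], reverse=True)
    return [(name, score, risk_band(score)) for name, score in scored]


# Constructed sample register: the post's two extremes plus mid-range assets
# whose priority is not obvious until the scores are side by side.
REGISTER = [
    Asset("internet-facing web server", 10, 10),
    Asset("library workstation (no internet)", 1, 1),
    Asset("internal file server", 4, 8),
    Asset("developer laptop", 7, 3),
    Asset("HR payroll application", "low", 9),
]

if __name__ == "__main__":
    for name, score, band in rank_assets(REGISTER):
        print(f"{score:3d}  {band:6s}  {name}")
```

Running the script lists the web server first at 100 and the library workstation last at 1, with the three mid-range assets ordered between them; changing a single probability or impact value and re-running shows how sensitive the middle of the ranking is to the judgment calls that go into each score.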

Good luck on your Security+ exam!

Darril Gibson