5 Terms
Quantitative Analysis
In finance, someone who applies mathematics, among others stochastic calculus, to Finance
The process of assigning a value to an item
6 Business Impact Analysis
A Business Impact Analysis (BIA) is an information-gathering exercise designed to methodically identify:
1. The processes or functions performed by an organization
2. The resources required to support each process performed
3. Interdependencies between processes and/or departments
4. The impact of failing to perform a process
5. The criticality of each process
6. A Recovery Time Objective (RTO) for each process
7. A Recovery Point Objective (RPO) for the data that supports each process
Often performed as a step in the development of business continuity plans, the BIA, along with Risk Analysis (RA), provides the foundation for developing and selecting a business continuation strategy that will allow the organization to continue to perform critical processes in the event of a disruption.
7 Annual Loss Expectancy
Annual Loss Expectancy (ALE) - The calculation by which you determine the potential loss that will occur annually.
Single Loss Expectancy (SLE) –
Annual Rate of Occurrence (ARO) -
Annual Loss Expectancy (ALE) = SLE x ARO
AALE – Acceptable Annual Loss Expectancy – Do you have one?
8 Single Loss Expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.
It is mathematically expressed as:
SLE = NA x AV
Where the Asset Value (AV) is a dollar amount and the Number of Assets (NA) is the quantity. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed (euros, dollars, yens, etc.).
9 What
Define Impact
How Detailed to make it
Where the data comes from
What format will you deliver it in
Graphs, charts and other wasted information
KEEP IT SIMPLE!!!!!!!!!
10 Why
Qualify actual costs
What is the business risk
What is the technical risk and why are they different
Justify projects and their spend
Cost Avoidance
11 Who
Who is your target Audience
  Management
  Non-Management
  Technical
  Other
Who supports putting the data together
What is your source
Don’t make up data
12 How
Define what you're analyzing
Define your attack vectors (more is better)
Define the potential impact – What is going to be lost
Define your costs and do the math
DON’T INFLATE YOUR NUMBERS – Use realistic numbers
13 PTA
Practical Threat Analysis
A calculative threat modeling methodology and software technology that assists computer security consultants and software developers in assessing system risks and building the most effective risk reduction policy for their system.
Assets
Threats
Vulnerabilities
Countermeasures
Implemented Countermeasures
Entry Points
Attacker Types
Tags
19 Example 1 – Database Lost
Stolen Laptop
Scenario – An employee in marketing has several large accounts. These individuals buy widgets from him. On his laptop he has 400 clients' information, which includes all their contact, billing and purchasing records.
His laptop is “stolen” out of the trunk of his car on a Friday night while he is in having a beer with some friends. He does not notice it's gone until Monday morning when he gets back to work.
20 Analysis
400 clients – Name, Address, Account Number – Credit Card Number
Direct Loss - Notification - Legal fees - Fines
Ponemon Institute (per record costs)
  $140 – Notification / Credit service
  $94 – Reputation damage (lost customers, new customers, loss of data, etc.)
  $134 per record
$53,600 - Total loss cost per incident
Cost to encrypt a Laptop – $389 PGP
Cost if the workstation has Vista - $0
21 Calculating odds of occurrence
1 in 14 laptops will be stolen in 2007 – FBI
85 employees carry laptops with client data on them.
6 laptops will be lost or stolen annually
$321,600 loss potential (bottom Line impact)
$33,065 to encrypt all laptops
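The stolen-laptop arithmetic from slides 19 to 21, carried through with SLE = NA x AV and ALE = SLE x ARO. This is an added example, not part of the original slides: the function and field names are hypothetical, NA is taken as the 400 client records and AV as the $134 per-record cost, and the AALE threshold is an assumed input.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Field names are illustrative, not from the slides."""
    records_per_incident: int    # NA: records exposed when one asset is lost
    cost_per_record: int         # AV: dollars per record
    assets_at_risk: int          # devices carrying the data
    loss_odds: int               # "1 in N" devices lost or stolen per year
    control_cost_per_asset: int  # dollars to protect one device


def sle(s: Scenario) -> int:
    """Single Loss Expectancy: SLE = NA x AV."""
    return s.records_per_incident * s.cost_per_record


def aro(s: Scenario) -> int:
    """Annual Rate of Occurrence in whole incidents, rounded down as on slide 21."""
    if s.loss_odds <= 0:
        raise ValueError("loss_odds must be a positive '1 in N' figure")
    return s.assets_at_risk // s.loss_odds


def ale(s: Scenario) -> int:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle(s) * aro(s)


def control_cost(s: Scenario) -> int:
    """Cost of applying the countermeasure to every asset at risk."""
    return s.assets_at_risk * s.control_cost_per_asset


def assess(s: Scenario, acceptable_ale: int = 0) -> dict:
    """Compare ALE with the control cost and with a chosen AALE (assumed input)."""
    return {
        "sle": sle(s), "aro": aro(s), "ale": ale(s),
        "control_cost": control_cost(s),
        "exceeds_aale": ale(s) > acceptable_ale,
        # Assumes the control removes the data-exposure loss entirely.
        "control_cheaper_than_loss": control_cost(s) < ale(s),
    }


# Figures from slides 20 and 21: 400 records, $134 each, 85 laptops, 1 in 14, $389 PGP.
LAPTOPS = Scenario(400, 134, 85, 14, 389)

if __name__ == "__main__":
    for name, value in assess(LAPTOPS).items():
        print(f"{name}: {value}")
```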
22 For More Information
Resources
  Ponemon Institute -
  FBI – Crimes statistics and CSI report -
  Gartner -
  Wikipedia -
  Security Focus -
  PTA – Practical Threat Analysis –
Calculators
  Information Shield -
  Tech 404 –