Page 201 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.

Be able to explain the concept of an exposure factor (EF). An exposure factor is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. By calculating exposure factors, you are able to implement a sound risk management policy.

Know what single loss expectancy (SLE) is and how to calculate it. SLE is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. The formula is SLE = asset value (AV) * exposure factor (EF).

Understand annualized rate of occurrence (ARO). ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realized) within a single year. Understanding AROs further enables you to calculate the risk and take proper precautions.

Know what annualized loss expectancy (ALE) is and how to calculate it. ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset. The formula is ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).

Know the formula for safeguard evaluation. In addition to determining the annual cost of a safeguard, you must calculate the ALE for the asset if the safeguard is implemented. Use the formula: ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard = value of the safeguard to the company, or (ALE1 – ALE2) – ACS.
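The SLE, ALE and safeguard-evaluation formulas above, carried through on a constructed scenario so that several candidate controls for one asset can be compared. This is an added example, not code from the study guide; the asset value, exposure factors, rates of occurrence and safeguard costs are illustrative assumptions.

```python
# Added worked example of the CISSP quantitative risk formulas; all figures are constructed.
from dataclasses import dataclass

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0.0 to 1.0) of the asset lost per realized risk."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year (may be below 1)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: yearly cost to buy, run and maintain the control
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # annualized rate of occurrence once the safeguard is in place

def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS: positive means the control saves more per year than it costs."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
    return (ale_before - ale_after) - sg.annual_cost

def rank_safeguards(asset_value, ef, aro, candidates):
    """Return (name, value) pairs sorted best first; a negative value is not cost-justified."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario: an $800,000 customer database; a ransomware incident destroys half
# of its value (EF = 0.5) and is expected once every four years (ARO = 0.25).
ASSET_VALUE, EF, ARO = 800_000.0, 0.5, 0.25
CANDIDATES = [  # constructed candidate controls and their assumed effect on EF / ARO
    Safeguard("offline backups", annual_cost=20_000, ef_after=0.125, aro_after=0.25),
    Safeguard("endpoint detection", annual_cost=60_000, ef_after=0.5, aro_after=0.0625),
    Safeguard("premium insurance rider", annual_cost=110_000, ef_after=0.0, aro_after=0.25),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        verdict = "justified" if value > 0 else "not cost-justified"
        print(f"{name:24s} {value:>12,.0f}  {verdict}")
```

Here ALE1 is $100,000 a year; the backups return the largest positive value, while the insurance rider removes the whole loss but costs more than the loss it prevents, so (ALE1 – ALE2) – ACS comes out negative.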


Understand qualitative risk analysis. Qualitative risk analysis is based more on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those