
Risk Management Explain the Difference

Last reviewed: July 27, 2011

Risk Management

Explain the difference between a Quantitative and Qualitative Analysis and discuss how to calculate the following: expected loss, single loss expectancy, annualized loss expectancy and safeguard value.

Quantitative analysis is when you look at specific variables (i.e. mathematical formulas) to understand the overall nature of the threats or issues surrounding an IT protocol ("Quantitative Analysis," 2011). Qualitative analysis is when you examine numerous formulas to comprehend the overall scope of the risks facing a particular system. Expected loss is calculated by taking the probability that a certain positive event will happen (usually expressed as a percentage) and adding it to the specific negative situations that could occur. Single loss expectancy is calculated by multiplying the asset value by the exposure factor. To determine the annualized loss expectancy, you multiply the single loss expectancy by the annual rate of occurrence. The safeguard value is determined by subtracting the annualized loss expectancy before the incident from the annualized loss expectancy after an incident; you would then subtract these numbers from the annual safeguard costs (Landoll, 2006, p. 417).
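As an added worked example (not part of the essay or of Landoll's text), the single loss expectancy, annualized loss expectancy and safeguard value formulas from the paragraph above in Python, with safeguard value computed as ALE before the control, minus ALE after it, minus its annual cost. The asset, the three candidate controls and all figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:  # constructed example figures, not taken from any source
    name: str
    value: float             # asset value (AV), in currency units
    exposure_factor: float   # EF: share of AV lost in one incident, 0.0 to 1.0
    aro: float               # annualized rate of occurrence (incidents per year)

@dataclass
class Safeguard:
    name: str
    annual_cost: float       # yearly cost of operating the control
    residual_aro: float      # ARO expected once the control is in place
    residual_ef: float       # EF expected once the control is in place

def single_loss_expectancy(asset):
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.value * asset.exposure_factor

def annualized_loss_expectancy(asset):
    """ALE = SLE x ARO: the expected loss per year at the current ARO and EF."""
    return single_loss_expectancy(asset) * asset.aro

def safeguard_value(asset, safeguard):
    """ALE before the control, minus ALE after it, minus its annual cost."""
    ale_before = annualized_loss_expectancy(asset)
    after = Asset(asset.name, asset.value, safeguard.residual_ef, safeguard.residual_aro)
    ale_after = annualized_loss_expectancy(after)
    return ale_before - ale_after - safeguard.annual_cost

def rank_safeguards(asset, safeguards):
    """(name, value) pairs, best first; a negative value means the control costs more than it saves."""
    scored = [(s.name, safeguard_value(asset, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario: a customer database worth 500,000, 40% of its value lost per breach,
# with a breach expected once every four years (ARO 0.25).
CUSTOMER_DB = Asset("customer database", 500_000, 0.40, 0.25)
CANDIDATES = [
    Safeguard("encryption at rest", 15_000, 0.25, 0.10),    # same ARO, much smaller EF
    Safeguard("network segmentation", 20_000, 0.05, 0.40),  # same EF, far fewer incidents
    Safeguard("24x7 managed SOC", 60_000, 0.02, 0.40),      # effective, but its cost exceeds the saving
]

if __name__ == "__main__":
    for name, value in rank_safeguards(CUSTOMER_DB, CANDIDATES):
        print(f"{name}: {value:,.0f} per year")
```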

Describe the differences between the following risk assessment methods: FAA Security Risk Management Process, OCTAVE, FRAP, CRAMM, and NSA IAM.

The FAA Security Risk Management Process was designed to provide everyone with a workable solution for understanding the risks facing a particular protocol throughout the life cycle management procedure. It provides a qualitative method for the various levels of formulas, descriptions and calculations. OCTAVE establishes a process with guidelines, timelines, checklists and a methodology description for a security assessment procedure. It includes a number of different phases, most notably asset-based threat profiles, infrastructure vulnerability identification and security strategy development. FRAP uses the qualitative method to understand the nature of the threat in a three-step process over the course of ten days. CRAMM is a qualitative tool that examines the methodology, computations and reporting of various computation models. The NSA IAM is a risk assessment tool that assesses risks through pre-assessment procedures, an onsite visit and post-assessment analysis. This usually takes place with two to three people conducting the examination (Landoll, 2006, pp. 427-430).

If you could, which security reporting methodology would you recommend to promote an organizational security culture in which stakeholders are more knowledgeable and proactive about threats to information security? Discuss this question as a group.

The most effective security reporting procedure is to use the OCTAVE-based methodology. The reason is that it utilizes solutions that address the total nature of the threat more fully than the others do. For any kind of organization, this helps it to understand what kinds of issues it could be facing and the impact they will have on the entity itself. At the same time, it provides a workable formula that can be continually utilized through the various checklists and procedures that have been established. When these different elements are put together, they illustrate how this kind of approach will help an organization to deal effectively with a variety of threats, while allowing it to train personnel to understand the overall nature of what is taking place and how to quickly adjust to changes that are occurring. This is the point at which an entity is able to adapt to the various threats it faces.

Define which reporting methodologies are more appropriate and in what settings. Technical Security reporting or Security management assessment reporting. How do compliance initiatives affect the reporting methodology selected for a given Security Risk Assessment?

PaperDue. (2011). Risk Management Explain the Difference. PaperDue. https://paperdue.com/essay/risk-management-explain-the-difference-43611
