This document discusses risk analysis and management principles. It defines key terms like threat, vulnerability, risk, and safeguards. It explains how to calculate risk by multiplying threat by vulnerability. It also provides examples of how to calculate annualized loss expectancy and total cost of ownership for safeguards. Finally, it discusses how to determine return on investment and choose between risk acceptance, mitigation, transfer, or avoidance options.

1. Onur YÜKSEKTEPELİ
Bilgi Güvenliği Danışmanı
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli

2. Risk Analysis and Management
Risk Management – Principles and Guidelines
ISO 31000:2009

3. Unique Terms and Definitions
Annualized Loss Expectancy - The Cost of loss due to a Risk over a year
Threat – A Potentially negative occurence
Vulnerability – A Weakness in a System
Risk – A Matched Threat and Vulnerability
Safeguard – A Measure taken to Reduce Risk
Total Cost of Ownership – The Cost of a Safequard
Return of Investment – Money Saved by deploying a Safeguard

4. What is Risk?
Risk = Threat x Vulnerability

5. Example: Earthquake Disaster Risk Index
San Francisco – Near the Pasicific Ocean
Boston - Northeast
San Francisco Threat, 4
San Francisco vulnerability, 2
San Francisco risk = 4 x 2 = 8
Boston Threat, 2
Boston Vulnerability, 4
Boston Risk = 2 x 4= 8
Rachel Davidson Earthquake Disaster Risk Index
http://www.sciencedaily.com/releases/1997/08/970821233648.htm

6. IMPACT
 Severity of the Damage
Risk = Threat x Vulnerability x Impact
Empty Building Risk = 2 (threat) x 4 (vulnerability) x 2 (impact) = 16
Full Building Risk = 2 (threat) x 4 (vulnerability) x 5 = 40

7. Risk Analysis Matrix

8. Calculating Annualized Loss Expectancy

9. Calculating Annualized Loss Expectancy
ALE = Annual Cost of a loss due to risk
Asset Value= Value of the asset you are trying to protect
Stolen Computer Example:
Hardware Cost = 2500$
Data Cost = 22.500$
Asset Value = 25000$
Asset Value
 Market Approach
 Income Approach
 Cost Approach

10. Calculating Annualized Loss Expectancy
 Exposure Factor
The Percentage of value an asset lost due to an incident.
Exposure Factor of Stolen Computer = %100
Singel Loss Expectancy (SLE)
The Cost of a single loss.
SLE = Asset Value (25000$) x Exposure Factor(%100) = 25000$
 Annual Rate of Occurrence (ARO)
Number of losses you suffer per year.
ARO = 11
Annualized Loss Expectancy
ALE = SLE (25000) x ARO (11) = 275000$

11. Total Cost of Ownership
Total Cost of Ownership (TCO) is the total cost of a mitigating safequard.
Total Cost of Ownership must contain;
• One – Time capital expense
• Annual Cost
• Staff Hours
• Ventor Maintenance fees
• Software Subscriptions etc.

12. Total Cost of Ownership
1000 Laptops
Software = $100/laptop = 100000$
Annual Support Fee = %10 Annually 10000$
4000 Staff Hours
$50 / hour
$20 / hour
$70/ hour x 4000 = 280000$
3 Years Technology Refresh Cycle
Software Cost = $100000
3 Years of Vendor Support = $10000 x 3 = $30000
Hourly Staff Cost = $280000
TCO for 3 Years = $410000
TCO per Year = $410000 / 3 = 136,667/year

13. Return of Investment
The Amount of Money saved by implementing a safeguard.
TCO < ALE – Postive ROI, Good Choice
TCO > ALE – Negative ROI, Poor Choice
TCO = $136,667
ALE = $275,000
After Encryption Implement
Asset Value = $25000 - $22500 = 25000
Exposure Factor = %10
$275000 * %10 = $27,5000
By Making Investment
You Save;
Old ALE ($275,000) – New ALE ($27,500) = $247,500
Your ROI = $247,500 - $136,667 = $110,833

14. Risk Choice
Accept the Risk
Mitigate the Risk
Transfer the Risk
Risk Avoidance

15. Onur YÜKSEKTEPELİ
Bilgi Güvenliği Danışmanı
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli