Quantitative analysis and qualitative analysis are going to be the mechanisms, the methods we use to determine impact. Quantitative analysis is a numerical measure, usually with dollar values associated with it so that we can distill down and measure what the financial impact potentially, of the particular threat in this case that we're talking about being realized, is going to have. Quantitative impact analysis assigns a dollar value. How do we do that? We have what's known as a Quantitative Risk Formula. The formula is going to be Annualized Loss Expectancy, what's commonly referred to as ALE; the items, the acronyms in the parentheses, are just the acronyms referring to the elements of the formula. So Annualized Loss Expectancy or ALE is made up of two contributing parts, Single Loss Expectancy, SLE, S-L-E, multiplied by Annualized Rate of Occurrence or ARO. So the formula is traditionally referred to as ALE equals SLE times ARO. Let's walk through an example of this just to give you a sense of how we would quantitatively do an impact assessment. Let's say that we have a company called ABC Corp., and let's say that ABC Corp. is doing a risk assessment. They're working through this whole process and they're looking at the impact portion of this, determining impact as we are. And they want to understand what would happen if a bad actor, a threat source, was able to overcome a control, a firewall, and break into the internal network and is able to do that to steal information. What would the outcome of that be? Well, we'd have to know a couple of things. First of all, we'd have to know how often over a year-long period we think that that attack would take place and be successful. That's the Annualized Rate of Occurrence, how many times it would occur over a given year, the ARO value. Let's say that it occurs four times, once a quarter. Every quarter at least one time, we think that we will see a successful breach in the firewall. Okay, no problem.
We're going to put that over here in the corner and we're going to just make a little note here, I'm going to just get my pen out, allow me to just grab some ink, and we're going to say that ARO is going to be equal to four times, four times. Now, we have to figure out what the Single Loss Expectancy is going to be. When one of these events occurs, how much does it cost us? Well, we go back to the scenario: ABC Corp. got a firewall, somebody is going to try to break in, if they break in, they're going to be able to do that probably four times over a given year. What's going to happen when they break in? They're going to steal some stuff. Okay. What are they going to steal? They'll steal some information. How much does that cost us when they do it? Every time they steal that information, it costs us $2,000. Okay, no problem. Single Loss Expectancy is going to be equal to $2,000. I'm just going to put right over here, little dollar sign and I'm going to put, looks more like two dollars than 2,000, just going to have to bear with me here because I'm free handing this, $2,000, that will be close enough. So $2,000. So Annualized Loss Expectancy, ALE, is made up of multiplying what the Single Expectancy for a single hit is going to be, times the number of times that it will occur over a given year. Well, if the Single Expected Loss is 2,000 US, and it happens four times a year, then if we multiply those two together, what do we get at the bottom? We should get, thought your [inaudible] there on the eight for a second, because I went off track. We should get $8,000, and that would equal the Annualized Loss Expectancy. Meaning in our little example, it's going to cost us $8,000 a year US, if we allow this to occur. Now that's the quantitative risk formula, that's how we measure impact. So we say, okay, great, it's going to cost us $8,000 if we don't do anything.
Now that's all part of the equation, it's only part of what we got to do because now we have to take that $8,000 and what we have to do, we're going to switch colors here to represent this so, let's just pull up a different color. What we now have to do is look at what's known as the cost of the countermeasure, right. And the cost of the countermeasure, I'm going to call countermeasure CM just for purposes of writing it out here in short. The cost of the countermeasure is something we got to weigh, or the control that we're going to put in place to prevent this from happening is the countermeasure, we've got to weigh this because if the cost of the countermeasure is going to be equal to, or less than $8,000, it's a good deal because if we implement that over the course of a year or a little bit less depending on how much it costs, we're going to get our money back. If however, it costs us more than 8,000, we may have to wait longer to get our money back, and we have to weigh how long this system is going to be available and how often this attack is going to occur and be successful against how much we want to spend to stop it. And so the cost of the countermeasure, let's just say hypothetically in our first example, is going to be $6,000. Well, if it's $6,000 then when we do the comparison we're going to see that it's going to be cheaper than the actual attack will cost for the whole year. In other words, the countermeasure is going to hurt us less. As a matter of fact, if we allow the attack to go on for three quarters, it will cost us $6,000. So if we spend 6,000 to implement a countermeasure and we use that countermeasure for longer than nine months, we've actually made our money back. It's a good deal because going into the last quarter of the year, it would have cost us another $2,000 if that attack was successful.
However, if the countermeasure instead cost us twice that, cost us $12,000, it's still maybe a good deal but now we got to think about whether or not we're going to run this system, this firewall, long enough to recoup our money. In other words, that $2,000 a quarter, $8,000 a year, the countermeasure is going to cost us roughly a year and a half's worth of use, going to cost us 18 months to recoup or to break even, and then we got to run it another four months past that in order to get our money back. So as a result of that, what we want to understand is that if we're going to retire this firewall in less than a year and a half, it may actually be cheaper to let the attacks take place than to spend the money on the countermeasure, because a countermeasure will cost us more money. So we have to weigh the cost of the countermeasure, as part of the quantitative risk assessment formula when we determine impact. It becomes very important for us to be able to understand how to do. What do you need to know about this? Well, you need to understand the formula first of all, ALE equals SLE times ARO, you should be able to apply the formula in the way I just did given a word problem. Extract all the meaningful numbers and multiply for or solve for whatever value is missing, just like percentage, rate and time problems, which tend to give you two, you've got to solve for the third, got to figure out how to do that. You may be given the Annualized Loss Expectancy and ARO, you may have to divide to get the Single Loss Expectancy. There's lots of ways to do this, figure it out, make sure you know how to manipulate the formula. You also need to understand how to use the formula, to derive an understanding of whether a countermeasure is going to be a good or a bad choice based on the dollar value of the countermeasure, against the impact, the dollar value of the impact. Make sure you understand how to do all that. Very, very important.
Obviously from your perspective, a lot of information to take in, lot of things to consider, lot of things that you probably want to make sure you are comfortable with. It will be a good idea for you to go back over this conversation, make some notes and have a general sense of what we're talking about because again this is pretty important stuff. This is the stuff that an SSCP is going to have to know how to do, if they want to be able to claim that title and put those letters after their names, could be very important.
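The ABC Corp. walkthrough from the lecture, as an added example that is not part of the original transcript: it solves ALE = SLE x ARO for whichever value is missing and checks a countermeasure's break-even point against how long the system will stay in service. The function names, the 12- and 24-month service lives, and the treatment of the countermeasure as a one-time cost that stops the loss entirely are assumptions made for illustration.

```python
def solve_risk(ale=None, sle=None, aro=None):
    """Given exactly two of ALE ($/year), SLE ($/event), ARO (events/year), fill in the third."""
    if sum(v is not None for v in (ale, sle, aro)) != 2:
        raise ValueError("supply exactly two of ale, sle, aro")
    if ale is None:
        ale = sle * aro
    elif sle is None:
        if aro == 0:
            raise ValueError("ARO of 0 leaves SLE undetermined")
        sle = ale / aro
    else:
        if sle == 0:
            raise ValueError("SLE of 0 leaves ARO undetermined")
        aro = ale / sle
    return {"ale": ale, "sle": sle, "aro": aro}


def breakeven_months(cm_cost, ale):
    """Months of avoided loss needed to pay back a one-time countermeasure cost (assumed model)."""
    if ale <= 0:
        raise ValueError("no expected loss, so the countermeasure never pays back")
    return 12 * cm_cost / ale


def assess_countermeasure(cm_cost, ale, service_life_months):
    """Compare the countermeasure cost with the loss it avoids over the system's remaining life."""
    avoided = ale * service_life_months / 12
    return {
        "breakeven_months": breakeven_months(cm_cost, ale),
        "net_saving": avoided - cm_cost,
        "worthwhile": avoided >= cm_cost,
    }


if __name__ == "__main__":
    # Figures from the lecture: SLE $2,000, ARO 4 per year.
    risk = solve_risk(sle=2000, aro=4)
    print("ALE:", risk["ale"])
    # Solving the other way round, as a word problem might ask.
    print("SLE from ALE and ARO:", solve_risk(ale=8000, aro=4)["sle"])
    # Lecture's two countermeasure prices; service lives are constructed values.
    for cost, life in [(6000, 12), (12000, 12), (12000, 24)]:
        print(cost, life, assess_countermeasure(cost, risk["ale"], life))
```
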