Quantitative Risk Analysis
The quantitative method results in concrete probability indications or a numeric indication of relative risk potential. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. This report is usually fairly easy to understand, especially for anyone with knowledge of spreadsheets and budget reports. Think of quantitative analysis as the act of assigning a quantity to risk—in other words, placing a dollar figure on each asset and threat impact. However, a purely quantitative analysis is not sufficient—not all elements and aspects of the analysis can be accurately quantified because some are qualitative, subjective, or intangible.
The process of quantitative risk analysis starts with asset valuation and threat identification (which can be performed in any order). This results in asset-threat pairings that need to have estimations of harm potential/severity and frequency/likelihood assigned or determined. This information is then used to calculate various cost functions that are used to evaluate safeguards.
The major steps or phases in quantitative risk analysis are as follows (see Figure 2.3, with terms and concepts defined after this list of steps):
1. Inventory assets, and assign a value (asset value [AV]).
2. Research each asset, and produce a list of all possible threats to each individual asset. This results in asset-threat pairings.
3. For each asset-threat pairing, calculate the exposure factor (EF).
4. Calculate the single loss expectancy (SLE) for each asset-threat pairing.
5. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
6. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
7. Research countermeasures for each threat, and then calculate the changes to ARO, EF, and ALE based on an applied countermeasure.
8. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
The cost functions associated with quantitative risk analysis include the following:
Exposure Factor The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The EF can also be called the loss potential. In most cases, a realized risk does not result in the total loss of an asset. The EF simply indicates the expected overall asset value loss because of a single realized risk. The EF is usually small for assets that are easily replaceable, such as hardware. It can be very large for assets that are irreplaceable or proprietary, such as product designs or a database of customers. The EF is expressed as a percentage. The EF is determined by using historical internal data, performing statistical analysis, consulting public or subscription risk ledgers/registers, working with consultants, or using a risk management software solution.
Single-Loss Expectancy The single-loss expectancy (SLE) is the potential loss associated with a single realized threat against a specific asset. It indicates the potential amount of loss an organization would or could experience if an asset were harmed by a specific threat occurring.
The SLE is calculated using the following formula:
SLE = asset value (AV) * exposure factor (EF)
or more simply: SLE = AV * EF
The SLE is expressed in a dollar value. For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the SLE of the threat for that asset is $90,000. It is not always necessary to calculate an SLE, as the ALE is the most commonly needed value in determining criticality prioritization. Thus, sometimes during risk calculation, SLE may be skipped entirely.
Annualized Rate of Occurrence The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. The ARO can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. Calculating the ARO can be complicated. It can be derived by reviewing historical internal data, performing statistical analysis, consulting public or subscription risk ledgers/registers, working with consultants, or using a risk management software solution. The ARO for some threats or risks is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat. ARO is also known as a probability determination. Here’s an example: the ARO of an earthquake in Tulsa may be .00001, whereas the ARO of an earthquake in San Francisco may be .03 (for a 6.7+ magnitude), or you can compare the ARO of an earthquake in Tulsa of .00001 to the ARO of an email virus in an office in Tulsa of 10,000,000.
Annualized Loss Expectancy The annualized loss expectancy (ALE) is the possible yearly loss of all instances of a specific realized threat against a specific asset. The ALE is calculated using the following formula:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
or ALE = asset value (AV) * exposure factor (EF) * annualized rate of occurrence (ARO)
or more simply: ALE = SLE * ARO or ALE = AV * EF * ARO
For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. If the ARO for a specific threat (such as compromised user account) is 15 for the same asset, then the ALE would be $1,350,000.
The task of calculating EF, SLE, ARO, and ALE for every asset and every threat/risk is a daunting one. Fortunately, quantitative risk assessment software tools can simplify and automate much of this process. These tools produce an asset inventory with valuations and then, using predefined AROs along with some customizing options (industry, geography, IT components, and so on), produce risk analysis reports.
Once an ALE is calculated for each asset-threat pairing, then the entire collection should be sorted from largest ALE to smallest. Although the actual number of the ALE is not an absolute number (it is an amalgamation of intangible and tangible value multiplied by a future prediction of loss multiplied by a future prediction of likelihood), it does have relative value. The largest ALE is the biggest problem the organization is facing and thus the first risk to be addressed in risk response.
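The following is an added worked example, not code from the book, that carries steps 3 through 8 through in Python using the figures above (AV of $200,000, EF of 45 percent, ARO of 0.5 for total power loss and 15 for a compromised user account). The asset name, the safeguard and its annual cost are constructed placeholders; the net-benefit line uses the standard form (ALE before minus ALE after, minus the annual cost of the safeguard), which this page defers to the later cost/benefit section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pairing:
    """One asset-threat pairing with the inputs the quantitative method needs."""
    asset: str
    threat: str
    av: float   # asset value in dollars
    ef: float   # exposure factor as a fraction 0.0-1.0 (share of AV lost per realized threat)
    aro: float  # annualized rate of occurrence (expected realizations per year)


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO = AV * EF * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def rank_by_ale(pairings):
    """Sort pairings largest ALE first; the top entry is addressed first in risk response."""
    return sorted(pairings, key=lambda p: ale(p.av, p.ef, p.aro), reverse=True)


def countermeasure_value(before: Pairing, ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Steps 7-8: recompute ALE with the safeguard's EF/ARO, then return the net annual
    benefit = (ALE before - ALE after) - annual cost of the safeguard."""
    reduction = ale(before.av, before.ef, before.aro) - ale(before.av, ef_after, aro_after)
    return reduction - annual_cost


# Constructed sample inventory built from the page's figures (asset name is a placeholder).
PAIRINGS = [
    Pairing("customer database server", "total power loss", 200_000, 0.45, 0.5),
    Pairing("customer database server", "compromised user account", 200_000, 0.45, 15),
]

if __name__ == "__main__":
    for p in rank_by_ale(PAIRINGS):
        print(f"{p.threat:26s} SLE=${sle(p.av, p.ef):>12,.2f} ALE=${ale(p.av, p.ef, p.aro):>14,.2f}")
    # Hypothetical safeguard: MFA assumed to cut the account-compromise ARO from 15 to 1 at $20,000/year.
    print(f"net annual benefit of MFA: ${countermeasure_value(PAIRINGS[1], 0.45, 1, 20_000):,.2f}")
```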
The “Cost vs. Benefit of Security Controls” section, later in this chapter, discusses the various formulas associated with quantitative risk analysis that you should be familiar with.
Both the quantitative and qualitative risk analysis mechanisms offer useful results. However, each technique involves a unique method of evaluating the same set of assets and risks. Prudent due care requires that both methods be employed in order to obtain a balanced perspective on risk. Table 2.1 describes the benefits and disadvantages of these two systems.
TABLE 2.1 Comparison of quantitative and qualitative risk analysis
Characteristic | Qualitative | Quantitative
Employs math functions | No | Yes
Uses cost/benefit analysis | May | Yes
Requires estimation | Yes | Some
Supports automation | No | Yes
Involves a high volume of information | No | Yes
Is objective | Less so | More so
Relies substantially on opinion | Yes | No
Requires significant time and effort | Sometimes | Yes
Offers useful and meaningful results | Yes | Yes
At this point, the risk management process shifts from risk assessment to risk response. Risk assessment is used to identify the risks and set criticality priorities, and then risk response is used to determine the best defense for each identified risk.