This blog provides clarifying information related to IPSec as found on the Security+ exams.
Allow me to recap my goal with this series:
Although CompTIA exams are heavily based upon the published exam objectives, CompTIA tends to expand target material by exposing candidates to potential content on their certification exams. Although such questions are not supposed to count toward the exam score, they may be considered valid or may be mere distractions. If they occur on one of the more time consuming simulation questions they can be rather disruptive to the candidate’s focus.
Since the exam objectives may lag technology introduction by three years or more, you may find it beneficial to consider technology extensions to existing exam objectives during your certification preparations. In that light, I will be providing a growing series that introduces new or potentially expanding content.
For instructor-led CompTIA classes, see our course schedule.
My goal here is to extend the knowledge you may choose to develop when preparing for CompTIA entry level certification exams relative to Risk Analysis content.
One of the primary stated objectives of the CompTIA Security+ SY0-401 exam is:
“ The CompTIA Security+ exam will certify that the successful candidate has the knowledge and skills required to identify risk, to participate in risk mitigation activities, and to provide infrastructure, application, information, and operational security.”
Clearly risk management is a significant topic, ask risk value calculations will always be on the certification exam in some form. Within the detailed Exam Objectives, this blog covers the following material.
2.0 Compliance and Operational Security
2.1 Explain the importance of risk related concepts.
- Risk calculation
I actually prefer the PMBOK 5th Edition approach to calculating risk value better, and teach it within my Security+ classes.
Risk is defined by three elements: a risk event , the probability of the event happening and the impact (positive or negative) on the business outcome if the risk does actually occur. The risk event is an action or activity that has an uncertain outcome. Hence the probability (P) of various outcomes, and the impact (I) for each outcome. The multiplication of P*I yields an Expected Monetary Value (EMV) that is either positive or negative based on the impact (being a negative/loss or positive/gain). Each risk is actually a cumulative outcome of all the EMV’s.
CompTIA refers to P as likelihood and I as Impact, using the same term for outcome value.
So Likelihood Times Impact or Probability Times Impact both yield a cost associated with risk occurrence that may be used to plan the budget for risk preparation or response.
One can value risk quantitatively if you have a numeric value for the probability of an event occurring, and a monetary value for the Impact should the event occur. Methodologies include computer based simulation and manual reproductions called modeling. If you use a computer to determine the possible outcome of 1,000 coin tosses you would call it simulation. If you toss a coin 1,000 times and record the results, you call it modeling. Mathematical models like decision or probability trees are also considered quantitative risk methodologies.
Qualitative risk analysis attempts to arrive at an EMV as well, although without the benefit of starting values for the Probability or Impact. You effectively want to rank the probabilities, giving the highest likelihood a value close to 1.0 (100%) and the lowest closer to zero. You do the same for Impact, using a scale where total value loss is the highest point on the scale, and zero loss is the lowest. The simplest example of qualitative risk analysis is a Stanine sort. Sort all of the outcomes into three categories, high-medium-low. Then sort each of the categories into three subcategories. You end up with HH-MH-LW-HM-MM-LM-HL-ML-LL. You now have 9 categories which can be assigned the values of .9 to .1, respectively. You have converted a qualitative starting point to a quantitative scale. You do the same sort process with impacts, yielding 9 position scale from no loss to total loss. You now multiply the P * I and achieve a relative EMV.
Although it is not on the CompTIA Security+ list of objectives, you want to be aware of the term MTTO. MTTO – Mean Time to Obsolescence is effectively total loss of the value for the event or business objective. (Project management would relate this to BAC – Budget at Completion.)
The goal is to prepare for and respond to any risk before MTTO is reached. MTTO would suggest total project or business failure as an outcome of the risk event, or at least an unchecked or recovered risk event.
CompTIA likes to ask questions about the recovery timeline using the following terms. You want to be clear regarding their meanings.
- MTD – Maximum Tolerable Downtime, is nearly equivalent to MTTO. If you reach MTD, you are nearly at system or business failure without the possibility of viable recovery.
- RPO – Recovery Point Objective, is the point following a risk event at which recovery efforts begin. Note: The RPO might be before the event, for instance the point at which a full backup or recovery image was captured.
- RTO – Recovery Time Objective, is the length of time that business operations can be resumed following a risk event.
- MTBF – Mean time Between Failures, is the average time between the occurrences of a risk event.
- MTTF – Mean time to Failure, is the average time before failure, typically of a non-repairable system. Note: This suggests the system or a component would need to be totally replaced. Think thread-bare tires on your car. You determine the average time before they are useless and aim to replace them beforehand.
- MTTR – Mean Time to Recover, is the average time it takes to recover from a specific risk event.
One simple way to consider the relative terms is the following timeline.
Note that relative placement and durations will vary based on the nature of the event and the recovery process selected.
The other math associated with Risk Analysis uses the remaining three variables in the Objectives list: SLE, ARO, and ALE.
- SLE – Single Loss expectancy. The Impact of a single loss event.
- ARO – Annual Rate of Occurrence, or how often the occurrence happens within a 12 month period. Note: They may provide the actual rate, or they may suggest how frequently the event occurs (e.g. weekly, monthly, quarterly) and you will have to translate.
- ALE – Annual Loss Expectancy. The cumulative loss based on related event occurrences during a calendar year.
SLE * ARO = ALE for instance a $25,000 event that happens only once every four years would yield
$25,000 * .25 = $6250 as the annualized loss.
If the ARO was quarterly, then you would calculate $25,000 * 4 = $100,000.
That cover the Risk Analysis Calculations. Pretty simple, as long as you understand the terminology.
Steve teaches PMP: Project Management Fundamentals and Professional Certification, Windows 10, Windows 7, Windows 8.1 and CompTIA classes in Phoenix, Arizona.