
Lab: Risk Identification and Risk Analysis (Qualitative and Quantitative)

This lab focuses on identifying assets and risks in a given scenario, and analysing them using both qualitative and quantitative methods.

You are not required to perform full threat modelling - that will be covered next week.

You can use this TEMPLATE


Learning Objectives

By completing this lab, you will be able to:

  • Identify key information assets and their associated risks
  • Recognise realistic threat scenarios and define clear risk statements
  • Perform qualitative and quantitative risk analysis using structured scales
  • Prioritise risks and recommend treatment strategies

Task 1: Online Bookstore Risk Analysis

Scenario

Acme Books is a small independent online bookstore where customers:

  • Browse book catalogues
  • Place online orders
  • Pay securely via credit/debit card
  • Receive confirmation emails

As an example, explore https://www.waterstones.com.


Step 1: Identify Assets

Think about what the business relies on most. Consider data (e.g., customer details), services (e.g., payment gateway), and infrastructure (e.g., the website itself).

Identify at least three assets critical to Acme Books’ operations.

| Asset | Type (Data/Service/Infra) | Business Role |
|---|---|---|

Step 2: Define Risk Statements

Now that you have listed your assets, think carefully about what could realistically go wrong with each one. Consider:

  • Failures (e.g., server crash, data corruption)
  • Attacks (e.g., SQL injection, stolen credentials)
  • Outages (e.g., payment service unavailable, email not delivered)

For each identified asset, describe a potential risk using this structure:
An adverse event affecting [asset] could lead to [impact], occurring with [likelihood].

Write at least two complete risk statements.

| Event / Condition | Target Asset | Risk Statement |
|---|---|---|
| Payment system outage | Payment service | An outage of the payment system could stop all transactions, leading to lost revenue during peak sales. |

Step 3: Qualitative Risk Analysis

Note: the impact score is referred to as \( V_{\text{Qual}} \) or \( I_{\text{Qual}} \).

Now evaluate your identified risks subjectively, using the scales below.

  • Likelihood: How often the risk might occur (Rare → Certain).
  • Impact: How severe the consequences would be (Insignificant → Disastrous).

Assign each risk a \( P_{\text{Qual}} \) (likelihood score) and \( V_{\text{Qual}} \) (impact score), then combine them into a qualitative risk level (Low, Medium, High, or Extreme).


Likelihood Scale

| Score | Likelihood | Interpretation |
|---|---|---|
| 5 | Certain | Motivated threat actors can easily execute the threat scenario. Incident likely within a week. |
| 4 | Likely | Threat actors are likely to succeed. Incident may occur within a few months. |
| 3 | Possible | Feasible under some conditions. Incident may occur every couple of years. |
| 2 | Unlikely | Low opportunity for success. Incident might occur once in decades. |
| 1 | Rare | No practical opportunity. Incident is highly improbable. |

Impact Scale

| Score | Impact Level | Interpretation |
|---|---|---|
| 5 | Disastrous | Severe harm to assets, services paralysed, major financial loss, possible bankruptcy. Long-term recovery needed. |
| 4 | Major | Major harm, serious service interruption, and high financial loss. Considerable recovery resources required. |
| 3 | Significant | Noticeable asset damage, service interruption, and financial loss. Recovery needs structured effort. |
| 2 | Minor | Limited damage with little to no service impact. Small financial loss; manageable with moderate resources. |
| 1 | Insignificant | Negligible harm, no service interruption, handled within routine operations. |

Risk Matrix Table

Use the two scales above to complete the table. Add a justification for each score you assign.

| Risk Description | \( P_{\text{Qual}} \) | \( V_{\text{Qual}} \) | \( R_{\text{Qual}} \) (Score) | Risk Level (L/M/H/E) | Justification |
|---|---|---|---|---|---|
| Payment system outage | 3 | 4 | 7 | High | Outage could occur every few years but would cause major financial loss during peak sales. |

Step 4: Quantitative Risk Analysis

Convert your qualitative scores into numbers using the same method shown in the lecture.
This gives an estimate of the expected annual loss in monetary terms, so that risks can be compared more precisely.


Formulas

  • \( P_{\text{Quant}} \) (likelihood as frequency)
    \[ P_{\text{Quant}} = N \cdot 10^{(P_{\text{Qual}} - 5)} \]
    where \( N = 50 \) (baseline = 50 events/year at “Certain”)

  • \( V_{\text{Quant}} \) (impact as financial value)
    \[ V_{\text{Quant}} = M \cdot 10^{(V_{\text{Qual}} - 5)} \]
    where \( M = £10{,}000{,}000 \) (maximum impact for “Disastrous”)

  • \( R_{\text{Quant}} \) (quantitative risk value)
    \[ R_{\text{Quant}} = P_{\text{Quant}} \times V_{\text{Quant}} \]


Risk Calculation Table

Take your qualitative scores (\( P_{\text{Qual}} \), \( V_{\text{Qual}} \)) from Step 3 and apply the formulas to fill in the table.

| Risk Description | \( P_{\text{Qual}} \) | \( V_{\text{Qual}} \) | \( P_{\text{Quant}} \) (Events/year) | \( V_{\text{Quant}} \) (£) | \( R_{\text{Quant}} \) (£) |
|---|---|---|---|---|---|
| Payment system outage | 3 | 4 | 0.5 | £1,000,000 | £500,000 |

In this example, a “Possible” outage (\( P_{\text{Qual}} = 3 \)) translates to about once every two years (0.5 events/year), and a “Major” impact (\( V_{\text{Qual}} = 4 \)) is valued at £1,000,000. The expected annual loss is therefore £500,000.


Step 5: Reflection

After completing both qualitative and quantitative analyses, reflect on your results. Answer the following in your report:

  1. Highest risk (qualitative): Which risk had the highest score in the qualitative matrix? Why did you assign it this score?
  2. Highest risk (quantitative): Which risk produced the highest monetary value (\( R_{\text{Quant}} \))? What does this number represent in practical terms for the business?
  3. Comparison: Do the qualitative and quantitative rankings highlight the same risk, or are they different? Explain why this might be the case.
  4. Strengths and weaknesses: Which method (qualitative or quantitative) do you think is more useful for this scenario, and why? Consider aspects such as clarity, precision, and decision-making.
  5. Practical insight: If you were advising the company, which risk would you recommend addressing first, and what kind of treatment (reduce, transfer, retain, avoid) might be appropriate?

Notes

  • Use realistic examples when naming assets (e.g., “Customer Database” instead of just “Database”).
  • Be concise in your justifications — a few sentences are enough.
  • Focus on identification and evaluation — full modelling and mitigation are covered in the next lab.

Task 2: DVWA Risk Analysis

In this task you will analyse the Damn Vulnerable Web Application (DVWA).

DVWA Lab Environment Setup

DVWA can be run easily using Docker, which is lightweight and avoids compatibility issues.

Also, in your own time, you are encouraged to explore and test common web vulnerabilities using DVWA to deepen your understanding.


1. Install Docker

You must install Docker before running DVWA. Choose your operating system below.

Windows

  1. Download and install Docker Desktop from:
    https://www.docker.com/products/docker-desktop

  2. During installation, ensure WSL 2 is enabled if prompted.

  3. After installation, open PowerShell or Command Prompt and verify Docker is installed:

    docker --version
    
  4. If you see the Docker version number, you’re ready to proceed.


Linux (Ubuntu/Debian)

If you are using a Linux virtual machine inside VirtualBox, you must ensure your VM has Internet connectivity so that Docker can download the DVWA image.

  • You can download a Linux VM from here, or review the Week-1 lab on how to install one from here.

Check or Configure Network Settings

  1. In VirtualBox, select your VM → Settings → Network.

  2. Under Adapter 1, choose one of the following:

    • NAT (Default): simplest option; provides Internet through your host system.
    • NAT Network: allows communication between multiple VMs and access to the Internet.
      If you use a NAT Network, make sure DHCP is enabled: go to File → Tools → Network Manager → NAT Networks → Edit → tick Enable DHCP.

    More info can be found in the Week-1 Lab, see here.

  3. Click OK and start the VM.

  4. If you are using a standard Kali Linux image, the default username and password are both: kali.

  5. Open Terminal and run the following commands:

    sudo apt update
    sudo apt install docker.io -y
    sudo systemctl enable docker
    sudo systemctl start docker
    
  6. Verify installation:

    docker --version
    
  7. If successful, Docker is ready.


macOS

  1. Download and install Docker Desktop from:
    https://www.docker.com/products/docker-desktop

  2. Open Terminal and verify:

    docker --version
    

2. Run DVWA using Docker (All Platforms)

Once Docker is installed, you can run DVWA the same way on any system. The sudo prefix in the commands below is only needed on Linux when your user is not in the docker group; on Windows (PowerShell) and macOS with Docker Desktop, run the commands without sudo.

Step 1 – Download the DVWA Image

sudo docker pull vulnerables/web-dvwa

This downloads the official DVWA image from Docker Hub.


Step 2 – Run the DVWA Container

sudo docker run -d -p 8080:80 --name dvwa vulnerables/web-dvwa

Explanation of options:

  • -d → run in background
  • -p 8080:80 → map port 8080 on your host to DVWA’s port 80
  • --name dvwa → assigns a name for easier management

Step 3 – Access DVWA

Once the container starts, open your web browser and go to:

http://localhost:8080

Login credentials:

  • Username: admin
  • Password: password

You should now see the Damn Vulnerable Web Application (DVWA) login page.

Note:
The first time you log in to DVWA, you may see a message asking you to set up or reset the database.
This is normal — simply click the "Create / Reset Database" button and wait a few seconds.
Once the setup completes, you’ll be redirected to the DVWA login page again.
Log in with the same credentials (admin / password) to start using the application.


Manage the Container (If needed)

Stop DVWA:

docker stop dvwa

Restart DVWA:

docker start dvwa

Remove DVWA:

docker rm -f dvwa

List running containers:

docker ps

Troubleshooting (If needed)

1. Docker command not found

sudo systemctl start docker
sudo systemctl enable docker

2. Port 8080 already in use

Run DVWA on another port. If the earlier docker run already created a container named dvwa, remove it first (docker rm -f dvwa), otherwise the name conflict will stop the new container from being created:

docker run -d -p 9090:80 --name dvwa vulnerables/web-dvwa

Then access it at:
http://localhost:9090

3. WSL 2 not enabled on Windows

Enable WSL 2 by following Docker’s official guide:
https://docs.docker.com/desktop/install/windows-install/

4. DVWA page not loading

  • Check if the container is running:
    docker ps
    
  • Restart Docker Desktop or your machine if needed.
  • Ensure antivirus/firewall is not blocking port 8080.

You’re ready!
DVWA should now be running locally — you can begin your vulnerability testing and risk assessment exercises.


Now Back to Risk Analysis

Step 1: Identify Assets

Explore the DVWA environment and identify at least three assets.

Perhaps you can do some research about DVWA.

| Asset | Type (Data/Service/Infra) | Business Role |
|---|---|---|

Step 2: Define Risk Statements

Think about what could go wrong in DVWA. Consider:

  • Attacks (SQL injection, brute force).
  • Failures (database crash).
  • Misconfigurations (weak login).

Write at least two risk statements using the template:
An adverse event affecting [asset] could lead to [impact], occurring with [likelihood].

| Event / Condition | Target Asset | Risk Statement |
|---|---|---|

Step 3: Qualitative Risk Analysis

Use the likelihood and impact scales from the lecture to score each risk.

| Risk Description | \( P_{\text{Qual}} \) | \( V_{\text{Qual}} \) | \( R_{\text{Qual}} \) (Score) | Risk Level (L/M/H/E) | Justification |
|---|---|---|---|---|---|

Step 4: Quantitative Risk Analysis

Convert your qualitative scores into numbers using the modified constants below:

  • \( P_{\text{Quant}} = N \cdot 10^{(P_{\text{Qual}} - 5)} \), where \( N = 20 \) (baseline = 20 events/year at “Certain”).
  • \( V_{\text{Quant}} = M \cdot 10^{(V_{\text{Qual}} - 5)} \), where \( M = £5{,}000{,}000 \) (maximum impact for “Disastrous”).
  • \( R_{\text{Quant}} = P_{\text{Quant}} \times V_{\text{Quant}} \)

| Risk Description | \( P_{\text{Qual}} \) | \( V_{\text{Qual}} \) | \( P_{\text{Quant}} \) (Events/year) | \( V_{\text{Quant}} \) (£) | \( R_{\text{Quant}} \) (£) |
|---|---|---|---|---|---|
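Worked example for Step 4 of both tasks (added here; it is not part of the lab or its TEMPLATE): the formulas above as Python, with N and M passed in so the Task 1 constants (N = 50, M = £10,000,000) and the Task 2 constants (N = 20, M = £5,000,000) share one set of functions. The sample risk rows are constructed, and the additive \( R_{\text{Qual}} \) rule is an assumption inferred from the worked Acme row (3, 4 → 7).

```python
# Added example (not part of the lab template): the Step 4 formulas as code,
# parameterised so one function set serves Task 1 (N=50, M=£10,000,000) and
# Task 2 (N=20, M=£5,000,000). Sample rows below are constructed, not from the lab.

def _check_score(score: int) -> None:
    # Both qualitative scales run 1 (Rare / Insignificant) .. 5 (Certain / Disastrous).
    if score not in range(1, 6):
        raise ValueError(f"qualitative score must be 1..5, got {score!r}")

def p_quant(p_qual: int, n: float) -> float:
    """Likelihood as a frequency: P_Quant = N * 10^(P_Qual - 5) events/year."""
    _check_score(p_qual)
    return n / 10 ** (5 - p_qual)  # dividing by a power of ten keeps 0.5, 0.05, ... exact

def v_quant(v_qual: int, m: float) -> float:
    """Impact as money: V_Quant = M * 10^(V_Qual - 5) pounds."""
    _check_score(v_qual)
    return m / 10 ** (5 - v_qual)

def r_quant(p_qual: int, v_qual: int, n: float, m: float) -> float:
    """Expected annual loss in pounds: R_Quant = P_Quant * V_Quant."""
    return p_quant(p_qual, n) * v_quant(v_qual, m)

def r_qual(p_qual: int, v_qual: int) -> int:
    """Qualitative score. Assumption: the lab's worked row (3, 4 -> 7) adds the two scores."""
    _check_score(p_qual)
    _check_score(v_qual)
    return p_qual + v_qual

def rank_risks(risks, n: float, m: float):
    """Rows of (description, R_Qual, R_Quant) sorted by expected annual loss, highest first."""
    rows = [(desc, r_qual(p, v), r_quant(p, v, n, m)) for desc, p, v in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample for Task 1: the lab's own payment-outage row plus two made-up risks.
ACME_RISKS = [
    ("Payment system outage", 3, 4),
    ("Customer database breach", 1, 5),
    ("Confirmation email not delivered", 3, 2),
]

if __name__ == "__main__":
    # Task 1 constants; pass n=20, m=5_000_000 for the DVWA task instead.
    for desc, rq, rqt in rank_risks(ACME_RISKS, n=50, m=10_000_000):
        print(f"{desc:34} R_Qual={rq}  R_Quant=£{rqt:,.0f}")
```

Because \( R_{\text{Quant}} = N \cdot M \cdot 10^{(P_{\text{Qual}} + V_{\text{Qual}} - 10)} \), the monetary value depends only on the sum of the two qualitative scores, which is worth keeping in mind for the comparison question in Step 5.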

Step 5: Reflection

Compare your DVWA results with Task 1 (Online Bookstore). Answer the following:

  1. Which DVWA risk had the highest qualitative rating? Why?
  2. Which DVWA risk produced the highest quantitative value (\( R_{\text{Quant}} \))? What does that mean in financial terms?
  3. Did both methods highlight the same risk or different ones? Why might this be?
  4. Was it easier to identify assets and risks in the abstract scenario (Task 1) or in the real DVWA system (Task 2)?
  5. If you were advising DVWA’s owner, which risk would you address first, and what treatment (reduce, transfer, retain, avoid) would you suggest?

Best,
Ali.

Copyright © 2025 • Created by Ali Jaddoa

Page last updated: Tuesday 18 November 2025 @ 08:19:45 | Commit: dc82693