Posted on Apr 3, 2018
Formulating an IT security risk assessment methodology is a key part of building a robust and effective information security program. Formal methodologies have been created and accepted as industry best practice when standing up a risk assessment program, and should be considered and worked into a risk framework when performing an assessment for the first time. In this post we’ll discuss the two primary approaches to risk: quantitative and qualitative risk assessment methodologies, along with their usages and how they complement each other to provide a holistic view of risk.
The first and most straightforward IT security risk assessment methodology is that of quantitative risk assessment and analysis. “Quantitative” means that risk is quantified or measured in terms of definite numbers, figures, and percentages. This methodology answers the questions of “What is the financial impact of this risk?” and “How much data would be lost or compromised if this risk were realized?” among others. While this approach does take into consideration the impact a risk would have on business operations, it does so through a rigid numbers-based lens.
To get started with a quantitative risk analysis, an assessment team must first identify key assets to the business . This IT security risk assessment methodology includes factors such as IT equipment, data processing systems, and facilities, along with less-obvious assets like employees, mobile devices, and the data itself which resides on the system. Once all key assets are identified, calculate the value of each in dollars. This may be difficult to do for ambiguous or volatile assets, but it doesn’t have to be a perfect science; estimates are fine. For each risk, determine which asset(s) it would affect and how much of that asset would be lost or compromised as a percentage. Then simply take the loss percentage multiplied by the value of the asset to obtain a dollar amount of loss for that specific risk.
What does the assessment team end up with when taking a quantitative approach to risk? After assessing each risk scenario, the team should have a report of which assets are exposed to risk, how much of the asset is exposed, and what the financial impact would be if the risk were realized. This allows management to make informed decisions when considering controls and safeguards to protect various assets: If the control costs more than the amount that would be lost in a risk scenario, it doesn’t make financial sense to implement the control, regardless of whether the loss actually happens.
The downside to this numbers-based approach is that it does not consider the impact to business functions or how production would be affected in various risk scenarios. When evaluating how business units, processes, and reputation would be impacted by a risk, a qualitative approach is used instead.
Another important IT security risk assessment methodology is to take a qualitative view on risk. Rather than numbers and percentages, the qualitative approach answers the questions of “How will my team be affected by this risk?” and “How would our service levels be impacted by a loss?” This view is much more subjective than its quantitative counterpart in that it seeks the opinions and viewpoints of various business stakeholders when performing an assessment.
A qualitative IT security risk assessment methodology is arguably much easier to perform than a quantitative analysis, but is also less precise. This method usually involves calling a committee of delegates from various parts of the business to discuss how their teams would be affected by different risks. Rather than asking “How much money would you lose in this situation?” a qualitative approach asks “How would the productivity of your team be affected in this situation?” For example, when assessing the risk posed to a server cluster, the assessor can ask “How would your team’s productivity be affected if they couldn’t access their web application?” Without a backup procedure in place, the answer would probably be that the team couldn’t produce anything, thus allowing the assessor to determine that the system is subjectively critical to business function.
The deliverable from a qualitative assessment should be a report of which assets and systems are most important to various parts of the business. The assessment committee won’t necessarily know the financial impact if these systems were compromised, but they will understand which business units would be affected and how much productivity would be lost in different risk scenarios. Additionally, the assessor would understand impact to the company’s reputation and any PR considerations if a risk were realized and became publicly known.
When developing the IT security risk assessment methodology for your organization, it’s important to realize that both quantitative and qualitative analyses are needed for a well-rounded view on risk. While the business does need a black-and-white view on financial impacts and quantities of data lost, it also needs to understand the subjective effects of risk and how they may hinder production or tarnish the company’s reputation. Security leaders may find their time best spent by holding meetings for the qualitative portion of the assessment at the same time that analysts are calculating asset values and determining financial impact for the quantitative view.
Once both portions of the assessment have been completed, present the findings to relevant stakeholders to discuss both the objective and subjective impacts of risk. After reviewing the reports, senior management and board members will gain greater insight into the risk landscape of the company, allowing them to make informed decisions for budgeting and resource allocation to address them.
In summary, an effective IT security risk assessment methodology will incorporate both quantitative and qualitative approaches to paint an accurate picture of risk. When building your risk assessment program, consider leveraging both of these methods to protect your most critical assets.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 categories of risk. Answer a few simple questions and we'll instantly send your score to your business email.