Formulating an IT security risk assessment methodology is a key part of building a robust and effective information security program. Formal methodologies have been created and accepted as industry best practice when standing up a risk assessment program and should be considered and worked into a risk framework when performing an assessment for the first time. In this post, we’ll discuss the two primary approaches to risk: quantitative and qualitative risk assessment methodologies, along with their usages and how they complement each other to provide a holistic view of risk.
Why the risk assessment process starts with information assets
All risk assessments begin with the same series of questions. Organizations start by establishing an inventory of their information assets. By reviewing information assets, the organization can review which ones pose the greatest information security risks. For example, a database consisting of anonymized metrics may be important to an organization, but without linking it to individual customer identifiers, it poses few information security risks.
How to review information assets for risk
The foundation of any information security risk assessment is determining the impacts and likelihood of a data breach. Whether reviewing qualitatively or quantitatively, companies must look at every identified threat facing their information landscape. Once they have determined the threats, they need to look at the information asset inventory to determine how much impact the breach would have. Simultaneously, the organization must look at the likelihood of that breach occurring.
For example, an anonymized database breach may have very little organizational impact. With no intellectual property or customer data involved, this type of breach poses little financial impact on the company.
Meanwhile, if the database is stored on a shared drive, the likelihood of a breach increases. Thus, while the information itself poses little financial risk, the likelihood of an event places the organization at a higher risk.
What is a quantitative risk assessment?
The first and most straightforward IT security risk assessment methodology is that of quantitative risk assessment and analysis. “Quantitative” means that risk is quantified or measured in terms of definite numbers, figures, and percentages. This methodology answers the questions of “What is the financial impact of this risk?” and “How much data would be lost or compromised if this risk were realized?” among others. While this approach does take into consideration the impact a risk would have on business operations, it does so through a rigid numbers-based lens.
Performing a quantitative risk assessment
To get started with a quantitative risk analysis, an assessment team must first identify key assets to the business. This IT security risk assessment methodology includes factors such as IT equipment, data processing systems, and facilities, along with less-obvious assets like employees, mobile devices, and the data itself which resides on the system. Once all key assets are identified, calculate the value of each in dollars. This may be difficult to do for ambiguous or volatile assets, but it doesn’t have to be a perfect science; estimates are fine. For each risk, determine which asset(s) it would affect and how much of that asset would be lost or compromised as a percentage. Then simply take the loss percentage multiplied by the value of the asset to obtain a dollar amount of loss for that specific risk.
Outputs of a quantitative IT security risk assessment methodology
What does the assessment team end up with when taking a quantitative approach to risk? After assessing each risk scenario, the team should have a report of which assets are exposed to risk, how much of the asset is exposed, and what the financial impact would be if the risk were realized. This allows management to make informed decisions when considering controls and safeguards to protect various assets: If the control costs more than the amount that would be lost in a risk scenario, it doesn’t make financial sense to implement the control, regardless of whether the loss actually happens.
The downside to this numbers-based approach is that it does not consider the impact to business functions or how production would be affected in various risk scenarios. When evaluating how business units, processes, and reputation would be impacted by a risk, a qualitative approach is used instead.
What is a qualitative risk assessment?
Another important IT security risk assessment methodology is to take a qualitative view of risk. Rather than numbers and percentages, the qualitative approach answers the questions of “How will my team be affected by this risk?” and “How would our service levels be impacted by a loss?” This view is much more subjective than its quantitative counterpart in that it seeks the opinions and viewpoints of various business stakeholders when performing an assessment.
Performing a qualitative risk assessment
A qualitative IT security risk assessment methodology is arguably much easier to perform than a quantitative analysis but is also less precise. This method usually involves calling a committee of delegates from various parts of the business to discuss how their teams would be affected by different risks. Rather than asking “How much money would you lose in this situation?” a qualitative approach asks “How would the productivity of your team be affected in this situation?” For example, when assessing the risk posed to a server cluster, the assessor can ask “How would your team’s productivity be affected if they couldn’t access their web application?” Without a backup procedure in place, the answer would probably be that the team couldn’t produce anything, thus allowing the assessor to determine that the system is subjectively critical to business function.
Outputs of a qualitative IT security risk assessment methodology
The deliverable from a qualitative assessment should be a report of which assets and systems are most important to various parts of the business. The assessment committee won’t necessarily know the financial impact if these systems were compromised, but they will understand which business units would be affected and how much productivity would be lost in different risk scenarios. Additionally, the assessor would understand the impact to the company’s reputation and any PR considerations if a risk were realized and became publicly known.
Why both approaches are necessary
When developing the IT security risk assessment methodology for your organization, it’s important to realize that both quantitative and qualitative analyses are needed for a well-rounded view of the risk management process. Risk management processes require not only understanding impact but creating a risk management framework that sets the acceptable level of risk to enable functioning business operations.
Creating valuable risk management processes means determining the risks that your company is will to accept, transfer, mitigate, and avoid. Sometimes, a security control is not cost effective. Thus, an organization will choose to avoid the risk completely. For example, a small retailer may choose to mitigate in-store purchase risks but avoid online sales since the risk mitigation of PCI DSS compliance is not cost-effective for a new business.
In other cases, a company may choose to transfer risk to a third-party vendor. As the small retailer grows, they may choose to use Amazon services to sell goods online. Thus, they transfer the PCI DSS risk to that vendor.
Residual risk, the possibility of a failed security control used to mitigate or transfer risk, is inherent in risk mitigation. A hacker may breach a third-party, even Amazon. Thus, although the company tried to transfer the risk, a residual risk occurs. To protect against this residual risk, the online retailer needs to continuously monitor the vendor’s security stance.
While the business does need a black-and-white view on financial impacts and quantities of data lost, it also needs to understand the subjective effects of risk and how they may hinder production or tarnish the company’s reputation. Managers risk undermining business objectives when they ignore the subjective effects of security requirements. Security leaders may find their time best spent by holding meetings for the qualitative portion of the assessment at the same time that analysts are calculating asset values and determining financial impact for the quantitative view.
Once both portions of the assessment have been completed, present the findings to relevant stakeholders to discuss both the objective and subjective impacts of risk. After reviewing the reports, senior management and board members will gain greater insight into the risk landscape of the company, allowing them to make informed decisions for budgeting and resource allocation to address them.
In summary, an effective IT security risk assessment methodology will incorporate both quantitative and qualitative approaches to paint an accurate picture of risk. When building your risk assessment program, consider leveraging both of these methods to protect your most critical assets.
