The 2 Types of Risk Assessment Methodology

Every company handles sensitive information — customer data, proprietary information, information assets, and employees’ personal information — all of these records come with risk attached to them.

How can your organization understand exactly how much risk you face when it comes to the information you’re storing and your cybersecurity controls? How can you prepare for that risk before a breach happens?

Cybersecurity risk assessments are a vital part of any company’s information security management program — they help you understand which security risks your critical assets face, how you should protect those assets, and how much you should budget to protect them.

What is risk assessment?

Risk assessment is, broadly, the process of identifying and analyzing potential future events that may negatively impact your organization, how likely each sort of risk is, and how much of an impact a risk might have on your business. A risk assessment can also help you decide how much of each type of risk your organization is able to tolerate.

Organizations conduct risk assessments in many areas of their businesses — from security to finance. Cybersecurity risk assessments deal exclusively with digital assets and data.

There are two main types of risk assessment methodologies: quantitative and qualitative.

What is a quantitative risk assessment?

Quantitative risk assessments focus on the numbers — to perform a quantitative risk assessment a team uses measurable data points to assess risk and quantify it.

To perform a quantitative risk assessment, your organization will start by compiling two lists: a list of possible risks and a list of your most important digital assets. The second list might include items such as valuable information, your IT infrastructure and other key assets. Once you’ve made your list of assets, you’ll assign a dollar value to each item — this can be tricky for line items such as customer data or other valuable information for which there is no set financial value.

Then look at your list of risks. Which asset would be affected by the risk at the top of your list? How much would be lost? Multiply the percentage of the loss by the dollar value of the asset to get a financial amount for that risk. Then move on to the next risk on your list.

You can see why quantitative risk assessments might be attractive to boards and business leaders — this sort of assessment is used to answer questions that need to be answered in numbers — like “how many records will be exposed if we experience a breach?” or “how will this risk impact our bottom line?” It allows boards to compare the costs of security controls to the data those controls protect.

It doesn’t however, answer all of the questions related to risk — like what happens to productivity if there’s a cyber attack? That’s where qualitative risk assessment comes in.

What is a qualitative risk assessment?

A qualitative risk assessment is less about numbers and more about what would actually happen, day-to-day if one of the risks on your list were to occur.

While a quantitative risk assessment is straightforward and numbers-based, a qualitative security risk assessment methodology is performed by talking to members of different departments or units and asking them questions about how their operations would be impacted by an attack or a breach. Specifically, you might ask how a team’s productivity would be affected if they couldn’t access specific platforms, applications, or data. These interviews will show an assessor which systems and platforms are mission-critical for specific teams, and which aren’t. You might also ask customer-facing teams how a breach will affect service delivery or those who manage vendors about how an attack will interfere with supply lines.

Qualitative risk assessments aren’t as precise as quantitative assessments are, but they provide an important piece of information — an attack is about more than its financial ramifications. It can also throw business operations into chaos. If you know ahead of time how risk might impact each team’s productivity, you can have back-ups in place to mitigate those risks.

Why you need both, and how SecurityScorecard can help

When you’re developing your company’s information security management program, it’s important to understand that you’ll need to incorporate methodologies when you’re assessing risk. Your leadership must be prepared for the financial effects of a breach as well as the impact an attack could have on business operations. By identifying risk and knowing how it will impact your business, you’ll be better prepared to mitigate the impact of a risk should it occur.

SecurityScorecard can help you see your risks by monitoring the cyberhealth of your enterprise across 10 groups of risk factors with our easy-to-understand security ratings. By continuously monitoring your enterprise’s security, you’ll be able to take action and protect your data and that of your customers and partners.