An information security risk assessment is the process of identifying vulnerabilities, threats, and risks associated with organizational assets and the controls that can mitigate these threats. Risk managers and organizational decision makers use risk assessments to determine which risks to mitigate using controls and which to accept or transfer. There are two prevailing methodologies for performing a risk assessment. These are the qualitative and quantitative approaches. A third method termed mixed or hybrid combines elements of the qualitative and quantitative approaches.
Quantitative Information Security Risk Assessment
Quantitative information security risk assessments use mathematical formulas to determine the exposure factor and single loss expectancy or each threat as well as the probability of a threat being realized called the Annualized Rate of Occurrence (ARO). These numbers are used to estimate the amount of money that would be lost to exploited vulnerabilities annually called the Annualized Loss Expectancy (ALE).
With these numbers, the organization can then plan to control this risk if countermeasures are available and cost effective. These numbers allow for a very straightforward analysis of the costs and benefits for each countermeasure and threat to an asset. Countermeasures that reduce the annualized loss expectancy greater than their annualized cost should be implemented if there is sufficient resource slack available to employ the countermeasure.
For example, a quantitative assessment for Company X identifies $1,000,000 in assets. With an exposure factor of 1%, Company X expects to lose $10,000 annually. In other words, the ALE is $10,000. Countermeasures are available that will reduce this expectation to $2,000 per year, and the countermeasures cost $7,000 per year to implement. This assessment makes it easy to see the savings of implementing the countermeasures because the organization would save $1,000. The math is as follows: $10,000 loss reduced to $2,000 is a reduction of $8,000. The countermeasures cost $7,000. $8,000 reduction in loss minus $7,000 for the cost of the countermeasures equals a savings of $1,000.
As you can see, the formulas here are all based on the asset value and exposure factor. Therefore, different quantitative risk assessments could produce very different results if the method of asset valuation differed. One assessment may use purchase cost as the asset value but another may use value to data owners, operational cost, value to competitors, or the liability associated with asset loss. Each of these values would be reasonable to use, but they would produce different results.
In the example above, the decision to implement the countermeasures would be different if the asset valuation turned out to be $850,000 instead of $1,000,000. Here the ALE would be $8,500. Now the loss is still reduced to $2,000 would result in a savings of $6,500, but the countermeasures cost $7,000 so the organization would lose $500 implementing the countermeasures. It is important to recognize how different methods of asset valuation impact the assessment. The methods used in asset valuation should be documented so that decision makers understand how the numbers were obtained.
Qualitative Information Security Risk Assessment
Qualitative information security risk assessments use experience, judgment, and intuition rather than mathematical formulas. A qualitative risk assessment may utilize surveys or questionnaires, interviews, and group sessions to determine the threat level and annualized loss expectancy. This type of risk assessment is very useful when it is too difficult to assign a dollar value to a particular risk. This can easily be the case with highly integrated systems that house numerous assets and are subject to a variety of risks.
Qualitative information security risk assessments are usually well received because they involve many people at different levels of the organization. Those involved with a qualitative risk assessment can feel a sense of ownership of the process. Qualitative risk assessments do not require a great deal of mathematical computation, but the results are usually less precise than those achieved with a quantitative assessment.
Mixed Information Security Risk Assessment
It is possible to use a mixed approach to information security risk assessments. This approach combines some elements of both the quantitative and qualitative assessments. Sometimes quantitative data is used as one input among many to assess the value of assets and loss expectancy. This approach gives the assessment more credibility due to the hard facts presented, but it also involves people within the organization to gain their individual insight. The disadvantage of this approach is that it may take longer to complete. However, a mixed approach can result in better data than what the two methods can yield alone.
Information security risk assessments can use a quantitative or qualitative methodology or a combination of the two to determine asset valuation, threat levels, and the annualized loss expectancy due to vulnerabilities. There are software applications that will make performing quantitative calculations easier for risk assessments, so this approach is quite useful for those new to risk assessment. Quantitative assessments provide clear data that makes decision making easy. However, qualitative assessments utilize the experience and may uncover things missed by a purely mathematical formula. Qualitative assessments also involve more people who can aid in the acceptance of result.