After speaking with CISOs and security leaders on how they assess risk, it’s clear there is no one size fits all approach. Evaluating risk varies based on organizational goals, corporate missions, and industry-specific requirements. Depending on maturity, security programs may take either a qualitative or quantitative approach to assessing risk. Some organizations prefer to evaluate solely based on qualitative measures, they feel the results effectively guide their mitigation and prioritization techniques. And there are some security programs who believe quantitative assessments provide specific guidance that determines dollar amount impact in terms of risk.
The value of either approach is around how results are leveraged to track progress, make improvements, and address remediation, along with how to extract the appropriate content to educate non-technical audiences (i.e. business executives and board members). Results from both assessments provide results that are easily digestible – typically appearing in straightforward heatmaps or graphs.
Some organizations use a combination of both assessment approaches to determine their risk levels, thereby taking advantage of both benefits. Usually, qualitative assessments are the best starting point, they provide a baseline level of understanding around risk and give high-level results. These require internal staff to provide their opinions, getting them involved in the process and hearing directly from team members. Once the fundamentals of a qualitative risk assessment are accomplished, many security professionals explore the quantitative approach. This approach removes the potential for biased results and gives more tangible, business-aligned results. Below are highlights for each approach along with sample results graphs.
Quantitative risk assessments are a well-defined model that evaluates and measures risk in dollars and probability. It enables organizations to prioritize risk based on economic values and the potential financial impact.
Leverages factual data measured mathematically or computationally
Risk is demonstrated in monetary terms and overall financial loss
Values may include single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE)
Provides precise values easily understood by business leaders
Determines impact of risk and resources required to remediate
Results are consistent regardless of who is performing the assessment (no internal bias)
Qualitative risk analysis is inherently subjective, solely based on the opinions of the person conducting the assessment. Results are typically based on 1-5 scoring or high-medium-low scales. Results are ideal for security teams who want to provide executives with a high-level overview of risk, displayed in a straight-forward color coded heatmap.
Uses rating scales to determine risk based on frequency and impact
Represents the relative severity of relative risks
Based on an individual’s perceived likelihood of risks
Gauges impact on organization’s reputation, finance and other factors
Risks are given numerical values that are easy to work with
Easy to communicate with simple heatmaps
Opinion-based so may include biases of people who contribute
May be limited to internal processes
May be a tendency to inflate risk – if a risk is between yellow and red they may go with red to be sure the risk is covered
In conclusion, both are great approaches and teams are able to mix and match components of each based on what aligns best with their organization. In security, there is never a one size fits all answer to specific challenges, CISOs and their teams continue to have dynamic approaches, by meeting the needs of the business and addressing risk in a comprehensive manner.
Interested in risk assessments? K logix offers white glove security assessment services custom tailored to your specific requirements. Reach out to learn more: firstname.lastname@example.org.