May 22, 2013

2.1.5 Qualitative vs. Quantitative Risks

Risk is the potential that a specific action (or lack of action) will lead to a loss, where “loss” is an undesirable outcome.

In information security, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization" [1].

In the book Security Risk Management Body of Knowledge, Julian Talbot posits that, “A security risk is any event that could result in the compromise of organizational assets, the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people.” [3]

Risk = Threat × Vulnerability

Risk management is the process of identifying risk, reducing it to an acceptable level, and then implementing controls to maintain that level.

Risk analysis identifies risks, estimates the effect of potential threats, and identifies ways to reduce the risk without the cost of prevention outweighing the risk [2].

Risk is present in any system; however, the effort spent on risk management should be commensurate with the risk. The two general approaches to risk assessment are quantitative and qualitative.

Qualitative Risk Assessment

In a qualitative risk assessment, the probability of a risk and the impact it can have on the system are identified and assigned values. Qualitative risk assessment assigns ranges and probabilities, as it is difficult to place an exact value on many types of risk. Its goal is a general picture of the risks rather than precise results. Qualitative risk assessment uses both tangible and intangible factors in determining risks.

Intangible factors include harm to the company brand.

Organizations are increasingly demanding data-driven results, particularly where the penalties of risk are significant, such as where safety, lawsuits or reputation is at stake.

Qualitative risks generally depend on the perspective of the person making the evaluation, and as such they are more difficult to measure. Risk is assigned through a variety of quasi-quantitative methods such as surveys, probability estimates and focus groups. Since the values are subjectively assigned, the result is a qualitative measure.

Quantitative Risk Assessment

Quantitative risk assessment measures risk by taking into account the probability of an incident occurring and the likely loss or cost of that event, using exact monetary values as far as possible.

The resulting value is called the Annual Loss Expectancy (ALE).

Qualitative risks are opinion-based and subjective. Quantitative risks are cost-based and objective.
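To make the contrast concrete, here is an added example (not code from the post) that scores one risk both ways: an ordinal likelihood-by-impact score on the qualitative side, and ALE on the quantitative side, then checks whether a control pays for itself. It assumes the standard SLE/ARO decomposition of ALE, which the post does not spell out; the scales, thresholds, asset value and frequencies are constructed sample inputs.

```python
# Qualitative vs. quantitative assessment of one risk (added example, not code from the post).
# The quantitative side assumes the standard SLE/ARO decomposition of ALE:
#   SLE = asset value x exposure factor,  ALE = SLE x ARO.
# Scales, thresholds, asset value and frequencies below are constructed sample inputs.

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def qualitative_score(likelihood: str, impact: str) -> int:
    """Ordinal risk score on a 1..25 scale; both inputs are an assessor's opinion."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def qualitative_rating(score: int) -> str:
    """Bucket an ordinal score into a rating (thresholds are a constructed policy)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money lost in one incident; exposure_factor is the fraction of value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE: SLE times the annualized rate of occurrence (expected incidents per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro

def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Positive when a control costs less per year than the loss expectancy it removes."""
    return ale_before - ale_after - annual_control_cost

if __name__ == "__main__":
    # Constructed scenario: a customer database worth $500,000; a breach through a
    # weak-password account loses 40% of its value, expected once every five years.
    score = qualitative_score("likely", "major")
    print("qualitative:", score, qualitative_rating(score))
    before = annual_loss_expectancy(500_000, 0.4, 0.2)
    after = annual_loss_expectancy(500_000, 0.4, 0.02)  # assumed ARO once strong passwords are enforced
    print(f"ALE before ${before:,.0f}, after ${after:,.0f}, "
          f"net benefit of a $15,000/yr control ${control_net_benefit(before, after, 15_000):,.0f}")
```

The qualitative score says "high" but gives no basis for comparing the control's cost against the risk; the ALE figures do, which is the difference the post draws between opinion-based and cost-based results.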

Plans need to be made to test and audit existing procedures by quantitative means as much as possible. In this scenario it is necessary to think like a hacker: picture the structure of your network and identify the locations where an attacker might enter.
  1. What are the most common entry points given current hacking techniques? Check out hacker blogs and gatherings, and determine from your research which locations are vulnerable. Consider additional tools available on the market to address these vulnerabilities, for example additional switches, hubs and routers to help with data control and management.
  2. Create an audit form and audit your network periodically, e.g. twice a year. Monitor current parameters on firewalls, including your password policy: do you require strong passwords, particularly on critical or highly connected subsystems? It is good practice to keep your users informed and educated; educated users are more likely to buy into your security policies.
  3. Present the adverse effects of successful attacks and the benefits of good risk management to your users. The benefits could be cost savings, availability and community appeal. Find out what will motivate the users and use that to drive home the point. What happens if an IT security control fails? What happens if the company exposes customer financial data to hackers, or is hit with a crippling malware attack? Deploy common-sense remediation methodologies. Do all this in an effort to get user buy-in.

References

  1. ISO/IEC 27005:2008
  2. CompTIA® Security+™ SY0-301 Exam Cram, Third Edition
  3. Talbot, Julian, and Miles Jakeman. Security Risk Management Body of Knowledge. Hoboken: John Wiley & Sons, 2009. Print.
