Cybersecurity Risk Assessment – Qualitative vs Quantitative Assessments

Finjan Team | Blog, Cybersecurity

The overall security status of an organization is made up of inputs from the various business units which in turn make up the enterprise – such as Operations, Development, Finance, Audit, and Compliance. One way of establishing the contribution from each department is by assigning it a “risk status” on the basis of a cybersecurity risk assessment performed on it over a certain period.

Risk Assessment and Risk Management

To ensure that business processes run smoothly and safely, it’s necessary to identify all the potential factors that might prevent this from happening. These might include internal elements such as inappropriate or inefficient business practices, problems with infrastructure, equipment, software, and other resources, or external elements such as cyber-attacks.

Risk assessment begins with identifying all the possible risks that an organization might face – which may run to an extremely long list. The core purpose of a risk assessment (also known as risk analysis) is to enable planners to determine which of those potential drawbacks are most relevant and to establish the benefits to an enterprise of implementing counter-measures to reduce or eliminate the effects of those risks.

Risk management is employed as a consequence of the risk assessment and involves the setting up of policies and proactive measures to address the findings of the risk analysis. Typically, an organization may choose to manage risks by taking steps to mitigate them (if they’re likely to have an impact on vital operations), accepting them (if their likely effect is minimal), or transferring responsibility for them to a third party (usually in the form of an insurance policy of some kind).

Risk assessment and management decisions hinge on the relative importance attached to identified risks – and this importance may be established in one of two ways: Qualitatively, or quantitatively.

Qualitative Risk Assessment

Qualitative risk assessment is based on subjective ratings assigned to each risk, which indicate how the risks rank relative to one another. Assessing a risk as Low, Medium, or High would be a simple way of doing this.

It’s an approach that centers on the probability that a risk may occur and the impact that it could have on an organization. Categorization of risks typically derives from the source of identified risks and vulnerabilities or the effect that they may have on an enterprise and its stakeholders.

In an information security context, qualitative assessment typically involves a discovery and review of enterprise assets (hardware, software, processes, human and other resources) for known weaknesses against a database of potential vulnerabilities. Each risk is then measured against relative scales to establish the likelihood that a given threat can exploit that vulnerability.

The subjective rating system of a qualitative assessment needs to take into account the strengths, weaknesses, opportunities, and threats facing an organization. It’s a faster and less expensive undertaking than a quantitative assessment, and qualitative assessments are more commonly used by enterprises looking to minimize their budgets or streamline their timetables.

Quantitative Risk Assessment

Quantitative risk assessment brings numbers into the equation, with analysis based on the likelihood that particular threats will manifest, and pre-determined measurement scales used to establish the risks or losses associated with those threats. Measurable and objective data is required to determine the value of each enterprise asset and to work out probabilities and risk values.

The ultimate aim of a quantitative risk assessment is to be able to associate a specific financial amount with each identified risk, which represents the potential loss to an enterprise if that risk actually comes into play. So if an attack or data breach occurs, an organization that’s done a quantitative risk analysis can easily establish the financial impact of the incident on its operations.

But quantitative methods may also extend to other areas of risk assessment, such as establishing the probability that a vulnerability or attack vector may be discovered, or the difficulties associated with executing applications that have become the victims of an attack.

Quantitative assessment is the most thorough method of performing a risk analysis. This also makes it the most expensive and time-consuming method – and therefore not the ideal first choice for cash-strapped or smaller scale enterprises. Organizations requiring legal protection against suits or disclosures, needing to satisfy stringent requirements for regulatory compliance, or having to reconcile budgets with risk analysis findings are most likely to opt for this approach.

Common Methodologies for Risk Assessment

Whether a risk assessment is performed qualitatively or quantitatively, there are certain common techniques and technologies used in examining the threat landscape to determine whether existing threats are still relevant, whether new threats have evolved, and how best to counter them. These include:

  • Penetration Testing: Professionally staged and hosted penetration tests are a good way of stressing an organization from top to bottom, and establishing how its systems, personnel, and processes operate under fire. Specific information on vulnerabilities, lax practices, and defective or deficient security policies may also be obtained.
  • User Activity: Monitoring the behavior and activity of users on a corporate system or network over a period of time helps both to establish a baseline of “normal” operations and to highlight activities that may pose a risk to enterprise security.
  • Intrusion Detection Signatures: Based on the recommendations of a risk assessment, an organization may elect to install an Intrusion Detection System (IDS) or Host-based Intrusion Prevention Software (HIPS), to provide early warning or a stopping barrier for identified threats and vulnerabilities. For this purpose, a customized set of vulnerability/threat signatures may be compiled, more in keeping with the specific needs of the enterprise.

Risk Assessment – Mix and Match

In many cases, an approach combining aspects of qualitative and quantitative analysis is used to reap the benefits of both methodologies.

A qualitative assessment is made to identify the key risks facing an organization. From this list, quantitative assessments are made to determine those risks most liable to cause financial or other losses to the enterprise – and the counter-measures best suited to mitigate their effects. Once remediation has been done, a further qualitative assessment may be performed, to determine how effective the remedial efforts have been.
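
The combined workflow above, together with the qualitative and quantitative sections it draws on, as an added example (not code from the original article). It assumes a 3x3 likelihood/impact matrix and uses the standard annualized loss expectancy formula (asset value x exposure factor x yearly incident rate), which the article does not name; the register entries, figures, and the MFA control are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")  # assumed 3-step qualitative scale

@dataclass
class Risk:
    name: str
    likelihood: str         # qualitative: Low / Medium / High
    impact: str             # qualitative: Low / Medium / High
    asset_value: float      # value of the affected asset
    exposure_factor: float  # fraction of that value lost per incident
    annual_rate: float      # expected incidents per year

def qualitative_rating(r: Risk) -> str:
    """Likelihood x impact matrix, collapsed to one Low/Medium/High rating."""
    score = LEVELS.index(r.likelihood) + LEVELS.index(r.impact)
    return "Low" if score <= 1 else "Medium" if score == 2 else "High"

def annual_loss(r: Risk, annual_rate: float | None = None) -> float:
    """Annualized loss expectancy: asset value x exposure x yearly frequency."""
    rate = r.annual_rate if annual_rate is None else annual_rate
    return r.asset_value * r.exposure_factor * rate

def hybrid_ranking(risks: list[Risk], floor: str = "Medium") -> list[Risk]:
    """Qualitative pass drops risks rated below `floor`; the quantitative
    pass orders the survivors by expected yearly loss, largest first."""
    keep = [r for r in risks
            if LEVELS.index(qualitative_rating(r)) >= LEVELS.index(floor)]
    return sorted(keep, key=annual_loss, reverse=True)

def countermeasure_value(r: Risk, reduced_rate: float, yearly_cost: float) -> float:
    """Net yearly benefit of a control that lowers incident frequency.
    A negative result means the control costs more than the loss it avoids."""
    return annual_loss(r) - annual_loss(r, reduced_rate) - yearly_cost

# Constructed sample register; every name and figure is illustrative.
REGISTER = [
    Risk("Lobby kiosk defacement", "Low", "Low", 5_000, 0.25, 0.5),
    Risk("Lost unencrypted laptop", "Medium", "Medium", 50_000, 1.0, 0.5),
    Risk("Ransomware on file servers", "Medium", "High", 1_000_000, 0.5, 0.25),
    Risk("Phishing-led credential theft", "High", "Medium", 400_000, 0.25, 2.0),
]

if __name__ == "__main__":
    for r in hybrid_ranking(REGISTER):
        print(f"{qualitative_rating(r):<7}{annual_loss(r):>12,.0f}  {r.name}")
    # Hypothetical control: MFA cuts phishing incidents from 2.0 to 0.5 a year.
    print("Net value of MFA:", countermeasure_value(REGISTER[3], 0.5, 30_000))
```

Two risks can share a qualitative rating of High and still differ widely in expected yearly loss, which is why the quantitative pass is used to order the shortlist and to compare the cost of a counter-measure against the loss it avoids.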
