Quantitative vs Qualitative Cyber Risk Management Approach
30 Nov 2020 | Santhosh Kumar and Dr. Grigorios Fragkos
There is always a certain level of inherent risk in operating any organisation. Since business risk cannot be eliminated entirely, appropriate risk management efforts need to be in place to reduce exposure to an acceptable level. With most organisations going through a digital transformation to unlock competitive advantage in their respective markets, additional risk is inevitably introduced and accumulated across the whole spectrum of operations.
Risks that could compromise the confidentiality, integrity or availability of sensitive information, products and services are categorised as cybersecurity risks, commonly referred to as cyber risks (for example, the cyber risks identified through a UAE IA Standards assessment). Organisations can manage these cyber risks using either a qualitative or a quantitative approach. Let us look at what these approaches are, list their benefits and limitations, and see which could be considered the best-suited approach for your organisation.
Currently, most organisations use the qualitative approach to manage cyber risks, with the aim of reducing exposure to an acceptable level through a focused treatment of each risk. In the qualitative approach, rating scales (e.g. Low to High, 1 to 3, etc.) are used to score the impact and the likelihood to the organisation should the risk materialise. The product of these two scores is plotted on a matrix to depict the severity, or rating, of the risk in question. The risk rating is represented as a heat map (Figure 1), which is easy for stakeholders and senior management to follow and understand when deciding on risk response efforts. The best way to take on qualitative risk analysis is to break it down into smaller steps that involve:
A common misconception is that this constitutes a quantitative approach, because predefined numbers are used for the rating scales and the impact and likelihood statements. The quantitative approach to risk management is different, and it is discussed in detail later on.
There are some advantages and disadvantages of the qualitative approach to cyber risk management which we’ve outlined below.
This approach best suits organisations that operate in low-risk environments, are less dependent on technology for their core business operations, and have a less mature cybersecurity practice. At the same time, it should be clear that a qualitative analysis of the risk environment provides enough clarity to prioritise tasks quickly and cost-effectively, without the considerable logistical and financial effort that a quantitative model would otherwise require.
The quantitative approach to cyber risk management uses numerical values for asset valuation as well as for the calculation of the risk factors (impact and likelihood). These values are absolute, monetary figures rather than relative scales, and are generally derived from asset values and mathematical formulas (Figure 2).
The final risk assessment report expresses risk levels, potential loss and the cost of mitigating controls in currency figures. This facilitates effective and unambiguous risk-related discussions and decisions. It also improves the accuracy of the risk ratings, as these are based on data points and not on relative scales. In other words, conducting a quantitative risk analysis requires:
In effect, a quantitative risk analysis should be able to quantify the possible outcomes, assess the probability of achieving specific objectives, support decision making under uncertainty and, last but not least, produce realistic and achievable cost, schedule and scope targets.
| Asset Value (AV) | Exposure Factor (EF) | Impact (SLE = AV * EF) | Likelihood (ARO) | Risk value (ALE = SLE * ARO) |
|---|---|---|---|---|
| 200,000 AED | 60% | 120,000 AED | 20% | 24,000 AED |
Asset Value (AV): Monetary value for each asset.
Exposure Factor (EF): Percentage of loss that an organisation would experience if a specific asset were violated by a realised risk.
Single Loss Expectancy (SLE): Cost associated with a single realised risk against a specific asset.
Annualised Rate of Occurrence (ARO): Expected frequency with which a specific threat or risk will occur within a single year.
Annualised Loss Expectancy (ALE): Expected yearly cost of all instances of a specific realised threat against a specific asset.
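The worked table above stops at the ALE; what a practitioner actually does with that figure is compare it against the cost of a control, which is the cost/benefit step the comparison table later attributes to the quantitative approach. The following is an added example, not code from the article or from Digital14: it implements the AV/EF/SLE/ARO/ALE arithmetic with input validation, adds a net-benefit check for a proposed control, and places a 3x3 qualitative rating next to it so the two approaches can be contrasted on the same risks. The article's 200,000 AED / 60% / 20% row is used as-is; the second risk, the two controls (names, annual costs, post-control ARO) and the assessor's 1-3 scores are constructed for illustration and are not from the article.

```python
"""Quantitative risk arithmetic (AV, EF, SLE, ARO, ALE) with a control
cost/benefit check, alongside a 3x3 qualitative rating for contrast.
Added example; not the article's own code. Control figures are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the article's quantitative terms."""
    name: str
    asset_value: float      # AV: monetary value of the asset (AED here)
    exposure_factor: float  # EF: fraction of AV lost per realised event, 0..1
    aro: float              # ARO: expected number of events per year

    def __post_init__(self) -> None:
        # Guard the inputs: an EF above 1 or a negative ARO silently breaks ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and the EF/ARO expected once it is in place."""
    name: str
    annual_cost: float            # assumed yearly cost of running the control
    exposure_factor_after: float  # EF with the control in place
    aro_after: float              # ARO with the control in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """Same asset and threat, with the control's reduced EF/ARO applied."""
    return Risk(risk.name, risk.asset_value,
                control.exposure_factor_after, control.aro_after)


def annual_net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus the control's annual cost.
    A negative result means the control costs more than the loss it avoids."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def qualitative_rating(impact: int, likelihood: int) -> str:
    """Heat-map bucket for 1-3 impact and likelihood scores. The cut-offs
    (product >= 6 High, >= 3 Medium, else Low) are one common convention,
    assumed here rather than prescribed by the article."""
    if not (1 <= impact <= 3 and 1 <= likelihood <= 3):
        raise ValueError("impact and likelihood must be on a 1-3 scale")
    score = impact * likelihood
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Constructed inputs: the article's 200,000 AED / 60% / 20% row, plus a
# second, much smaller asset with the same EF and ARO.
CUSTOMER_DB = Risk("customer database breach", 200_000, 0.60, 0.20)
DEV_LAPTOP = Risk("developer laptop loss", 20_000, 0.60, 0.20)

# Constructed assessor scores (impact, likelihood) on a 1-3 scale: a
# qualitative exercise that rates both risks identically.
ASSESSOR_SCORES = {CUSTOMER_DB.name: (2, 2), DEV_LAPTOP.name: (2, 2)}

# Assumed controls: the same ARO reduction at two different price tags.
MFA_ROLLOUT = Control("MFA + conditional access", 10_000, 0.60, 0.05)
MANAGED_SOC = Control("24x7 managed SOC", 20_000, 0.60, 0.05)


def main() -> None:
    for risk in (CUSTOMER_DB, DEV_LAPTOP):
        impact, likelihood = ASSESSOR_SCORES[risk.name]
        print(f"{risk.name}: SLE={risk.sle():,.0f} AED  ALE={risk.ale():,.0f} AED"
              f"  qualitative={qualitative_rating(impact, likelihood)}")
    for control in (MFA_ROLLOUT, MANAGED_SOC):
        benefit = annual_net_benefit(CUSTOMER_DB, control)
        verdict = "justified" if benefit > 0 else "not justified"
        print(f"{control.name}: net benefit {benefit:,.0f} AED/yr -> {verdict}")


if __name__ == "__main__":
    main()
```

Running it reproduces the article's row (SLE 120,000 AED, ALE 24,000 AED) and shows two things the prose only asserts: both constructed risks land in the same "Medium" cell of the heat map while their ALEs differ tenfold, and of two controls that cut the ARO equally, only the cheaper one has a positive net benefit against the 24,000 AED ALE.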
However, there are advantages and disadvantages with the quantitative approach when it comes to cyber risk management which we’ve outlined below.
This approach best suits organisations that operate in high-risk environments, are more dependent on technology for their core business operations, and have a mature (or at least well-established) cybersecurity practice. The nature of quantitative risk analysis requires working through logistical challenges and financial data points, as it uses that data to produce a value that measures the acceptability of a risk event's outcome.
It goes without saying that there are advantages and disadvantages to both approaches (Table 1). The qualitative approach enables a clear and descriptive narration of cyber risks, while the quantitative approach provides monetary risk values for detailed analysis and further considerations.
Table 1 – Qualitative vs Quantitative (comparative summary)
| Qualitative | Quantitative |
|---|---|
| Subjective evaluation of probability and impact | Probabilistic and objective estimation of time, cost and scope |
| Focused at risk level | Focused at task/project level |
| Broader use across all identified risks | Limited use; dependent on type of project, risk type and data availability |
| Less time-consuming and straightforward | Time-consuming, with potential associated cost |
| No investment in specialised software is necessary | May require the use of specialised software tools |
| Does not require a significant amount of data | Requires a significant amount of data |
| Does not use cost/benefit analysis to finalise risk treatments | Uses cost/benefit analysis to finalise risk treatments |
| Requires a certain level of work, based on the security assessor's expertise and previous experience, to arrive at risk ratings | Requires meticulous work, based on the security assessor's expertise and previous experience, to provide an accurate depiction of risks in terms of value |
Although both approaches have their pros and cons, they are not meant to compete over which is "best", but rather over which is best suited to the challenge(s) at hand. After all, both are important tools within the larger risk management process, and in many cases they complement each other.
Even though there is no clear-cut "winner" between the two approaches, neglecting either of them results in ineffective cyber risk management, with potentially devastating results for an organisation.
A combined framework utilising the best attributes of both these approaches would be the ideal candidate for effective and efficient cyber risk management. Organisations can reach out to cyber risk management consultants to establish an effective cyber risk management framework that is both flexible and bespoke to match their particular requirements.
To learn more, visit Digital14.com today.