Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – How much would you like your company’s Risk to cost – 10,000 $, 20,000 $ or 50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of color or a heat map or numbers.

The two approaches to risk analysis are Quantitative & Qualitative. Let’s understand them.

This break will help you remember that this approach is related to numbers. Quanti refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify or measure what is the value of the risk in dollar terms. 

Let’s understand this through a simple example – 

This information above has been gathered as a part of risk assessment. Clearly, you can observe that every aspect has been assigned a value. The asset value (cost of building) has been derived at 100,000$. The loss has also been quantified.  This is what Quantitative Analysis is all about. 

Numbers are incomplete without some formulas.  So here comes the formula:

Asset Value – What is the value of the asset? You have to include (at the risk assessment) all sorts of cost here to make up the asset value such as cost to develop this asset, cost to maintain it, cost to replace it, money spent on it to make it usable, the value of the asset to owners etc. Here the building value has been identified as 100,000$ which is inclusive of all such costs.

Exposure Factor – What is the exposure if the threat materializes? What percentage of the asset value would be destroyed in case of realization of the threat? Here the building is affected by the fire and that would be destroyed by around 25%. This value is the exposure factor.

Single Loss Expectancy - Actual Loss in case of realization of a threat. Notice the word expectancy here. We are expecting that this would be the loss in case of actual fire.

In our example, if we wish to calculate the SLE, it would be like this –

Hence, SLE = 100,000 *0.25 = 25,000$.

Therefore, the company would suffer a loss of 25,000$ from a fire.

Wait, the movie has not finished yet. Notice the last line in the scenario above. Past experiences have shown the occurrence of a fire once every 5 years.  What does this mean and how does it fit here?

Every business needs to make such assessments over a year. If a fire occurs once every 5 years, this means the damage due to the loss would be over a period of 5 years, that is, 25,000$ spread over a period of 5 years. This implies that the company can choose to spend 5,000$ every year to cover any losses arising out of this situation.

This leads us to another formula.

Annualized Rate of Occurrence – This value represents the estimated frequency with which a specific threat would occur over a period of 1 year. 

Here the ARO would be 1/5 or 0.2.

Hence, the annual loss which the company may face is 25,000$ * 0.2 = 5,000$.

This value would help the company take a decision over the controls it would like to implement and what money would it can spend. 

If all were so simple here, why would information security professionals be needed anyway? The assignment of monetary values to every small detail here is the biggest drawback of Quantitative Risk Analysis approach. There is no standard approach to assign monetary values and there is a lot of groundwork that needs to be done to identify such values with certainty. Automated tools solve this problem up to some extent, however, there is a lot that can be missed or overestimated in this approach.

Let’s call experts from every department and have tea together. Over this tea party, we can ask them certain questions about the risk the company faces and note them down. We can then allot colors to high, medium and low risks. Smiling? 

Qualitative risk analysis tries to identify various scenarios of risk possibilities and then rank them in the order of high medium or low criticalities. This is mainly identified through various discussions and includes various techniques such as brainstorming, storytelling, group discussions etc. The idea here is to gather expert of different departments and brainstorm with them over possible threat scenarios and then ask them to identify countermeasures basis the scenarios identified in the discussion. No monetary numbers are assigned here. Instead, a risk matrix is created which lists the likelihood of various threat scenarios.

While this may sound simple and easy to you, it is not. Gathering of such experts and then discussions with them can take up a great deal of time. Moreover, subjectivity comes in with various assumptions each expert bring with him/her. At the end of the day, the top management wants to deal with a monetary figure which is difficult to derive from this approach.

So what should we do? The answer to this is not so easy. First of all, it depends on the company and the business it is operating in. Secondly, a mix of both the approaches can help the top management arrive at decision faster and with certainty. 

What do you think of both the approaches? What is that you follow in your organization?

Would love to hear your thoughts in the comments section below.