Risk assessment and analysis is a nebulous process. Unless one has studied
risk and the math that goes along with it, one might not know where to start
when told by regulation that a risk analysis must be performed. SBS recently
posted a great article on how to perform a quantitative risk assessment and a
few different ways to develop an IT Risk Assessment that can help you to
make better decisions. Quantitative risk assessment of your IT environment is
a must for higher security maturity models to be achieved. It is also a must if
your organization wants to take risk management of IT seriously. However,
there are times when you need to measure your risk against a set of
regulatory controls. The quantitative method is not suitable for this type of risk
calculation. Instead, risk assessors use a more qualitative method.
Using the qualitative method of risk assessment, you can evaluate your
institution based on a particular standard or piece of guidance. You can break
the standard you’re utilizing down into sections or categories, outline the
controls that the standard recommends you implement, rate your specific
implementation of those controls (on the 1 to 5 scale mentioned above), then
determine the control-implementation percentage for each section. Calculate
the control-implementation percentage by adding up your ratings for that
section, then dividing by the maximum possible total (on a 1 to 5 scale, 5
multiplied by the number of controls evaluated).
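The per-section calculation just described, as an added example that is not part of the original article (the section names, control identifiers and ratings are constructed, not taken from any real standard). It also rejects ratings outside the scale and empty sections, which would otherwise silently distort the percentage, and adds an overall figure weighted by the number of controls in each section.

```python
from dataclasses import dataclass

# Rating scale described in the article: each control is rated 1 to 5.
# Kept as parameters so the same functions work for other scales.
SCALE_MIN = 1
SCALE_MAX = 5

@dataclass(frozen=True)
class ControlRating:
    control_id: str  # control identifier from the standard being assessed
    rating: int      # assessor's rating of the implementation, SCALE_MIN..SCALE_MAX

def rating_errors(ratings, scale_min=SCALE_MIN, scale_max=SCALE_MAX):
    """Return a list of problems that would make a section score meaningless."""
    errors = []
    if not ratings:
        errors.append("section has no rated controls")
    for r in ratings:
        if not scale_min <= r.rating <= scale_max:
            errors.append(f"{r.control_id}: rating {r.rating} outside {scale_min}-{scale_max}")
    return errors

def section_implementation_pct(ratings, scale_max=SCALE_MAX):
    """Sum of ratings divided by the maximum possible total, i.e. scale_max
    multiplied by the number of controls evaluated, expressed as a percentage."""
    errors = rating_errors(ratings, scale_max=scale_max)
    if errors:
        raise ValueError("; ".join(errors))
    total = sum(r.rating for r in ratings)
    return round(100.0 * total / (scale_max * len(ratings)), 1)

def assess_standard(sections):
    """Percentage per section plus an overall figure computed over every control
    (not an average of section percentages, so larger sections weigh more)."""
    per_section = {name: section_implementation_pct(r) for name, r in sections.items()}
    all_ratings = [r for rs in sections.values() for r in rs]
    return per_section, section_implementation_pct(all_ratings)

# Constructed sample assessment: hypothetical section names and control ids,
# not taken from any real standard.
SAMPLE = {
    "Access Control": [ControlRating("AC-1", 5), ControlRating("AC-2", 3),
                       ControlRating("AC-3", 4), ControlRating("AC-4", 2)],
    "Incident Response": [ControlRating("IR-1", 4), ControlRating("IR-2", 5)],
}
```

Calling `assess_standard(SAMPLE)` gives 70.0% for Access Control (14 of a possible 20), 90.0% for Incident Response (9 of 10) and 76.7% overall (23 of 30).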
Final Thoughts
Ultimately, the risk assessment methodology you use should depend on what
you are trying to measure and what outcomes you’d like to see from that
measurement. A quantitative risk assessment focuses on measurable and
often pre-defined data, whereas a qualitative risk assessment is based more
on subjectivity and the knowledge of the assessor. A quantitative risk
management methodology is best suited for a detailed look at comparing like
things across your organization, while a qualitative risk assessment is best
for evaluating the implementation of a framework that does not inherently
have pre-defined values. In many cases, you can combine the two
methodologies to enhance an existing risk assessment. Knowing which
methodology to use in various situations could mean the failure or the success
of your risk management program.