
Risk Assessment Methodologies

Risk assessment and analysis can be a nebulous process. Unless one has studied
risk and the math that goes along with it, one might not know where to start
when a regulation says that a risk analysis must be performed. SBS recently
posted a great article on how to perform a quantitative risk assessment and a
few different ways to develop an IT Risk Assessment that can help you make
better decisions. A quantitative risk assessment of your IT environment is a
must if you want to reach the higher levels of a security maturity model, and it
is also a must if your organization wants to take IT risk management seriously.
However, there are times when you need to measure your risk against a set of
regulatory controls. The quantitative method is not well suited to this type of
risk calculation; instead, risk assessors use a more qualitative method.
 

What Does “Qualitative Risk Assessment” Mean?


A qualitative risk assessment studies an event, or in this case a regulatory
control, and rates the quality of its implementation. Behind this type of risk
assessment, decisions have already been made about the impact to the
organization if the control is not implemented and about the probability that
the control will need to be exercised; the assessor is not re-deriving those
numbers, only judging how well the control is in place. As an example, our TRAC
Tool performs a qualitative risk assessment in its ISP module to give the user
an idea of how well the institution's Information Security Program has been
implemented, measured against a pre-defined standard of security controls.
 

When to Use Qualitative Measurement


Qualitative risk assessment excels at giving the risk assessor and the risk
manager information about how well a control is currently implemented. For
instance, on a scale from 1 to 5, a "1" rating might mean that the control has
not been considered by the organization. A "2" might mean that the control has
been considered but not implemented. A "3" might mean the organization has a
process in place for the control, but it is not formalized or documented. A "4"
might mean the control is formalized but not documented. Finally, a "5" means
the control is fully implemented, formalized, and documented.

Using the qualitative method of risk assessment, you can evaluate your
institution against a particular standard or piece of guidance. Break the
standard you are using down into sections or categories, list the controls the
standard recommends you implement, rate your implementation of each control
(on the 1 to 5 scale described above), then determine the
control-implementation percentage for each section. Calculate the
control-implementation percentage by adding up your ratings for the controls in
that section, then dividing by the maximum possible total for that section (on
a 1 to 5 scale, 5 multiplied by the number of controls evaluated) and
multiplying by 100.
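The procedure above, carried through in code as an added example (this is not code from the article or from the TRAC Tool). The section names and control identifiers in the sample assessment are constructed for illustration and do not come from any real standard; the 1 to 5 scale and the sum-over-maximum formula are the article's.

```python
"""Qualitative control-implementation scoring on a 1-5 scale.

Added example, not part of the original article. The rating meanings follow
the article; section names and control IDs in SAMPLE are invented.
"""

# Rating scale from the article: 1 = not considered ... 5 = fully implemented,
# formalized and documented.
RATING_MIN, RATING_MAX = 1, 5

RATING_MEANING = {
    1: "not considered",
    2: "considered but not implemented",
    3: "process in place, not formalized or documented",
    4: "formalized but not documented",
    5: "fully implemented, formalized and documented",
}


def section_percentage(ratings):
    """Control-implementation percentage for one section:
    sum of ratings / (RATING_MAX * number of controls) * 100.

    Note the floor: because every control scores at least 1, a section in
    which nothing has been considered still scores 20%, not 0%.
    """
    if not ratings:
        raise ValueError("section has no rated controls")
    for r in ratings:
        if not isinstance(r, int) or not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"rating {r!r} outside {RATING_MIN}-{RATING_MAX} scale")
    return 100.0 * sum(ratings) / (RATING_MAX * len(ratings))


def assess(standard):
    """standard: {section_name: {control_id: rating}}.

    Returns {section_name: percentage} plus an "Overall" entry computed over
    every control, so sections with more controls carry more weight.
    """
    results = {}
    all_ratings = []
    for section, controls in standard.items():
        ratings = list(controls.values())
        results[section] = round(section_percentage(ratings), 1)
        all_ratings.extend(ratings)
    results["Overall"] = round(section_percentage(all_ratings), 1)
    return results


def weakest_controls(standard, threshold=3):
    """Controls rated below `threshold`: with the default, those that do not
    yet have any process in place (ratings 1 and 2)."""
    return sorted(
        (section, cid, rating)
        for section, controls in standard.items()
        for cid, rating in controls.items()
        if rating < threshold
    )


# Constructed sample assessment. Section names and control IDs are hypothetical.
SAMPLE = {
    "Access Control": {"AC-1": 5, "AC-2": 4, "AC-3": 2, "AC-4": 3},
    "Incident Response": {"IR-1": 3, "IR-2": 1, "IR-3": 2},
    "Vendor Management": {"VM-1": 5, "VM-2": 5},
}

if __name__ == "__main__":
    for section, pct in assess(SAMPLE).items():
        print(f"{section:<20} {pct:5.1f}%")
    print("Controls with no process in place:")
    for section, cid, rating in weakest_controls(SAMPLE):
        print(f"  {section} / {cid}: {rating} ({RATING_MEANING[rating]})")
```

Two things worth noticing when you use this: the section percentages are what the article describes, but the overall figure is weighted by control count rather than being an average of section percentages, so a large section with weak controls pulls it down more than a small one. And because the scale starts at 1, the lowest possible score is 20%; if you want "nothing considered" to read as 0%, rate on a 0 to 4 scale (or subtract 1 from each rating and divide by 4 times the control count) and say so in your methodology.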
 

Final Thoughts


Ultimately, the risk assessment methodology you use should depend on what you
are trying to measure and what outcomes you want from that measurement. A
quantitative risk assessment works from measurable and often pre-defined data,
whereas a qualitative risk assessment relies more on the judgment and knowledge
of the assessor. A quantitative risk management methodology is best suited to a
detailed comparison of like things across your organization, while a
qualitative risk assessment is best for evaluating the implementation of a
framework that does not come with pre-defined values. In many cases, you can
combine the two methodologies to enhance an existing risk assessment. Knowing
which methodology to use in each situation can mean the difference between the
failure and the success of your risk management program.
