Risk Management: QUALITY VS QUANTITY
Just when it seemed safe to predict a decline in cyber crime, a series of attacks forced the forecasters to revise their estimates. Even before the end of the first quarter, three major attacks made the headlines.
The London-based Harris Federation, which manages over 50 primary and secondary academies, was also hit by a vicious ransomware attack. As a result, over 37,000 students of the academies lost access to coursework and correspondence data.
Another attacker had a potentially devastating plan: poisoning the water supply of a Florida city. The intruder gained access to the water treatment plant's control system and tried to raise the sodium hydroxide (lye) dosage to a dangerously high level that could have endangered the lives of the residents.
These incidents establish beyond doubt that running an organisation is always fraught with risk. Risk cannot be eliminated entirely, but effort can and should go into a defensive mechanism that effectively wards off such threats.
An organisation's security status is gauged from the inputs of units such as Finance, Operations, Audit, Compliance and R&D. A safe and secure network can only be achieved through effective Risk Assessment [also known as Risk Analysis] followed by Risk Management, a process that provides information about the threats, vulnerabilities and cyber risks in a digital system and about what to do about them.
RISK ASSESSMENT
Risk Assessment is about identifying potential threats and cyber risks to an organisation's network. Its primary aim is to let planners determine which of those risks are relevant and important enough to deal with now. Generally, the planners weigh the viability of deploying countermeasures to reduce or eliminate those risks. Risk Assessment is essential; it is akin to self-awareness. An organisation that keeps its eyes on the threats looming around it will most likely thwart them.
RISK MANAGEMENT
Once the risks and their levels of relevance and importance have been identified, Risk Management follows. This activity consists of initiating policies and countermeasures in response to the findings of the Risk Analysis.
There are three ways an organisation can handle a risk. First, if the risk is alarming and capable of affecting vital operations, appropriate steps are taken to mitigate it, that is, to reduce its likelihood or its impact. Second, if the risk is minimal, the organisation may choose to accept it; the planners will still advise staff to stay watchful in case the threat takes on a more ominous posture. Lastly, the organisation may transfer the risk to a third party such as an insurer. Note that transfer shifts the financial consequences, not the accountability: a breach still has to be handled by the organisation that suffered it.
Both Risk Assessment [or Risk Analysis] and Risk Management depend on the relevance and importance of the identified risks. This brings us to the two types of risk analysis that IT professionals employ to determine how relevant and important each risk is:
QUALITATIVE RISK ASSESSMENT
Qualitative risk assessment is a subjective method that uses rating scales to estimate the likelihood of a threat materialising and its impact if it does. Rating each risk on a scale of 1 to 3, or as Low, Medium or High, is common practice. A risk matrix plotting likelihood against impact is a helpful depiction of the ratings, and managers and decision makers use it as the basis for planning the risk response.
To make the process simpler, the exercise is broken into shorter steps: identifying risks, impact analysis, risk management and review. The qualitative approach is not a perfect model of risk assessment; it has advantages and disadvantages.
Benefits
This approach best suits organisations that operate in low-risk environments: those that do not rely heavily on technology for their core business operations and whose cyber security practices are not yet well defined or fully developed.
The qualitative approach is simple and clear to follow. It does not demand great effort to perform the analysis and manage the risks afterwards, so decision makers can define their goals quickly and cost-effectively without the logistical and financial burden a quantitative approach would entail. The price is precision: two risks both rated High cannot be compared with each other, and the ratings depend on who assigns them.
QUANTITATIVE RISK ASSESSMENT
The quantitative approach to cyber risk assessment uses measurable values and objective figures to value assets and to estimate the probability of each risk. In essence, it brings numbers into play, and the final value representing a risk is expressed in currency units. This removes ambiguity, and managers arrive at a specific decision more easily. The approach also improves the accuracy of risk ratings because the data is expressed in measurable values rather than abstract terms. However, conducting a quantitative analysis requires precise data, a clear model of the system and an ordered list of risk factors; its output is no more accurate than the loss figures and probabilities fed into it.
The primary goal of a quantitative risk assessment is to assign a specific financial value to each identified risk. This value represents the financial loss the organisation would suffer from that risk. So, in the event of a breach, decision makers who have already performed a quantitative risk assessment are prepared to establish its financial impact on the organisation.
Quantitative risk analysis quantifies the possible outcomes, assesses the probability of achieving specific objectives, supports decision making under uncertainty and produces realistic, achievable targets. It is an accurate and thorough method that aids preparedness and decision making, but it is expensive and time-consuming. That is why it is not the first choice for the many organisations that operate on a smaller scale and lack well-organised cyber security practices.
Organisations that operate at a different level, where the risks are high and the damage a breach can cause is too great to bear, do opt for this analysis. That is why organisations with long-term goals and play-safe policies prefer to allocate a regular budget to countermeasures that can meet an unexpected situation.
DISTINCTION OF QUALITATIVE VS QUANTITATIVE APPROACH
Both methods have advantages and disadvantages.
The qualitative approach gives a clear, descriptive account of cyber risks, while the quantitative approach provides precise risk values for detailed analysis.
While both approaches support a cost-benefit analysis, the qualitative process focuses on identifying the risk and assigning a relative value of High, Medium or Low. In contrast, quantitative analysis examines the risk factors in depth and assigns a specific risk value (the expected financial loss) together with an exposure factor (e.g. 70%, the proportion of the asset's value that would be lost in a single occurrence). These values help decision makers make informed choices on critical risks.
Since the quantitative approach is data-driven, it needs a significant amount of accurate, up-to-date data, whereas a qualitative analysis can be performed with the data already available on the assets. Both methods offer a certain level of accessibility and efficiency, and they are often used in combination, for instance a qualitative pass to triage the whole register followed by a quantitative analysis of the top-rated risks, to reap the benefits of both approaches.
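The following is an added example, not part of the article, that runs the qualitative scale described above (likelihood and impact on 1 to 3, collapsed to Low, Medium or High) and the quantitative calculation (asset value multiplied by exposure factor gives the single loss expectancy, SLE; SLE multiplied by the annualised rate of occurrence gives the annualised loss expectancy, ALE, the standard formulation behind the article's "exposure factor" and "expected financial loss") over one constructed risk register, then prices a hypothetical countermeasure. The three scenarios, their values, the 3x3 matrix cut-offs and the control's cost and effect are all assumptions made for illustration.

```python
"""Worked risk-register example: the same three hypothetical scenarios rated
qualitatively (1-3 likelihood x impact) and quantitatively (SLE / ALE)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of a constructed, hypothetical risk register."""
    name: str
    likelihood: int         # qualitative: 1 = Low, 2 = Medium, 3 = High
    impact: int             # qualitative: 1 = Low, 2 = Medium, 3 = High
    asset_value: float      # quantitative: value of the affected asset, in currency units
    exposure_factor: float  # fraction of asset_value lost in one occurrence (0.7 == 70%)
    aro: float              # annualised rate of occurrence: expected events per year


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Collapse a 1-3 likelihood and a 1-3 impact onto Low/Medium/High.

    The product (1..9) is bucketed with a 3x3 matrix. The cut-offs below are an
    assumption for this example; each organisation defines its own matrix.
    """
    for value in (likelihood, impact):
        if value not in (1, 2, 3):
            raise ValueError("qualitative scores must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: the loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value")
    return asset_value * exposure_factor


def annualised_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year, the figure a budget is compared against."""
    if aro < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def control_net_value(s: Scenario, new_exposure_factor: float, new_aro: float,
                      annual_control_cost: float) -> float:
    """Cost-benefit of a countermeasure: the ALE reduction it buys minus its yearly cost.

    A positive result means the control pays for itself on expected loss alone.
    """
    before = annualised_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
    after = annualised_loss_expectancy(s.asset_value, new_exposure_factor, new_aro)
    return (before - after) - annual_control_cost


# Constructed register. Every value is an illustrative assumption, not measured data.
REGISTER = [
    Scenario("Ransomware on file server", likelihood=3, impact=3,
             asset_value=500_000, exposure_factor=0.7, aro=0.5),     # once every two years
    Scenario("Phishing credential theft", likelihood=3, impact=2,
             asset_value=200_000, exposure_factor=0.2, aro=2.0),     # twice a year
    Scenario("PLC setpoint tampering", likelihood=1, impact=3,
             asset_value=2_000_000, exposure_factor=0.9, aro=0.05),  # once in twenty years
]


def rank_register(register: list) -> list:
    """Rate every scenario both ways and sort by ALE so disagreements stand out."""
    rows = []
    for s in register:
        rows.append({
            "name": s.name,
            "qualitative": qualitative_rating(s.likelihood, s.impact),
            "sle": single_loss_expectancy(s.asset_value, s.exposure_factor),
            "ale": annualised_loss_expectancy(s.asset_value, s.exposure_factor, s.aro),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for row in rank_register(REGISTER):
        print(f"{row['name']:<28} {row['qualitative']:<7} "
              f"SLE={row['sle']:>12,.0f}  ALE={row['ale']:>10,.0f}")
    # Hypothetical control: offline backups for the ransomware scenario cut the
    # exposure factor from 70% to 20% and cost 30,000 a year; the ARO is unchanged.
    print("net annual value of offline backups:",
          f"{control_net_value(REGISTER[0], 0.2, 0.5, 30_000):,.0f}")
```

Run as written, the ranking shows the two scales disagreeing on the same register: the PLC scenario is only Medium on the matrix (unlikely but severe) and sits below the High-rated phishing scenario, yet its SLE of 1,800,000 is the largest in the register and its ALE of 90,000 exceeds the phishing scenario's 80,000. A planner working from the matrix alone would under-prioritise it. The control calculation turns the article's cost-benefit point into a number: cutting the ransomware ALE from 175,000 to 50,000 for 30,000 a year is worth 95,000 a year in expected loss avoided. Both results are only as good as the exposure factor and rate-of-occurrence estimates, which is exactly the data demand the article attributes to the quantitative approach.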
COMMON METHODOLOGIES FOR RISK ASSESSMENT
Certain common techniques and technologies are in vogue when it is time to perform qualitative or quantitative risk assessment. Especially, when the task is to determine whether existing threats are still relevant, if new threats have evolved, and how best to counter t