Risk Assessment or security risk analysis is key to the security of any business or organization. It’s crucial for making sure that controls are equal to the risks that the organization is exposed to. To figure out which security controls are commensurate and cost effective is often a complicated and subjective process. One of the main functions of security risk analysis is to put the process onto a more objective basis.

There are several specific approaches to risk analysis. Essentially, they break down into two distinct types – qualitative risk analysis and quantitative risk analysis.

Quantitative Risk Analysis

The quantitative approach utilizes two fundamental elements; the probability of an event occurring and the likely loss should it occur. Quantitative risk analysis makes use of a single factor produced from these elements – called the ‘Annual Loss Expectancy (ALE)’ or the ‘Estimated Annual Cost (EAC)’. The calculation for an event is done by multiplying the potential loss by the probability. It’s possible to rank events by order of risk (ALE) and to make decisions based upon the ALE. With quantitative risk analysis, problems are usually associated with data unreliability and inaccuracy. Probability is rarely precise. Also, controls and countermeasures often deal with a myriad of potential events, which are themselves, frequently interrelated. Despite the potential drawbacks of quantitative risk analysis, many businesses/organizations have successfully adopted this type.

Qualitative Risk Analysis

This is without a doubt the most used approach to risk analysis. Probability data is not required and only estimated potential loss is used. Most qualitative risk analysis methods utilize a number of interrelated elements such as:

Vulnerabilities

Vulnerabilities make a system more susceptible to attack by a threat or make an attack more likely to have some success or impact. In a fire for example, vulnerability would be inflammable materials present.

Threats

Threats include the possible things that can go wrong or that can attack the system. Fire or fraud are possible examples. Threats are always present for every system.

Controls

There are four types of countermeasures (controls) for vulnerabilities:

1. Preventative controls – protect vulnerabilities and make an attack unsuccessful or reduce its impact
2. Deterrent controls – reduce the possibility of deliberate attack
3. Corrective controls – reduce the effects of an attack
4. Detective controls – uncover attacks and initiate preventative or corrective controls.

Whether you’re using a qualitative or quantitative security risk assessment approach, it’s important that controls are commensurate to the risk that your business/organization is exposed to.