Risk assessment, or security risk analysis, is key to the security of any business or organization. It is crucial for making sure that controls are commensurate with the risks the organization is exposed to. Working out which security controls are commensurate and cost effective is often a complicated and subjective process; one of the main functions of security risk analysis is to put that process onto a more objective basis.
There are several specific approaches to risk analysis. Essentially, they break down into two distinct types – qualitative risk analysis and quantitative risk analysis.
Quantitative Risk Analysis
The quantitative approach uses two fundamental elements: the probability of an event occurring and the likely loss should it occur. From these it produces a single figure, called the ‘Annual Loss Expectancy (ALE)’ or the ‘Estimated Annual Cost (EAC)’: the potential loss from an event multiplied by its probability. Events can then be ranked by ALE and decisions made on that basis. The problems with quantitative risk analysis are usually associated with data unreliability and inaccuracy: probabilities are rarely precise, and controls and countermeasures often deal with a myriad of potential events which are themselves frequently interrelated. Despite these drawbacks, many businesses and organizations have adopted this type successfully.
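A worked illustration of the ALE arithmetic described above, added here and not part of the original article: it ranks constructed events by ALE, shows how the ranking can change when the probability estimate is uncertain, and tests whether a control is cost effective by comparing the ALE reduction it buys with its annual cost. The events, losses, probability ranges and the 12,000-per-year backup control cost are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One risk event with a loss estimate and a probability range (constructed sample data)."""
    name: str
    loss: float    # likely loss if the event occurs, in currency units
    p_low: float   # lowest credible annual probability of occurrence
    p_high: float  # highest credible annual probability of occurrence

    def ale(self, probability):
        """Annual Loss Expectancy: potential loss multiplied by annual probability."""
        return self.loss * probability

    def ale_range(self):
        """ALE under the low and the high probability estimate."""
        return self.ale(self.p_low), self.ale(self.p_high)


def rank_by_ale(events, estimate):
    """Event names from highest to lowest ALE, using the 'low' or 'high' probability estimate."""
    pick = (lambda e: e.p_low) if estimate == "low" else (lambda e: e.p_high)
    return [e.name for e in sorted(events, key=lambda e: e.ale(pick(e)), reverse=True)]


def control_net_benefit(ale_before, ale_after, annual_cost):
    """ALE reduction a control buys minus its annual cost; positive means it is cost effective."""
    return (ale_before - ale_after) - annual_cost


# Constructed figures for illustration only, not real loss or probability data.
EVENTS = [
    Event("ransomware outage", loss=400_000, p_low=0.05, p_high=0.20),
    Event("server room fire", loss=2_000_000, p_low=0.005, p_high=0.05),
    Event("laptop theft", loss=8_000, p_low=0.50, p_high=0.90),
]

if __name__ == "__main__":
    for e in EVENTS:
        low, high = e.ale_range()
        print(f"{e.name:18s} ALE {low:>10,.0f} .. {high:>10,.0f}")
    # The top-ranked event differs between the two estimates: the imprecise-probability problem.
    print("ranking (low estimates): ", rank_by_ale(EVENTS, "low"))
    print("ranking (high estimates):", rank_by_ale(EVENTS, "high"))
    # Assumed corrective control: offline backups at 12,000/year cut the ransomware loss
    # to 100,000 per occurrence but leave its probability unchanged.
    ransomware = EVENTS[0]
    for p in (ransomware.p_low, ransomware.p_high):
        ale_after = Event(ransomware.name, 100_000, p, p).ale(p)
        print(f"p={p:.2f}: net benefit {control_net_benefit(ransomware.ale(p), ale_after, 12_000):,.0f}")
```

The control pays for itself under both estimates here, but only narrowly at the low one, which is exactly the kind of margin the text warns is sensitive to unreliable input data.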
Qualitative Risk Analysis
The qualitative approach works with three interrelated elements: threats, vulnerabilities and controls. Vulnerabilities make a system more susceptible to attack by a threat, or make an attack more likely to succeed or to have an impact. In the case of fire, for example, the vulnerability would be the presence of flammable materials.
Threats are the things that can go wrong or that can attack the system; fire and fraud are two examples. Threats are always present for every system.
There are four types of countermeasures (controls) for vulnerabilities:
- Preventative controls – protect against vulnerabilities and make an attack unsuccessful or reduce its impact
- Deterrent controls – reduce the possibility of a deliberate attack
- Corrective controls – reduce the effects of an attack
- Detective controls – uncover attacks and initiate preventative or corrective controls
Whether you’re using a qualitative or quantitative security risk assessment approach, it’s important that controls are commensurate to the risk that your business/organization is exposed to.