Search in ISMS Guides


Saturday, July 28, 2007

Quantitative Risk Analysis

The difference between quantitative and qualitative RA is fairly simple: Quantitative RA
attempts to assign independently objective numeric values (hard dollars, for example)
to the components of the risk assessment and to the assessment of potential losses.
Qualitative RA addresses more intangible values of a data loss, and focuses on the
other issues, rather than the pure hard costs.
When all elements (asset value, impact, threat frequency, safeguard effectiveness,
safeguard costs, uncertainty, and probability) are measured, rated, and assigned
values, the process is considered to be fully quantitative. However, fully quantitative risk
analysis is not possible because qualitative measures must be applied. Thus, the
reader should be aware that just because the figures look hard on paper does not mean
it is possible to foretell the future with any certainty.
A quantitative risk analysis process is a major project, and as such it requires a project
or program manager to manage the main elements of the analysis. A major part of the
initial planning for the quantitative RA is the estimation of the time required to perform
the analysis. In addition, a detailed process plan must also be created, and roles must
be assigned to the RA team.
Preliminary Security Examination (PSE). A PSE is often conducted before the actual
quantitative RA. The PSE helps to gather the elements that will be needed when the
actual RA takes place. A PSE also helps to focus an RA. Elements that are defined
during this phase include asset costs and values, a listing of various threats to an
organization (in terms of threats to both the personnel and the environment), and
documentation of the existing security measures. The PSE is normally then subject to a
review by an organization’s management before the RA begins.
Automated Risk Analysis Products
There are several good automated risk analysis products on the market. The main
objectives of these products is to minimize the manual effort that must be expended to
create the risk analysis and to provide a company with the ability to forecast its
expected losses quickly with different input variations. The creation of a database
during an initial automated process enables the operator to rerun the analysis using
different parameters—to create a what if scenario. These products enable the users to
perform calculations quickly in order to estimate future expected losses, thereby
determining the benefit of their implemented safeguards.

No comments: