IT Security Risk Assessment Methodology: Qualitative vs Quantitative

Last updated by Abi Tyas Tunggal on November 27, 2019

scroll down

Formulating an IT security risk assessment methodology is a key part of building a robust information security risk management program. 

The two most popular types of risk assessment methodologies used by assessors are:

  1. Qualitative risk analysis: A scenario-based methodology that uses different threat-vulnerability scenarios to try and answer "what if" type questions. These assessments are subjective in nature.
  2. Quantitative risk analysis: Assigns a numeric value to different risk assessment components. Accessors aim to quantify all elements (asset value, threat frequency, safeguard effectiveness, uncertainty and probability) to answer questions like "How much would a data breach cost us?" and "How long is an acceptable amount of time offline before we need to initiate our incident response plan?"

Table of contents

  1. What is a risk assessment?
  2. When should risk assessments be conducted?
  3. Why is a risk assessment process important?
  4. Is a quantitative or qualitative risk assessment methodology better?
  5. What are the obstacles to effective risk management?
  6. How UpGuard can improve your risk assessment process

1. What is a risk assessment?

A risk assessment is a process that aims to identify cybersecurity risks, their sources and how to mitigate them to an acceptable level of risk. 

The process generally starts with a series of questions to establish an inventory of information assets, procedures, processes and personnel. 

This allows your organization and its accessors to understand what your key information assets are and which pose the highest risk. Risk is generally calculated as the impact of an event multiplied by the frequency or probability of the event. 

Regardless of whether your organization uses a qualitative or quantitative risk assessment process, there is some level of decision making required. This generally comes in the form of a cost/benefit analysis to determine which risks are acceptable and which must be mitigated.  

A robust risk assessment process will focus on all aspects of information security including physical and environment, administrative and management, as well as technical controls.

This is a laborious process for assesors that requires strong quality assurance and project management skills, and becomes harder as your organization grows. Driven by the increasing pace of information systems, processes and personnel change, as well as the introduction of new cyber threats, vulnerabilities and third-party vendors.  

2. When should risk assessments be conducted? 

Risk assessments must be conducted across the lifecycle of an information assets, as business needs change and new attack vectors emerge. 

By employing a continuous risk assessment approach, organizations can identify emerging cybersecurity risks and controls that need to be put in place to address them. 

As with any other process, security needs to be continually monitor, improved and treated as a part of overall product/service quality. 

Consider conducting a risk assessment whenever security gaps or risk exposures are found, as well as when you are deciding to implement or drop a certain control or third-party vendor

As with any information risk management process, this is largely based on the CIA triad (confidentiality, integrity and availability) and your business needs.

To streamline the risk assessment process, organizations should have internal security policies and standards that mandate security requirements, processes and procedures across the organization and its vendors, e.g. only using third-party vendors with SOC 2 assurance and a security rating above 850. 

3. Why is a risk assessment process important?

Cybersecurity is largely about risk mitigation. The moment you connect to the Internet, rely on new information technology or onboard a new third-party vendor, you introduce some level of risk. 

Risk assessments identify key information assets, what their value is (qualitative or quantitative) to the organization, as well as its customers and partners.   

With this information, management is better able to understand its risk profile and whether existing security controls are adequate. 

This is becoming increasingly important due to the rise of outsourcing and a growing reliance on vendors to process, store and transmit sensitive data, as well as to deliver goods and services to customers. 

Pair this with growing regulation focused on the protection and disclosure of personally identifiable information (PII) and protected health information (PHI) and the need for clear risk assessment methodology has never been higher.

Understand every piece of technology, vendor and employee is a potential attack vector, whether from social engineering attacks like phishing and spear phishing or technology-based attacks like the exploits of CVE-listed vulnerabilities, man-in-the-middle attacks, ransomware and other types of malware.

To minimize potential loss and remain operational, every level of your organization need to understand security requirements and a robust risk assessment methodology can do a lot to mitigate identified risks.  

As a result of risk assessments, staff become more aware of cyber threats and learn to avoid bad practices that could be detrimental to the information security, data security and network security, raising security awareness and helping incident response planning

4. Is a quantitative or qualitative risk assessment methodology better?

There are pros and cons to quantitative and qualitative risk assessment methodologies. Best-in-class organization employ a hybrid approach that takes into account quantitative and qualitative inputs. 

Risk management is focused on making risk-adjusted decisions to enable your organization to operate efficiently, while taking on as much or as little risk as you deem acceptable. 

And the only way to do that is to understand what risks you have, what you are willing to accept and which you wish to transfer, mitigate or avoid. For example, you may choose to ignore a high risk with extremely low probability, e.g. Amazon discontinuing Amazon Web Services, because you decide it's not cost effective to mitigate it.

In contrast, a different organization with a lower risk tolerance may decide to straddle two cloud service providers to mitigate the risk. 

Regardless of your risk profile, there is always residual risk as it's just not cost effective to mitigate everything.

  Pros Cons
Qualitative
  • Qualitative analysis is a simpler assessment approach, there are aren't any complex calculations
  • Determining the monetary value of assets isn't always necessary or possible to value intangible assets like reputation and customer goodwill
  • It is not necessary to quantify threat frequency
  • Easier to involve non-security and non-technical staff
  • Subjective in nature
  • Results and quality of the assessment depend on expertise and quality of risk management team
  • Limited effort to understand monetary value of assets
  • No cost/benefit analysis for risk mitigation techniques e.g. cost of implementing security controls and security policies
Quantitative
  • Quantitative analysis is based on objective processes and metrics, removing subjectivity
  • Assets value and risk mitigation options are well understood
  • Cost/benefit assessments are heavily employed, helping senior management mitigate high-risk activities first
  • Results can be expressed in management-specific language (e.g. monetary value and probability) 
  • Quantitative approaches can be complex and time-consuming
  • Historically only works well with a recognized automated security management tool and associated knowledge base
  • Requires preliminary work to collect and quantify different risk information
  • Generally not focused on the personnel level, security awareness training may be overlooked

5. What are the obstacles to effective risk management?

A common complaint from security management teams is that they do not have the time to do in-depth risk assessments. 

Even for those that do, they often struggle with where to start. This is because there isn't one industry standard that everyone accepts as best practice.

Moreover, most guidelines like ISO 27001 and NIST Security Self Assessment Guide for Information Technology Systems, SP 800-26 are general in nature and don't provide enough details about how to conduct a proper risk assessment.  

This has led to many organizations outsourcing the risk management process to external vendors who have expertise in conducting proper risk assessments. They can also help your organization create effective policies like a vendor management policy and third-party risk management framework.

However, as organizations grow in size and complexity and the number of third-party vendors grow, it becomes expensive to outsource. You also don't want your organization to become reliant on an external vendor to make important business and risk mitigation decisions.  

This is why more and more organizations are insourcing their risk management and vendor risk management programs. 

Cyber security ratings tools can help scale your risk management team by automatically monitoring and assessing first, third and fourth-party security posture. This allows your risk management team to focus on the most high risk, high impact fixes first and exponentially increases the number of third-party vendors one person can manage. 

Vulnerability assessments allow small teams to scale up and understand third-party risk and fourth-party risk in real-time. 

If your organization lacks risk management expertise or just wants to scale their risk management team, consider investing in a tool that can automate vendor risk management, provide vendor risk assessment questionnaire templates and monitor for first-party risk and leaked credentials.

6. How UpGuard can improve your risk assessment process

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.

We're experts in data breaches, our data breach research has been featured in the New York Times, Bloomberg, Washington Post, Forbes, Reuters and Techcrunch.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry. 

Each vendor is rated against 50+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.

UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection. 

If you'd like to see how your organization stacks up, get your free Cyber Security Rating

Book a demo today.


Related posts

Learn more about the latest issues in cybersecurity