The challenges involved in performing a quantitative information security risk analysis are that it requires a strenuous amount of effort, is very expensive, demands performance satisfaction, and is time consuming. This is due to the fact that it is more time consuming to calculate the cost of all elements of the risk analysis process. For example, a quantitative risk analysis would calculate the probability of a threat occurring and how much it would cost if it were to occur, as well as the software to prevent it from happening. This helps allocate the budget of the company and prioritize certain risks, given that each is given a monetary value. Due to its objective process it takes a long time to perform and requires data to perform; if a company doesn’t have data, then they would have to opt for a qualitative risk analysis.
I agree with you Wilmer. Quantitative assessments are a thorough, expensive investment that not all stakeholders might be willing to commit to. Perhaps, as described in the ISACA Risk IT Framework, the best course of action is for entities to blend quantitative assessments with those of qualitative features.
Convincing stakeholders of anything regarding cybersecurity spending is always inevitably difficult, as it is spending to prevent loss rather than spending to make a profit. Going the extra mile to spend more to be able to gather enough threat assessment data to construct proper quantitative risk assessments is even less likely to be accepted by stakeholders, who usually inaccurately see only a loss on the bottom line, despite the greater benefit of doing so. The extra up-front cost to construct a quantitative risk assessment would over time result in significantly larger dollar amounts of prevented data loss or downtime.
There are many challenges involved in performing a quantitative information security risk analysis. One of these is that when an organization is performing a security risk analysis of themselves, there tends to be implicit bias towards the way the company currently handles information security and risk management, potentially justifying potentially bad practices. An individual within the company attempting to perform a quantitative information security risk analysis will find it almost impossible to be impartial because of this, and find it difficult to obtain all the necessary data in order to perform the analysis. While it is easy to assess the perimeter defenses of an organization, an organization must also make sure that its employees do not overlook some fundamental security mechanisms, such as: changing default account passwords, using robust passwords, closing unnecessary ports, restricting physical access and using administrative accounts for administrative tasks.
It is imperative that the risk analysis is conducted by an outside source. There is actually an advantage to having a team of professionals who are well versed in the information security industry come into a different organization where they are oblivious to that company’s culture and politics. This will allow them to ask the difficult questions that need to be asked, and avoid the assumptions and bias that someone within the company is likely to have. Furthermore, there are many consulting firms who can provide this service.
Risk assessments often begin with properly inventorying all known assets, including intangible assets like intellectual property. “Today, it is intangibles that account for more than 80% of listed company value” (Vacca, 2017). Additionally, conveying the “real-world” impact or loss of a declared risk to non-technical organizational members is no easy task. Developing a data flow chart can assist with understanding where potential vulnerabilities may exist within the organization. Adversaries are automating attacks, making it increasingly difficult to anticipate the level and frequency a business may be targeted and therefore quantify the amount of resources needed to prevent an incident or loss.
Suppose information security best practices aren’t enforced from the top down by the board and other executive-level employees. In that case, the potential for the security program to fail and result in damage to the business is high. Humans will always be the weakest link in the security chain – it doesn’t matter what state-of-the-art EDR the company has in place if a negligent employee falls for a social engineering attack. Variables such as these make it difficult to account for employee behavior, both malicious and non-malicious, when sharing proprietary information. Depending on the organization’s size, this can be a time-consuming (and even costly) endeavor to map risk and value to the identified assets and even then it is a constantly evolving process.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
I agree with your statements regarding the enforcement of best practices. If the security practices aren’t enforced from the top down, as you said, the organization will have a hard time mitigating risk. The data flow chart is a great idea to help identify risk, but ultimately I think it will come down to providing organizational training and setting up checkpoints to reduce human error.
In addition to quantitative metrics, all businesses have qualitative aspects that may be difficult to quantify in such an assessment. For example, reputational damage resulting from a data breach. Potential lost sales can be calculated by comparing previous numbers and modeling these out over different lengths of time, i.e. the breach required 4 days to remediate which is approximately $10,000 in sales.
It’s far more difficult to assign a value to reputational damage and how this may affect the business going forward. This makes conversations about how much to invest in mitigation difficult, as there’s more uncertainty about the true impact of such an event.
Quantitative information security risk analysis deals with the numerical likelihood of a threat occurring. The outcome of a quantitative risk analysis is an estimated monetary value of a loss or gain with the associated risk scenarios. One of the challenges with quantitative risk analysis is gathering data and the time associated with it. Data related to an organization’s operating environment and risk events can consist of many variables. It is not always the case that the data will be sufficient to be used in a quantitative risk analysis, which in turn could reduce the accuracy of the analysis.
Another challenge is making sure the estimates for the loss or gain values are reasonable. This ensures there is no evidence of ‘gaming the system’ to obtain the desired outcome as stated in The Risk IT Framework.
Cost can also become a challenge as you need many resources to gather data and hire a third-party vendor to conduct the analysis. You may be able to conduct the analysis in-house, but this creates a biased environment where problematic areas are overlooked, and increases the chances of ‘gaming the system’.
Source: ISACA. (2009). The Risk IT Framework. ISACA.
I liked the examples that you gave when it comes to the challenges organizations face when trying to conduct a quantitative security risk analysis.
I feel like a lot of these challenges are up to senior management to decide whether or not they want to devote the time, effort and cost associated with information security.
I also really liked how you included that even when companies have the resources to perform a quantitative risk analysis, it’s usually better to hire a third-party because of bias. Justifying bad practices because it’s the ‘norm’ for the company can have huge ramifications!
Quantitative assessment is the most thorough method of performing a risk analysis. Challenges that involve performance of this type of analysis would be data integrity loss – where there’s an alteration in data; accidental errors – where there is improper use of data due to incorrect use and not malicious intent; also computer virus – where program(s) may perform a variety of unusual functions due to an infection.
I think you raise a good point about accidental errors here. It would be interesting to quantify how often mistakes happen during the risk assessment process.
I agree with what you said. The accidental errors and computer viruses you mentioned belong to improper use of data due to incorrect use rather than malicious intent, but they still cause danger. Without a robust process, leaders will blindly believe in their cyber risk status and ignore warning signs, causing potential losses in finance, operations, and reputation.
What challenges are involved in performing a quantitative information security risk analysis?
One of the biggest challenges is the magnitude of the work involved in generating a quantitative risk analysis. It requires a complete inventory of all assets, a detailed assessment of the value of each asset and then applying the variety of negative impacts that could happen in addition to probability of that occurrence. In a large and complex organization, this can require a remarkably large amount of work to calculate and maintain. The vibrant and rapidly changing environments we live and operate within today make this approach difficult and often unwieldy as an approach to maintain in real-time.
I like your point. It seems, based on the consensus, that quantitative risk assessments might be relative to the size or scope they are trying to analyze. Ultimately, in a large-scale organization it would skyrocket the investment, become incredibly complex to analyze, and result in high cost. It makes me think of scenarios in which this would be applicable, especially at a large corporation.
There are many challenges for performing a quantitative information security risk analysis.
The first challenge is collecting accurate data. It is recommended that infosec professionals hire outside consultants, since the professional working inside the company may have unconscious bias surrounding what type of vulnerabilities exist on their company’s network. Or they may be unknowingly turning a blind eye to some issues. An outside consultant has the benefit of looking at the situation with a fresh perspective. These people also have seen all types of network configurations and industries, so their experience is very valuable.
Another challenge is how quickly the cyber world is evolving. Every day, new vulnerabilities emerge and it can be difficult to stay on top of what vulnerabilities may be present on your network. This means that the risk analysis is never-ending. You have to continually keep an eye out for critical vulnerabilities and do a fresh re-assessment of your company’s infosec risk at least once a year (if not more frequently).
Another potential challenge is gaining board-level support for completing the infosec risk assessment. Ultimately, during the assessment you need to analyze the security of all endpoints and systems on the network. This means you need insight into all functions and divisions. If upper management isn’t encouraging this deep-dive into the infosec risk analysis, the data you gather will be incomplete.
I like how you gave thoughtful examples of what they are supposed to do to evaluate their assets and implement a method to secure them. Like you said, as the cyber world is evolving, new policies and procedures should be put in place on how well an organization must identify their issues, keep track of them, protect their information and react if something bad happens. The less analysis, the less secure the systems and the more threats they will face.
Madalyn, I agree 100% that a very challenging part of performing a quantitative information security risk analysis is getting everyone in upper management on board. It is due to the fact that they have to provide the consultant with data to work with so that they can get a fresh set of eyes on every function and part of the security system.
There are a lot of challenges involved in performing a quantitative information security risk analysis, but one of the biggest challenges is to ask mindful questions in order to avoid errors and attacks. Before performing a quantitative information security risk analysis, the company needs to evaluate all the assets that they have and make sure they are all protected. It’s easier for smaller companies, as it doesn’t require a lot of work, but for bigger companies it’s time consuming and so cost effective. When evaluating those assets or data, they will then have a better understanding of how much money they can allocate to get more software to protect their data. The IT team needs to create a defined budget and procedure in which they explain why some assets need more security than others. For that they need to do some online and written assessments based on integrity and have some projections of what may happen in the future and how to react if that happens. Implementing new rules and policies on who needs to have access to which system or data will also reduce the threats. The effectiveness of the systems is also a good point to touch base on, as if one system is running incorrectly, then it affects all the analysis they will make to secure the data.
It is important for a company to evaluate their assets, and when doing so, it is also important that there are no vulnerabilities and that all assets (including infrastructure) be protected with the same effort as a high-value asset to reduce the likelihood that it could potentially “be an entry point into your network and provide access to valuable data.” (Vacca, 2017)
I’m sure there are many perceived challenges when an information technology security professional conducts a quantitative information security risk analysis. However, first and foremost it should be noted that it should not be conducted by anyone who has ties to the organization. Moreover, I believe any problems that are presented should be rectified by using the guidelines of the ISO/IEC 27001 standard or the “NIST Framework” document. An advantage of “NIST’s approach is that it is easily adaptable to firms of all sizes and risk profiles, and can be very cost-effective.” (Vacca, 2017)
However, in my opinion I think the real challenge is more so in the planning part as opposed to the assessment of the risks. I think it is more difficult to plan for business continuity and to try to be prepared for when a data breach actually does happen. Furthermore, it seems that having a contingency plan that enables the company’s most critical functions to continue while trying to rectify the situation could prove to be a complicated task.
Many companies see establishing a quantitative information security risk analysis as being expensive and time consuming. All parties with interest in the company should have a shared understanding of expectations. “Establishing an appropriate set of expectations before, during and after the assessment is paramount to achieving an acceptable outcome…” (Vacca, 2021)
Although it can be a cumbersome process, information security risk analysis is vital to any successful business. Businesses should focus on the ways a risk analysis can be accomplished. Oftentimes, taking the first step towards creating a complex plan can be intimidating. The information security risk assessment is not a part of the business that can be left out.
If you are a small company, many times an in-house approach will be utilized. The downside of using an employee is that they have bias towards information and can inappropriately create shortcuts in the risk analysis, therefore creating inefficient and skewed results. This approach is cheaper; however, it could prove not as effective as outsourcing the analysis to an outside vendor whose sole job is to provide information security risk analysis. A third-party vendor can be beneficial due to the unbiased nature and vast knowledge they hold in providing next steps and adjustments to security plans.
Vacca, J., 2021. Computer and Information Security. 3rd ed. Cambridge: Todd Green, p.31.
Quantitative risk analysis, like anything, has its pros and cons. Mainly, the obstacle that will be faced is that quantifying information is generally a complex process. As opposed to qualitative; qualitative focuses more on objective data, which usually requires automation and represents risk in values. However, these values that are generated are up to the interpretation of the experts that are generating them, which in return poses a risk in itself if the experts are wrong.
I’m in agreement with you that quantitative risk analysis poses pros and cons like just about everything else. It’s important to understand that just because there are advantages to quantitative risk analysis, that doesn’t mean that this approach is always the best option. Not only can this approach be very costly, but it is also complex like you mentioned. One of the more difficult things about the quantitative risk approach is implementing it through every chain of the company and getting every employee on board. It can also be deemed as hard to understand because all results are portrayed in monetary value. For employees with no experience, this could be challenging to understand.
One challenge involved in performing a quantitative IS risk analysis is that the quantity of both risks and information is constantly increasing. This means that periodically, even every day, there are more endpoints and vulnerabilities of a network, and also more information to secure.
Another challenge in performing quantitative IS risk analysis is that the losses due to IS breaches are so volatile. A company may be able to predict the best case scenario of no loss, but what is the worst possible loss? What if a company holding customer credit card information gets hacked, and every single card is maxed out? What is the probability of the previously mentioned loss? What is the average loss of a cybersecurity breach in a given industry or geography?
As time goes on, it may be easier to average-out the quantities of loss related to IS risk (due to more data points on the topic), but because of the reasons above, it will likely never be easy.
Thanks for sharing, Michael; you posed a lot of great questions. I’d like to piggyback on your ideals that a system can be secure today but vulnerable tomorrow due to the ever-changing IT systems and technologies. I definitely agree that we are seeing more and more breaches, but I think it’s interesting from a laws and regulations perspective that companies really aren’t being punished or even held accountable if one of their systems is compromised. An example that comes to mind is the First American Financial breach from May 2019, which was responsible for leaking roughly 800 million documents, many containing sensitive financial data around real estate transactions. As a result of the breach, the only punishment First American Financial received was a $500,000 fine, which in my opinion is a punishment that will not bring about any significant improvements or even thoughts of improving their security posture. In the end, I think holding organizations more accountable and deploying, for lack of a better term, harsher consequences when a breach occurs will encourage organizations and their employees to identify and quantify risks that exist in their respective environments.
There are great challenges in conducting quantitative information security risk analysis.
Without a robust process, leaders will blindly believe in their cyber risk status and ignore warning signs, ultimately causing potential financial, operational, and reputation losses.
Risk models such as value-at-risk method play an important role. They not only integrate the input content, but also provide decision-makers with indicators as consideration factors. But there are inherent problems. The output and input are almost the same, neither of which can quantify all risks.
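The posts above ask what the worst possible loss is, how probable it is, and what a value-at-risk style model adds beyond a single number. The following Python script is an added example, not code from any post on this page, that shows how those questions are usually worked in practice: the textbook point estimate ALE = SLE × ARO next to a Monte Carlo run that draws a yearly event count from a Poisson distribution and a loss size per event from a lognormal distribution, then reports the mean annual loss, the 95th-percentile loss and the worst simulated year. The scenario name, the median single-loss figure, the spread parameter sigma and the annual rate are constructed assumptions for illustration; the spread parameter is the knob that stands in for "how good is our data", and widening it is what pushes the tail out.

```python
import math
import random

# Constructed inputs for a hypothetical "customer database breach" scenario.
# The median single-loss figure, the spread and the annual rate are assumptions
# for illustration, not figures from any real assessment.
SCENARIO = {
    "name": "customer database breach (constructed)",
    "sle_median": 250_000.0,  # median single-loss expectancy in dollars
    "sigma": 0.8,             # log-scale spread: how uncertain the loss size is
    "aro": 0.2,               # annualized rate of occurrence (events per year)
}


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Textbook point estimate: ALE = SLE x ARO."""
    return sle * aro


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Number of events in one year for a given annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def percentile(values, q: float) -> float:
    """Nearest-rank percentile of a list (q between 0 and 1)."""
    ordered = sorted(values)
    index = int(q * (len(ordered) - 1))
    return ordered[index]


def simulate_annual_loss(sle_median, sigma, aro, trials=20_000, seed=7):
    """Monte Carlo annual loss: Poisson event count, lognormal loss per event.

    Returns the simulated mean annual loss, the 95th-percentile loss (a
    value-at-risk style figure), the worst simulated year and the share of
    simulated years with any loss at all.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(sle_median)  # lognormal median == exp(mu)
    yearly = []
    for _ in range(trials):
        events = sample_poisson(aro, rng)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return {
        "mean": sum(yearly) / trials,
        "var95": percentile(yearly, 0.95),
        "worst": max(yearly),
        "prob_any_loss": sum(1 for y in yearly if y > 0) / trials,
    }


def analytic_mean_annual_loss(sle_median, sigma, aro):
    """Closed form for the same model: ARO x mean of the lognormal loss."""
    return aro * sle_median * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    s = SCENARIO
    ale = annualized_loss_expectancy(s["sle_median"], s["aro"])
    print(f"{s['name']}: ALE point estimate ${ale:,.0f}")
    # Narrow, assumed and wide spreads: less certain loss data widens the tail.
    for sigma in (0.4, s["sigma"], 1.2):
        r = simulate_annual_loss(s["sle_median"], sigma, s["aro"])
        print(f"sigma={sigma}: mean ${r['mean']:,.0f}  95th pct ${r['var95']:,.0f}  "
              f"worst ${r['worst']:,.0f}  P(any loss)={r['prob_any_loss']:.2f}")
```

The point estimate hides two things the simulation makes visible: most simulated years have no loss at all (roughly 1 - e^-0.2, about 18%, have one or more events), and the 95th-percentile year is several times the mean, which is the figure a budget conversation about "how bad can it get" actually needs. Every output is only as good as the three inputs, which is the data-availability problem the thread keeps returning to.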
Quantitative assessment is the most thorough method of performing a risk analysis. This also makes it the most expensive and time-consuming process – and therefore not the ideal first choice for cash-strapped or smaller-scale enterprises.
What challenges are involved in performing a quantitative information security risk analysis?
The goal of quantitative information security risk analysis is to calculate numeric values associated with each component that results after risk evaluation. This can be very challenging because it involves gathering and having detailed knowledge of all the business assets and coming up with the real value of the assets, taking into consideration the cost of replacement, the cost of the productivity loss, the cost of brand reputation damage and other values that represent direct or indirect assets for the organization. This can be a grueling task, as it is very time consuming, the calculations can be very complex and hard to understand without experience, and some risk values could be subjective in certain cases.
Hello Jason,
That’s true that it requires more detailed information on all of the business assets. There also could be some information assets that cannot be scaled on a number, and they will need to be measured using a qualitative approach. That could affect the result of the quantitative risk analysis. When gathering information on all of the business assets, if any inaccurate information is obtained, then it will also produce an inaccurate result for that risk analysis.
Performing a quantitative information security risk analysis is challenging due to the ubiquitous and dynamic landscape of modern security threats. Threat actors are continuously engaging companies with attacks using only minimal equipment and easy-to-use tools. This unpredictability makes it hard to predict when an attack will happen and how severe it will be. The unpredictability of this makes attempting to quantify these risks a costly and time-consuming challenge. It requires the company to continuously pour resources and man-hours into analyzing the ever-changing risks. Because the risks are always evolving, it is imperative to actively monitor and modify any risk analysis one makes. It is also challenging due to the biases of internal assumptions. It becomes crucial to not only rely on internal assessment, but to look outside for independent advice. Doing this is also expensive, which is another reason why making these quantitative information security risk analyses is costly.
The complexity of the components that lay the foundation for and make up information security inherently makes performing a quantitative information security risk analysis challenging. The process requires help from almost all aspects of the organization, including the board of directors, IT and business management, and IT and business users who are responsible for performing daily tasks and activities. It’s not enough that people from each of these areas are involved; each must hold a sound understanding of what risks, whether they are reputational, financial, etc., their component (i.e. technical, business) poses to the organization. On top of this, each must understand the level of impact that is associated with the risk, and each area must be able to evidence and present why their component provides a certain level of risk. Organizations that combine and understand risks across each management level and component are typically able to better quantify expected results for subsequent monitoring and review. In cases where organizations do a poor job of understanding risk across all management levels and components, potentially significant risks could go unmitigated, ultimately opening an organization up to be compromised.
The major challenge involved in performing a quantitative information risk analysis is the lack of management support and initiative. The reason being that the tone at the top always dictates how processes will be implemented within any organisation. Secondly, a fallout of the aforementioned is the unavailability of data due to the lack of policies and procedures to clearly state roles, responsibilities, procedures and expectations in the risk process to create accurate risk data enterprise-wide. In the absence of all these, the lack of certain ingredients such as the risk register, risk awareness, a properly set up risk management program, and overall asset management processes for validating inherent and residual risk will always exist. All these create problems that prevent organizations from accurately determining the risk posture of an entity.
Quantifying some risks in information security is certainly difficult; there may be some guesswork involved based on the assessor’s available information. Some data may be difficult to obtain: there may be availability issues. More entities to consider in quantifying information security risks are the key risk indicators. It is important to note how these are defined as they will determine the result of the risk assessment. The risk indicators should not be too generic so that they do not directly assess risk in the environment, and they should also not be too challenging to measure, skewing data and poorly illustrating the business impact of the associated risks.
The challenges involved in performing a quantitative information risk analysis is the expense and financial outlook. Especially during the worldwide pandemic, COVID-19, a lot of businesses shut down. With the amount of financial information within a company performing a risk analysis, the company is at risk for a breach. However with a quantitative information risk analysis, it can help companies on how to proceed to ensure that their information is protected in the best way possible.
Many organizations struggle in attaining a formal quantitative information security risk assessment. One of the most common reasons is the business outlook on security; executives care about profitable investments (i.e. mergers, capital ventures, etc.). Security is viewed as a necessary evil that does not drive profit in a company, but prevents economic decline. With limited budgets, executives might want to drive projects to boost the company’s stock or increase annual revenue, not security. Another example of this is resources. Quantitative security assessments are lengthy, expensive ventures that can involve third-party auditors/consultants, create a need to hire more compliance/information security personnel, and maintain annual certifications with even more company dollars. The price, dedication, and time comprising essential security risk assessments have been historically overlooked; but in a day and age where companies are getting hacked more than ever, this obstacle is slowly declining.
In digitalization most organizations switch over to a network, so quantitative information risk analysis is most important. Many companies perform quantitative information security risk analysis, however it can be extremely time consuming and expensive. All organizations and shareholders need to have a shared understanding of security risk analysis for a successful outcome to be achieved.
A major challenge to quantitative Information Security risk analysis is that the information around the world is being shared at an increasingly high speed daily. And various attacks, breach of information, loss of security information, are causing organizations to lose their reputations and business.
One important role of quantitative information security risk analysis is to calculate the numeric valuation of each component that results after risk evaluation. It’s very challenging as it involves detailed evaluation of organization business assets that need to recover or be replaced. Furthermore quantitative information security risk analysis keeps becoming more challenging day by day due to new emerging security threats or attacks.
There are many challenges while performing a quantitative information security risk analysis. It involves using numbers to perform the risk analysis. As an example, if there is a project that the company is about to begin, then they will need to know the hours it will need to be worked on and the resources it will require. Underestimating the hours or the resources could impact the cost of the project while working on it. When performing the quantitative risk analysis, it requires more, and more accurate, data to perform the analysis, or it could provide an inaccurate result.
What challenges are involved in performing a quantitative information security risk analysis?
Some of the challenges that are involved with performing a quantitative information security risk analysis include complexity, implementation, result presentation, and cost. The quantitative risk analysis process along with the calculations performed can be very complex. Implementing this approach within a business can be difficult, as it will be hard to get everyone from the CEO down to entry level employees all on the same approach. When it comes to results, quantitative risk analysis poses a challenge because all results will be shown in monetary values, and this can be a challenge to understand for people with little to no experience. Lastly, performing a quantitative risk analysis can be very expensive due to the long amount of time that the analysis will take to be implemented.
I am in agreement with some of your assertions in your write-up. But you must understand in the same vein that in the absence of supporting data to calculate and quantify the probability of a deliberate or intentional human attack on information assets, risk assessors can, at the right time contingent on the knowledge of the business, its culture and people and their experience.
Admittedly, undertaking risk assessments and the determination of return on investment on information security appears to be increasingly problematic. However, although COBIT 5 explained governance issues, standards and good practices in order to provide numerous indicators and suggested metrics, quantifying information security in business terms still remains cumbersome in this regard.
The repercussion of security events on the business depends on awareness of incidents, the IT systems and services that are most important to aid business processes, and the determination of the impact of their malfunctions on business operations. Hence, obtaining that knowledge is contingent on business process owners, and they are the only people who could perform and quantify the operational, financial, and regulatory effect of disruptions. The challenge of information security risk is that the effect on reputation is clearly seen to be difficult to calculate with accuracy. Another challenge of quantitative information security risk is how to evaluate intangible assets such as databases.
Quantitative risk assessment brings numbers into the equation, analyzes the likelihood of specific threats, and uses pre-determined measurement scales to determine the risks or losses associated with these threats. Measurable and objective data is needed to determine the value of each enterprise’s assets and calculate the probability and risk value. Quantitative assessment is the most thorough method for risk analysis.
The quantitative risk analysis process can be copied by anyone, including an outside source from the company. These outcomes are usually in terms of money and how much an organization can lose. Quantitative risk analysis problem can also be due to insufficient detailed information that is utilized to develop a successful quantitative risk management strategy.
In order to establish the risk and losses associated with threats, quantitative risk assessment brings numbers with analysis based on likelihood. It helps to associate a specific financial amount with each identified risk. However, there is a need for software tools that would require training for staff, and outputs need careful interpretation, which requires understanding of statistical principles. The complexity of the process brings challenges, and handling it takes a long time as well.
Yes, this is correct!
It is imperative that the risk analysis is conducted by an outside source. There is actually an advantage of having a team of professionals who are well versed in the Information Security industry, come into a different organization where they are oblivious of that company’s culture and politics. This will allow them to ask the difficult questions that need to be asked, and avoid assumptions and bias that someone within the company is likely to have. Furthermore, there are many consulting firms who can provide this service.
Risk assessments often begin with properly inventorying all known assets, including intangible assets like intellectual property. “Today, it is intangibles that account for more than 80% of listed company value” (Vacca, 2017). Additionally, conveying the “real-world” impact or loss of a declared risk to non-technical organizational members is no easy task. Developing a data flow chart can assist with understanding where potential vulnerabilities may exist within the organization. Adversaries are automating attacks, making it increasingly difficult to anticipate the level and frequency a business may be targeted and therefore quantify the amount of resources needed to prevent an incident or loss.
Suppose information security best practices aren’t enforced from the top down by the board and other executive-level employees. In that case, the potential for the security program to fail and result in damage to the business is high. Humans will always be the weakest link in the security chain – it doesn’t matter what state-of-the-art EDR the company has in place if a negligent employee falls for a social engineering attack. Variables such as these make it difficult to account for employee behavior, both malicious and non-malicious, when sharing proprietary information. Depending on the organization’s size, this can be a time-consuming (and even costly) endeavor to map risk and value to the identified assets and even then it is a constantly evolving process.
Vacca, J., 2017. Computer and Information Security Handbook. 3rd ed. Cambridge: Morgan Kaufmann.
I agree with your statements regarding the enforcements of best practices. If the security practices aren’t enforced from the top down as you said, the organization will have a hard time mitigating risk. The data flow chart is a great idea to help identify risk, but ultimately I think it will come down to providing organizational training and setting up check points to reduce human error.
In addition to quantitative metrics, all businesses have qualitative aspects that may be difficult to quantify in such an assessment. For example, reputational damage resulting from a data breach. Potential lost sales can be calculated by comparing previous numbers and modeling these out over different lengths of time, i.e. the breach required 4 days to remediate which is approximately $10,000 in sales.
It’s far more difficult to assign a value to reputational damage and how this may affect the business going forward. This makes conversations about how much to invest in mitigation difficult, as there’s more uncertainty about the true impact of such an event.
Quantitative information security risk analysis deals with the numerical likelihood of a threat occurring. The outcome of a quantitative risk analysis is an estimated monetary value of a loss or gain with the associated risk scenarios. One of the challenges with quantitative risk analysis is gathering data and the time associated with it. Data related to an organization’s operating environment and risk events can consist of many variables. It is not always the case that the data will be sufficient to be used in a quantitative risk analysis; this in turn could reduce the accuracy of the analysis.
Another challenge is making sure the estimates for the loss or gain values are reasonable. This ensures there is no evidence of ‘gaming the system’ to obtain the desired outcome as stated in The Risk IT Framework.
Cost can also become a challenge as you need many resources to gather data and hire a third-party vendor to conduct the analysis. You may be able to conduct the analysis in-house, but this creates a biased environment where problematic areas are overlooked, and increases the chances of ‘gaming the system’.
Source: ISACA. (2009). The Risk IT Framework. ISACA.
Hey Dhaval,
I liked the examples that you gave when it comes to the challenges organizations face when trying to conduct a quantitative security risk analysis.
I feel like a lot of these challenges are up to senior management to decide whether or not they want to devote the time, effort and cost associated with information security.
I also really liked how you included that even when companies have the resources to perform a quantitative risk analysis, it’s usually better to hire a third-party because of bias. Justifying bad practices because it’s the ‘norm’ for the company can have huge ramifications!
Quantitative assessment is the most thorough method of performing a risk analysis. Challenges that involve performance of this type of analysis would be data integrity loss – where there’s an alteration in data; accidental errors – where there is improper use of data due to incorrect use and not malicious intent; also computer virus – where program(s) may perform a variety of unusual functions due to an infection.
I think you raise a good point about accidental errors here. It would be interesting to quantify how often mistakes happen during the risk assessment process.
I agree with what you said. The accidental errors and computer viruses you mentioned belong to improper use of data due to incorrect use rather than malicious intent, but still cause danger. Without a robust process, leaders will blindly believe in their cyber risk status and ignore warning signs, causing potential losses in finance, operations, and reputation.
What challenges are involved in performing a quantitative information security risk analysis?
One of the biggest challenges is the magnitude of the work involved in generating a quantitative risk analysis. It requires a complete inventory of all assets, a detailed assessment of the value of each asset and then applying the variety of negative impacts that could happen in addition to probability of that occurrence. In a large and complex organization, this can require a remarkably large amount of work to calculate and maintain. The vibrant and rapidly changing environments we live and operate within today make this approach difficult and often unwieldy as an approach to maintain in real-time.
Hey Richard,
I like your point. It seems based on the consensus that quantitative risk assessments might be relative to the size or scope they are trying to analyze. Ultimately, in a large-scale organization it would skyrocket the investment and become incredibly complex to analyze and result in high cost. It makes me think of scenarios in which this would be applicable, especially at a large corporation.
There are many challenges for performing a quantitative information security risk analysis.
The first challenge is collecting accurate data. It is recommended that infosec professionals hire outside consultants, since the professional working inside the company may have unconscious bias surrounding what type of vulnerabilities exist on their company’s network. Or they may be unknowingly turning a blind eye to some issues. An outside consultant has the benefit of looking at the situation with a fresh perspective. These people also have seen all types of network configurations and industries, so their experience is very valuable.
Another challenge is how quickly the cyber world is evolving. Every day, new vulnerabilities emerge and it can be difficult to stay on top of what vulnerabilities may be present on your network. This means that the risk analysis is never-ending. You have to continually keep an eye out for critical vulnerabilities and do a fresh re-assessment of your company’s infosec risk at least once a year (if not more frequently).
Another potential challenge is gaining board-level support for completing the infosec risk assessment. Ultimately during the assessment, you need to analyze the security of all endpoints and systems on the network. This means you need insight into all functions and divisions. If upper management isn’t encouraging this deep-dive into the infosec risk analysis, the data you will gather will be incomplete.
I like how you gave thoughtful examples of what they are supposed to do to evaluate their assets and implement a method to secure them. Like you said, as the cyber world is evolving, new policies and procedures should be put in place on how well an organization must identify their issues, keep track of them, protect their information and react if something bad happens. The less analysis, the less secure the systems and the more threats they will face.
Madalyn, I agree 100% that a very challenging part of performing a quantitative information security risk analysis is gathering everyone up on board in upper management. It is due to the fact that they have to really provide the consultant data to work with so that they can get a fresh set of eyes on every function and parts of the security system.
There are a lot of challenges involved in performing a quantitative information security risk analysis, but one of the biggest challenges is to ask mindful questions in order to avoid errors and attacks. Before performing a quantitative information security risk analysis, the company needs to evaluate all the assets that they have and make sure they are all protected. It’s easier for smaller companies as it doesn’t require a lot of work, but for bigger companies it’s time consuming and so cost effective. When evaluating those assets or data, they will then have a better understanding of how much money they can allocate to get more software to protect their data. The IT team needs to create a defined budget and procedure in which they explain why some assets need more security than others. For that they need to do some online and written assessments based on integrity and have some projections of what may happen in the future and how to react if that happens. Implementing new rules and policies on who needs to have access to what system or data will also reduce the threats. The effectiveness of the systems is also a good point to touch on, as if one system is running incorrectly, then it affects all the analysis they will make to secure the data.
I think you’ve made some very good points.
It is important for a company to evaluate their assets, and when doing so, it is also important that there are no vulnerabilities and that all assets (including infrastructure) be protected with the same effort as a high-value asset to reduce the likelihood that it could potentially, “be an entry point into your network and provide access to valuable data.” (Vacca, 2017)
I’m sure there are many perceived challenges when an Information Technology Security professional conducts a quantitative information security risk analysis. However, first and foremost it should be noted that it should not be conducted by anyone who has ties to the organization. Moreover, I believe any problems that are presented should be rectified by using the guidelines of the ISO/IEC 27001 standard or the “NIST Framework” document. An advantage of “NIST’s approach is that it is easily adaptable to firms of all sizes and risk profiles, and can be very cost-effective.” (Vacca, 2017)
However, in my opinion I think the real challenge is more so in the planning part as opposed to the assessment of the risks. I think it is more difficult to plan for the business continuity and trying to be prepared when a data breach actually does happen. Furthermore, it seems that having a contingency plan that enables the company’s most critical functions to continue while trying to rectify the situation could prove to be a complicated task.
Many companies see establishing a quantitative information security risk analysis as being expensive and time consuming. All parties with interest in the company should have a shared understanding of expectations. “Establishing an appropriate set of expectations before, during and after the assessment is paramount to achieving an acceptable outcome…” (Vacca, 2021)
Although it can be a cumbersome process, information security risk analysis is vital to any successful business. Businesses should focus on the ways a risk analysis can be accomplished. Oftentimes, taking the first step towards creating a complex plan can be intimidating. The information security risk assessment is not a part of the business that can be left out.
If you are a small company, many times an in-house approach will be utilized. The downside of using an employee is that they have bias towards information and can inappropriately create shortcuts in the risk analysis, therefore creating inefficient and skewed results. This approach is cheaper; however, it could prove not as effective as outsourcing the analysis to an outside vendor whose sole job is to provide information security risk analysis. A third-party vendor can be beneficial due to the unbiased nature and vast knowledge they hold in providing next steps and adjustments to security plans.
Vacca, J., 2021. Computer and Information Security. 3rd ed. Cambridge: Todd Green, p.31.
Quantitative risk analysis, like anything, has its pros and cons. Mainly, the obstacle that will be faced is that quantifying information is generally a complex process. As opposed to qualitative; qualitative focuses more on objective data, which usually requires automation and represents risk in values. However, these values that are generated are up to the interpretation of the experts that are generating them, which in return poses a risk in itself if the experts are wrong.
Hello Michael,
I’m in agreement with you that quantitative risk analysis poses pros and cons like just about everything else. It’s important to understand that just because there are advantages to quantitative risk analysis, that doesn’t mean that this approach is always the best option. Not only can this approach be very costly, but it is also complex like you mentioned. One of the more difficult things about the quantitative risk approach is implementing it through every chain of the company and getting every employee on board. It can also be deemed as hard to understand because all results are portrayed in monetary value. For employees with no experience, this could be challenging to understand.
One challenge involved in performing a quantitative IS risk analysis is that the quantity of both risks and information is constantly increasing. This means that periodically, even every day, there are more endpoints and vulnerabilities of a network, and also more information to secure.
Another challenge in performing quantitative IS risk analysis is that the losses due to IS breaches are so volatile. A company may be able to predict the best case scenario of no loss, but what is the worst possible loss? What if a company holding customer credit card information gets hacked, and every single card is maxed out? What is the probability of the previously mentioned loss? What is the average loss of a cybersecurity breach in a given industry or geography?
As time goes on, it may be easier to average-out the quantities of loss related to IS risk (due to more data points on the topic), but because of the reasons above, it will likely never be easy.
Thanks for sharing, Michael; you posed a lot of great questions. I’d like to piggyback on your idea that a system can be secure today but vulnerable tomorrow due to the ever-changing IT systems and technologies. I definitely agree that we are seeing more and more breaches, but I think it’s interesting from a laws and regulations perspective that companies really aren’t being punished or even held accountable if one of their systems is compromised. An example that comes to mind is the First American Financial breach from May 2019, who was responsible for leaking roughly 800 million documents, with many containing sensitive financial data around real estate transactions. As a result of the breach the only punishment First American Financial received was a $500,000 fine, which in my opinion is a punishment that will not bring about any significant improvements or even thoughts of improving their security posture. In the end, I think holding organizations more accountable and deploying, for lack of a better term, harsher consequences when a breach occurs will encourage organizations and their employees to identify and quantify risks that exist in their respective environment.
There are great challenges in conducting quantitative information security risk analysis.
Without a robust process, leaders will blindly believe in their cyber risk status and ignore warning signs, ultimately causing potential financial, operational, and reputation losses.
Risk models such as value-at-risk method play an important role. They not only integrate the input content, but also provide decision-makers with indicators as consideration factors. But there are inherent problems. The output and input are almost the same, neither of which can quantify all risks.
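The questions a few posts up (what is the worst possible loss, what is its probability, what is the average) and the value-at-risk remark just above are exactly what a simulation answers better than a single expected-loss figure. The example below is added to this thread for illustration and is not code from any poster: it models one risk scenario with an uncertain number of incidents per year (Poisson) and an uncertain loss per incident (lognormal), and reads expected loss, 95% and 99% value-at-risk and the chance of blowing a budget off the simulated distribution. The rate, median loss, spread and budget are constructed values, and the Poisson sampler is the standard Knuth inversion method written out so the block has no dependency beyond the standard library.

```python
"""Monte Carlo view of one risk scenario whose frequency and severity are both
uncertain: incidents per year ~ Poisson(lam), loss per incident ~ lognormal.
Instead of one ALE number it yields a loss distribution, from which expected
loss, value-at-risk and the probability of exceeding a budget can be read.
Added illustration for this discussion; every parameter below is constructed."""
import math
import random
from statistics import fmean


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used in risk work."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam: float, median_loss: float, sigma: float,
                           trials: int, seed: int = 0) -> list:
    """Total loss in each simulated year (one entry per trial).
    sigma is the lognormal shape: sigma=1 means the 95th-percentile incident
    costs about 5x the median one."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal location; median = exp(mu)
    losses = []
    for _ in range(trials):
        incidents = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses


def quantile(values, p: float) -> float:
    """Nearest-rank quantile: the smallest value with at least p of the data at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def analytic_expected_loss(lam: float, median_loss: float, sigma: float) -> float:
    """Closed form for comparison: lam * E[severity], with E[lognormal] = exp(mu + sigma^2 / 2)."""
    return lam * median_loss * math.exp(sigma ** 2 / 2)


def summarise(losses, budget: float) -> dict:
    """The figures a decision-maker would actually ask for."""
    n = len(losses)
    return {
        "expected_loss": fmean(losses),
        "median": quantile(losses, 0.5),
        "var_95": quantile(losses, 0.95),   # loss not exceeded in 19 years out of 20
        "var_99": quantile(losses, 0.99),
        "p_loss_free_year": sum(1 for x in losses if x == 0) / n,
        "p_exceeds_budget": sum(1 for x in losses if x > budget) / n,
    }


if __name__ == "__main__":
    params = dict(lam=2.0, median_loss=50_000, sigma=1.0)  # constructed scenario
    losses = simulate_annual_losses(trials=20_000, seed=2024, **params)
    report = summarise(losses, budget=250_000)
    print(f"analytic expected loss: {analytic_expected_loss(**params):,.0f}")
    for key, value in report.items():
        print(f"{key:18s} {value:,.3f}" if key.startswith("p_") else f"{key:18s} {value:,.0f}")
```

Two things the output shows that a single ALE does not: the mean annual loss sits well above the median year (most years are cheap, a few are ruinous), and the 95% value-at-risk is a multiple of the expected loss, which is the number the budget conversation should really be about. Run the same scenario with `sigma` nudged up or down and the tail moves far more than the mean, which is the volatility problem described above in concrete form.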
Quantitative assessment is the most thorough method of performing a risk analysis. This also makes it the most expensive and time-consuming process – and therefore not the ideal first choice for cash-strapped or smaller-scale enterprises.
The goal of quantitative information security risk analysis is to calculate numeric values associated with each component that results after risk evaluation. This can be very challenging because it involves gathering/having detailed knowledge of all the business assets and coming up with the real value of the assets, taking into consideration the cost of replacement, the cost of the productivity loss, the cost of brand reputation damage and other values that represent direct or indirect assets for the organization. This can be a grueling task as it is very time consuming, the calculations can be very complex and hard to understand without experience, and some risk values could be subjective in certain cases.
Hello Jason,
That’s true that it requires more detailed information on all of the business assets. There also could be some information assets that could not be scaled on a number, and they will need to be measured using a qualitative approach. That could affect the result of the quantitative risk analysis. When gathering information on all of the business assets, if any inaccurate information is obtained then it will also provide an inaccurate result for that risk analysis.
Performing a quantitative information security risk analysis is challenging due to the ubiquitous and dynamic landscape of modern security threats. Threat actors are continuously engaging companies with attacks using only minimal equipment and easy-to-use tools. This unpredictability makes it hard to predict when and how severe an attack will be, and makes attempting to quantify these risks a costly and time-consuming challenge. It requires the company to continuously exhaust resources and man-hours analyzing the ever-changing risks. Because the risks are always evolving, it is imperative to actively monitor and modify any risk analysis one makes. It is also challenging due to the biases of internal assumptions. It becomes crucial to not only rely on internal assessment, but to look outside for independent advice. Doing this is also expensive, which is another reason why making these quantitative information security risk analyses is costly.
The complexity of the components that lay the foundation for and make up information security inherently makes performing a quantitative information security risk analysis challenging. The process requires help from almost all aspects of the organization, including the board of directors, IT and business management, and IT and business users who are responsible for performing daily tasks and activities. It’s not enough that people from each of these areas are involved; each must hold a sound understanding of what risks, whether they are reputational, financial, etc., their component (i.e. technical, business) poses to the organization. On top of this, each must understand the level of impact that is associated with the risk, and each area must be able to evidence and present why their component provides a certain level of risk. Organizations that combine and understand risks across each management level and component are typically able to better quantify expected results for subsequent monitoring and review. In cases where organizations do a poor job of understanding risk across all management levels and components, potentially significant risks could go unmitigated, ultimately opening an organization up to being compromised.
The major challenge involved in performing a quantitative information risk analysis is the lack of management support and initiative, the reason being that the tone at the top always dictates how processes will be implemented within any organisation. Secondly, a fallout of the aforementioned is the unavailability of data due to the lack of policies and procedures to clearly state roles, responsibilities, procedures and expectations in the risk process to create accurate risk data enterprise-wide. In the absence of all these, certain ingredients such as the risk register, risk awareness, a properly set up risk management program, and the lack of overall asset management processes for validating inherent and residual risk will always exist. All these create problems that prevent organizations from accurately determining the risk posture of an entity.
Quantifying some risks in information security is certainly difficult; there may be some guesswork involved based on the assessor’s available information. Some data may be difficult to obtain: there may be availability issues. More entities to consider in quantifying information security risks are the key risk indicators. It is important to note how these are defined as they will determine the result of the risk assessment. The risk indicators should not be too generic so that they do not directly assess risk in the environment, and they should also not be too challenging to measure, skewing data and poorly illustrating the business impact of the associated risks.
The challenges involved in performing a quantitative information risk analysis are the expense and financial outlook. Especially during the worldwide pandemic, COVID-19, a lot of businesses shut down. With the amount of financial information within a company performing a risk analysis, the company is at risk for a breach. However, with a quantitative information risk analysis, it can help companies decide how to proceed to ensure that their information is protected in the best way possible.
Many organizations struggle in attaining a formal quantitative information security risk assessment. One of the most common is the business outlook on security; executives care about profitable investments (i.e. mergers, capital ventures, etc.). Security is viewed as a necessary evil that does not drive profit in a company, but prevents economic decline. With limited budgets, executives might want to drive projects to boost the company’s stock or increase annual revenue–not security. Another example of this is resources. Quantitative security assessments are lengthy, expensive ventures that can involve third party auditors/consultants, create a need to hire more compliance/information security personnel, and maintain annual certifications with even more company dollars. The price, dedication, and time comprising essential security risk assessments have been historically overlooked; but in a day and age where companies are getting hacked more than ever, this obstacle is slowly declining.
In digitalization most organizations switch over to a network, so quantitative information risk analysis is most important. Many companies perform quantitative information security risk analysis, however it can be extremely time consuming and expensive. All organizations and shareholders need to have a shared understanding of security risk analysis for a successful outcome to be achieved.
A major challenge to quantitative Information Security risk analysis is that the information around the world is being shared at an increasingly high speed daily. And various attacks, breach of information, loss of security information, are causing organizations to lose their reputations and business.
One important role of quantitative information security risk analysis is to calculate the numeric valuation of each component that results after risk evaluation. It’s very challenging as it involves detailed evaluation of organization business assets that need to recover or be replaced. Furthermore quantitative information security risk analysis keeps becoming more challenging day by day due to new emerging security threats or attacks.
There are many challenges while performing a quantitative information security risk analysis. It involves using numbers to perform the risk analysis. As an example, if there is a project that the company is about to begin, then they will need to know the hours it will take to work on that project and the resources it will require. Underestimating the hours or the resources could impact the cost of the project when working on it. When performing the quantitative risk analysis, it requires more, and more accurate, data to perform the analysis, or it could provide an inaccurate result.
Some of the challenges that are involved with performing a quantitative information security risk analysis include complexity, implementation, result presentation, and cost. The quantitative risk analysis process along with the calculations performed can be very complex. Implementing this approach within a business can be difficult, as it will be hard to get everyone from the CEO down to entry level employees all on the same approach. When it comes to results, quantitative risk analysis poses a challenge because all results will be shown in monetary values, and this can be a challenge to understand for people with little to no experience. Lastly, performing a quantitative risk analysis can be very expensive due to the long amount of time that the analysis will take to be implemented.
I am in agreement with some of your assertions in your write-up. But you must understand in the same vein that in the absence of supporting data to calculate and quantify the probability of a deliberate or intentional human attack on information assets, risk assessors can, at the right time contingent on the knowledge of the business, its culture and people and their experience.