
Protection of Information Assets

Temple University

MIS 5206.701 ■ Fall 2022 ■ William Bailey

Question 3

August 4, 2022 by William Bailey 10 Comments

What challenges are involved in performing a quantitative information security risk analysis?

Filed Under: Unit 01: Understanding an Organization's Risk Environment

Comments

  1. Jill Brummer says

    August 21, 2022 at 12:03 pm

    Challenges involved in performing a quantitative information security risk analysis are that the analysis can be expensive due to the time and thoroughness required. It can also be challenging to explain to senior management why an expensive risk analysis that doesn’t produce revenue can be beneficial. Additionally, the risks in the analysis are hard to assign a dollar amount to, due to the unknowns of the actual event.

  2. David Vanaman says

    August 22, 2022 at 5:51 pm

    The biggest issue with quantitative analysis is right in the name: you have to be able to quantify what you are evaluating with numbers. There are some things which are easy to quantify, such as money or lost time, but other items are much less tangible. Company reputation is something that is hard to put a dollar value on, but it is certainly valuable to a company and something to protect against possible harm.

    Other potential pitfalls of a quantitative analysis are values that are in flux – some items may be very valuable only for a short period of time – or items that have different values to different parts of the organization. Quantitative analysis is also time-consuming; it takes a large amount of effort to research and assign specific values to every asset and risk.

  3. Nicholas Foster says

    August 22, 2022 at 8:10 pm

    I believe first it is important to define what quantitative analysis is. According to InfoSec Institute (https://resources.infosecinstitute.com/topic/perform-qualitative-quantitative-security-risk-analysis/), quantitative analysis is about assigning monetary values to risk components. Now that we know how quantitative analysis is defined, we can better understand the challenges in performing a quantitative infosec risk analysis. In chapter 2, “Building a Secure Organization”, it states: “IT professionals are generally focused on technology, period. Management is focused on revenue. Concepts such as profitability, asset depreciation, return on investment, realization, and total cost of ownership are the mainstays of management. These are alien concepts to most IT professionals.” If most IT professionals struggle with ROI, depreciation, and total cost of ownership, it’s not a stretch to say they would struggle with correlating dollar signs with infosec risk analysis. Our responsibility as infosec professionals is undeniably to understand the qualitative risk, i.e., the CVSS score associated with a zero-day vulnerability and how it impacts our business directly. However, the costs associated with said vulnerability (quantitative) are usually only an afterthought, if considered at all, depending on the probability of said vulnerability. Not to mention the labor and time involved in ensuring each and every asset is properly indexed, and how each asset can be adversely impacted by these events; the monetary loss incurred from such events spans what seems infinite.

  4. Kenneth Saltisky says

    August 23, 2022 at 5:30 pm

    There are many challenges involved in performing a quantitative information security risk analysis. Quantitative risk analysis requires a strenuous amount of effort to conduct; it can be costly, it can be time-consuming, and it can have a bias if it is an internal analysis. This is due to the process of calculating all the variables of risk being very intensive, with the potential of some even being overlooked. Risks can involve a large number of variables that may not necessarily cover all aspects of a risk. In addition, it is more difficult to perform a quantitative assessment on a non-tangible risk, such as reputational damage due to an adverse event. As such, risk analysts need to understand when to perform quantitative, qualitative, or mixed analysis for each designated risk.

  5. Nik Fuchs says

    August 23, 2022 at 9:34 pm

    Challenges include accurately assigning a number to risks and scenarios without fully understanding the potential effects, and finding an agreed upon amount of risk acceptance.

    There are a plethora of information security risks faced by organizations today – all of which can have different effects on a business. The many variables for a single risk can make it difficult for an organization to reduce the risk to a number for analysis. Therefore, this may cause an organization’s risk analysis to be inaccurate or incomplete, leaving the possibility of an additional security risk.

    In completing a quantitative information security risk analysis, an organization must accept a specific amount of risk for the business to tolerate. Coming to agreement on that acceptable risk amount could be a challenge, since different parties within a business may want to see different amounts. For example, the finance team may push for an acceptable loss of $0 from security risks since they do not want to lose profit for the business, while the InfoSec team, on the other hand, understands that security risk is a real possibility and could think a loss of $10,000 is more realistic.

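A worked illustration of two of the points raised above (David Vanaman's intangible, shifting asset values and Nik Fuchs's disagreement over an acceptable loss figure), added here as example code; it is not part of the course page or any student's post. It uses the standard single loss expectancy and annualized loss expectancy formulas (SLE = AV × EF, ALE = SLE × ARO). The scenario names, dollar ranges, exposure factors and event rates are constructed sample inputs, and reporting the ALE as a low/high range is one way to make the uncertainty visible, not a method prescribed by the course.

```python
"""Quantitative risk estimate with explicit uncertainty ranges.

Added example, not from the course page or any student's post.
Standard formulas:
    SLE = AV  x EF      single loss expectancy (loss from one event)
    ALE = SLE x ARO     annualized loss expectancy (expected loss per year)
Every input is a (low, high) pair, so a hard-to-value asset (reputation)
or an uncertain frequency produces an ALE *range*. The range, not a single
figure, is what the parties in the discussion actually have to agree on.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: tuple        # (low, high) dollar value of the asset
    exposure_factor: tuple    # (low, high) fraction of value lost per event, 0..1
    aro: tuple                # (low, high) expected events per year


def sle(asset_value, exposure_factor):
    """Single loss expectancy: value lost in one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized loss expectancy: expected loss per year."""
    return sle(asset_value, exposure_factor) * aro


def ale_range(scenario):
    """(min, max) ALE over every corner of the input ranges.

    All factors are non-negative, so the extremes of the product lie at
    the corners of the input box; enumerating the corners makes that explicit.
    """
    corners = product(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    values = [ale(av, ef, rate) for av, ef, rate in corners]
    return min(values), max(values)


def spread_ratio(scenario):
    """How many times larger the pessimistic ALE is than the optimistic one."""
    low, high = ale_range(scenario)
    return float("inf") if low == 0 else high / low


def tolerance_verdict(scenario, acceptable_annual_loss):
    """Compare an ALE range against one party's acceptable annual loss.

    'within'    - even the pessimistic estimate is acceptable
    'exceeds'   - even the optimistic estimate is not
    'uncertain' - the range straddles the threshold: the input estimates,
                  not the arithmetic, decide the answer
    """
    low, high = ale_range(scenario)
    if high <= acceptable_annual_loss:
        return "within"
    if low > acceptable_annual_loss:
        return "exceeds"
    return "uncertain"


# Constructed sample scenarios (illustrative figures, not real data).
SAMPLE_SCENARIOS = (
    # Tangible asset: replacement cost is known, only the frequency is not.
    RiskScenario("stolen laptop", (10_000, 12_000), (1.0, 1.0), (0.5, 2.0)),
    # Intangible asset: value, share lost and frequency are all disputed.
    RiskScenario("reputational damage after a breach",
                 (500_000, 5_000_000), (0.05, 0.30), (0.05, 0.20)),
)


if __name__ == "__main__":
    # Thresholds from the discussion: finance wants $0, InfoSec suggests $10,000.
    for s in SAMPLE_SCENARIOS:
        low, high = ale_range(s)
        print(f"{s.name}: ALE ${low:,.0f} to ${high:,.0f} "
              f"(spread x{spread_ratio(s):.1f})")
        for party, threshold in (("finance", 0), ("infosec", 10_000)):
            print(f"  vs {party} threshold ${threshold:,}: "
                  f"{tolerance_verdict(s, threshold)}")
```

Running the script shows the laptop scenario spanning roughly $5,000 to $24,000 per year and the reputational scenario spanning more than two orders of magnitude; against a $0 tolerance every scenario with a non-zero rate "exceeds", and against the $10,000 figure both come back "uncertain", which is exactly the disagreement the posts describe.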
  6. Shepherd Shenjere says

    August 24, 2022 at 12:33 am

    Quantitative information security risk analysis is very extensive and difficult to perform. Some of the major challenges involve complexity, cost, and time consumption. Complexity comes from how long the process takes and from dealing with huge calculations. That then causes the process to be longer and more expensive, and it is even harder to explain to management.

  7. Samuel Omotosho says

    August 24, 2022 at 5:18 pm

    The major challenge involved in performing a quantitative information risk analysis is the lack of management support and initiative. The reason is that the tone at the top always dictates how processes will be implemented within any organisation. Secondly, a fallout of the aforementioned is the unavailability of data due to the lack of policies and procedures that clearly state roles, responsibilities, procedures and expectations in the risk process to create accurate risk data enterprise-wide. In the absence of all these, certain ingredients such as the risk register, risk awareness, a properly set up risk management program, and overall asset management processes for validating inherent and residual risk will always be lacking. All these create problems that prevent organizations from accurately determining the risk posture of an entity.

  8. Matthew Stasiak says

    August 30, 2022 at 12:01 am

    Most risk analyses and audits have a deadline, and although I may not be very experienced in the field, they pretty much go into the audit and analysis blind and use whatever tools they have to try and infiltrate the system. This time limit is a massive challenge, as they might only be able to collect a certain amount of information in that time. They also run into the challenge of getting caught, and their entire analysis can become redundant if the problem is solved before they can extract any information.

  9. Maxwell ODonnell says

    September 2, 2022 at 4:05 pm

    The biggest challenge in performing a quantitative information security risk analysis is simply the scope of the analysis. There are no guarantees you will be able to find every single weakness in a system and address all risks, and executives may not be willing to pay the price of a potentially inconclusive analysis. It is also difficult to consider all possible risk metrics due to the variability and complexity of the system you are analyzing. One bad risk analysis can potentially discourage upper-level management from being willing to authorize future audits.

  10. Abayomi Aiyedebinu says

    September 7, 2022 at 3:03 pm

    Quantitative risk is based on factual data that can be measured mathematically. The outcomes are usually expressed in monetary terms, and they reflect how much the organization may lose as a result of the risk. Due to its measurability, quantitative risk is an effective tool to perform risk analysis, although it has its own data flaws, because there is insufficiently detailed information to be used to develop a successful quantitative risk strategy, and without valid data the results are questionable. That is the reason why ISO 27001 was implemented as a risk assessment critical for protecting a company’s information security assets against risks and vulnerabilities.



