Jill Brummer says
Challenges involved in performing a quantitative information security risk analysis are that the analysis can be expensive due to the time and thoroughness required. It can also be challenging to explain to senior management why an expensive risk analysis that doesn’t produce revenue can be beneficial. Additionally, the risks in the analysis are hard to assign a dollar amount to due to the unknown of the actual event.
David Vanaman says
The biggest issue with quantitative analysis is right in the name: you have to be able to quantify what you are evaluating with numbers. There are some things which are easy to quantify, such as money or lost time, but other items are much less tangible. Company reputation is something that is hard to put a dollar value to, but it is certainly valuable to a company and something to protect against possible harm.
Other potential pitfalls of a quantitative analysis are values that are in flux – some items may be very valuable only for a short period of time – or items that have different values to different parts of the organization. Quantitative analysis is also time-consuming; it takes a large amount of effort to research and assign specific values to every asset and risk.
Nicholas Foster says
I believe first it is important to define what quantitative analysis is. According to InfoSec Institute (https://resources.infosecinstitute.com/topic/perform-qualitative-quantitative-security-risk-analysis/), quantitative analysis is about assigning monetary values to risk components. Now that we know how quantitative analysis is defined, we can better understand the challenges in performing a quantitative infosec risk analysis. In chapter 2, “Building a Secure Organization,” it states: “IT professionals are generally focused on technology, period. Management is focused on revenue. Concepts such as profitability, asset depreciation, return on investment, realization, and total cost of ownership are the mainstays of management. These are alien concepts to most IT professionals.” If most IT professionals struggle with ROI, depreciation, and total cost of ownership, it’s not a stretch to say they would struggle with correlating dollar signs with infosec risk analysis. Our responsibility as infosec professionals is undeniably to understand the qualitative risk, i.e., the CVSS score associated with a zero-day vulnerability and how it impacts our business directly. However, the costs associated with said vulnerability (quantitative) are usually only an afterthought, if at all, depending on the probability of said vulnerability. Not to mention the labor and time involved in ensuring each and every asset is properly indexed, how each asset can be adversely impacted by these events, and the monetary loss incurred from such events, which spans what seems infinite.
Kenneth Saltisky says
There are many challenges involved in performing a quantitative information security risk analysis. Quantitative risk analysis requires a strenuous amount of effort to conduct; it can be costly, it can be time-consuming, and it can have a bias if it is an internal analysis. This is due to the process of calculating all the variables of risk being very intensive, with the potential of some even being overlooked. Risks can involve a large number of variables that may not necessarily cover all aspects of a risk. In addition, it is more difficult to perform a quantitative assessment on a non-tangible risk, such as reputational damage due to an adverse event. As such, risk analysts need to understand when to perform quantitative, qualitative, or mixed analysis for each designated risk.
Nik Fuchs says
Challenges include accurately assigning a number to risks and scenarios without fully understanding the potential effects, and finding an agreed upon amount of risk acceptance.
There are a plethora of information security risks faced by organizations today – all of which can have different effects on a business. The many variables for a single risk can make it difficult for an organization to reduce the risk to a number for analysis. Therefore, this may cause an organization’s risk analysis to be inaccurate or incomplete, leaving the possibility for an additional security risk.
In completing a quantitative information security risk analysis, an organization must accept a specific amount of risk for the business to tolerate. Coming to agreement on that acceptable risk amount could be a challenge, since different parties within a business may want to see different amounts. For example, the finance team may push for an acceptable loss of $0 from security risks since they do not want to lose profit for the business, while the Info Sec team, on the other hand, understands that security risk is a real possibility and could think a loss of $10,000 is more realistic.
Shepherd Shenjere says
Quantitative information security risk analysis is very extensive and difficult to perform. Some of the major challenges involve complexity, cost, and time consumption. Complexity comes from how long the process takes and from dealing with huge calculations. That then will cause the process to be longer and more expensive, and it is even harder to explain to management.
Samuel Omotosho says
The major challenge involved in performing a quantitative information risk analysis is the lack of management support and initiative. The reason being that the tone at the top always dictates how processes will be implemented within any organisation. Secondly, a fallout of the aforementioned is the unavailability of data due to the lack of policies and procedures to clearly state roles, responsibilities, procedures and expectations in the risk process to create accurate risk data enterprise-wide. In the absence of all these, certain ingredients such as the risk register, risk awareness, a properly set up risk management program, and the lack of overall asset management processes for validating inherent and residual risk will always exist. All these create problems that prevent organizations from accurately determining the risk posture of an entity.
Matthew Stasiak says
Most risk analyses and audits have a deadline, and although I may not be very well experienced in the field, they pretty much go into the audit and analysis blind and use whatever tools they have to try and infiltrate the system. This time limit is a massive challenge, as they might only be able to collect a certain amount of information in that time limit. They also run into the challenge of getting caught, and their entire analysis can become redundant if the problem is solved before they can extract any information.
Maxwell ODonnell says
The biggest challenge in performing a quantitative information security risk analysis is simply the scope of the analysis. There are no guarantees you will be able to find every single weakness in a system and address all risks, and executives may not be willing to pay the price of a potentially inconclusive analysis. It is also difficult to consider all possible risk metrics due to the variability and complexity of the system you are analyzing. One bad risk analysis can potentially discourage upper-level management from being willing to authorize future audits.
Abayomi Aiyedebinu says
Quantitative risk is based on factual data that can be measured mathematically. The outcomes are usually expressed in monetary terms, and they reflect how much the organization may lose as a result of the risk. Due to its measurability, quantitative risk is an effective tool to perform risk analysis, although it has its own flaws in data, because there is insufficiently detailed information to be used to develop a successful quantitative risk strategy, and without valid data the results are questionable. That is the reason why ISO 27001 was implemented as a risk assessment critical for protecting a company’s information security assets against risks and vulnerabilities.
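Several of the posts above (Nicholas Foster's definition of quantitative analysis as assigning monetary values to risk components, Nik Fuchs's point about agreeing on an acceptable loss amount, and Abayomi Aiyedebinu's point that results are questionable without valid data) describe the same mechanics. The following is an added worked example, not code from the thread or from any of its authors. It uses the standard single loss expectancy / annualised rate of occurrence model (SLE = asset value × exposure factor, ALE = SLE × ARO), which the thread does not spell out, and the risk register entries, dollar figures and ranges are constructed for illustration only. The Monte Carlo function shows what happens when the inputs are only known as ranges: the output is a spread of outcomes rather than one number, which is the concrete form of the "without valid data the results are questionable" problem.

```python
"""Worked quantitative risk analysis: ALE per risk, tolerance check, and
uncertainty bands when the inputs are only known as ranges.
Added example; all values below are constructed, not from a real organisation."""
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset value lost per event (0..1)
    aro: float              # annualised rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: asset value times exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: SLE times ARO."""
        return self.sle() * self.aro


# Constructed sample risk register (illustrative figures only).
RISK_REGISTER = [
    Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.40, aro=0.25),
    Risk("Laptop theft (unencrypted)", asset_value=4_000, exposure_factor=1.00, aro=3.0),
    Risk("Web application data breach", asset_value=1_200_000, exposure_factor=0.10, aro=0.15),
]


def rank_by_ale(risks):
    """Order risks by annualised loss, highest first, to prioritise treatment."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def exceeds_tolerance(risk: Risk, tolerance: float) -> bool:
    """True when a risk's ALE is above the loss the business has agreed to accept."""
    return risk.ale() > tolerance


def simulate_ale(sle_low, sle_mode, sle_high, aro_low, aro_high,
                 trials=10_000, seed=1):
    """Monte Carlo estimate of ALE when SLE and ARO are only known as ranges.

    SLE is drawn from a triangular distribution (low / most likely / high),
    ARO uniformly between two rates. Returns percentiles and the mean, so the
    analyst can report a range (p10..p90) instead of a single point estimate.
    """
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    samples = []
    for _ in range(trials):
        sle = rng.triangular(sle_low, sle_high, sle_mode)
        aro = rng.uniform(aro_low, aro_high)
        samples.append(sle * aro)
    samples.sort()

    def pct(p):
        return samples[int(p * (trials - 1))]

    return {
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": sum(samples) / trials,
    }


if __name__ == "__main__":
    tolerance = 20_000  # constructed: the agreed acceptable annual loss
    for r in rank_by_ale(RISK_REGISTER):
        flag = "ABOVE tolerance" if exceeds_tolerance(r, tolerance) else "within tolerance"
        print(f"{r.name:32s} SLE=${r.sle():>12,.0f} ALE=${r.ale():>10,.0f}  {flag}")

    # Reputational damage (constructed ranges): nobody can give one number,
    # so report the spread instead.
    band = simulate_ale(sle_low=50_000, sle_mode=200_000, sle_high=1_000_000,
                        aro_low=0.05, aro_high=0.30)
    print("Reputational damage ALE: p10=${p10:,.0f} p50=${p50:,.0f} "
          "p90=${p90:,.0f} mean=${mean:,.0f}".format(**band))
```

The point-estimate table is what a register usually contains; the Monte Carlo band is what to show management when an input such as reputational loss cannot honestly be reduced to a single figure. Widening the input ranges widens the p10..p90 band, which makes the cost of missing data visible rather than hidden inside a falsely precise number.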