Best Practices for Quantitative and Qualitative Risk Assessment

Many organizations prefer a quantitative risk assessment because it expresses the impact of risk in financial terms, so that a return on investment (ROI) or cost-benefit justification can be presented to management. Many organizations use the quantitative results to build budgets for information security controls and countermeasures; as those controls and countermeasures are implemented, overall risk is reduced to the organization's minimum acceptable level. Quantitative risk assessments require an accurate IT asset inventory, accurate IT asset valuations, and a consistent method for defining exposure factors for known threats.

For organizations that lack accurate IT asset inventory documentation or financial data, a qualitative risk assessment is a quick way to prioritize IT assets and their exposure to known threats and vulnerabilities. It still accomplishes the same goal as the quantitative assessment: to identify IT assets, prioritize them by their importance to the organization, and assess the risk of known threats and vulnerabilities and their likelihood of occurrence. Either approach allows an organization to make sound business decisions about prioritizing and investing funds in security controls and countermeasures.

Quantitative Risk-Assessment Best Practices

When performing a quantitative risk assessment, the following best practices should be followed to maintain accuracy and consistency in the calculations of the AV, EF, SLE, ARO, and ALE:

  1. Determine the Asset Value (AV) for each IT asset by summing its purchase price, the labor, maintenance, and support it consumes, and the value of any data it holds.
  2. Define a consistent scale for the Exposure Factor (EF), the fraction of the asset's value lost in a single occurrence. Build a table with the threats and vulnerabilities ranked from high to low; this table acts as the single EF table for all IT assets. Define all assumptions and justify them with supporting historical trends or data.
  3. Calculate the Single Loss Expectancy (SLE = AV × EF), and verify that the organization's business liability and insurance policy can cover a single occurrence of that IT asset being compromised in a calendar year.
  4. Define the Annualized Rate of Occurrence (ARO), the expected number of occurrences per year. Depending on the threat or vulnerability, use historical data to establish the rate. For example, how many times has the organization been hit by a virus, worm, or Trojan in the past five years? Dividing that count by five gives an ARO for malicious-code attacks on the organization. Build a table of ARO values for the different threats and vulnerabilities so that the same ARO is used wherever the same threat appears. Define all assumptions and justify them with supporting historical trends or data.
  5. Calculate the Annualized Loss Expectancy (ALE = SLE × ARO) and use it to justify the cost of investment in security controls and countermeasures: a control is worth funding when the ALE it removes exceeds its annual cost. The ALE is typically used as the cost-benefit justification for investing in the controls and countermeasures needed to achieve the organization's confidentiality, integrity, and availability goals.
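The five steps above carried through end to end, as an added worked example that is not part of the original text. It keeps one EF table and one ARO table shared by every asset, computes SLE and ALE for each asset-threat pair, and then applies the cost-benefit test to a proposed control. Every asset value, exposure factor, rate of occurrence, and control cost below is a constructed figure chosen to keep the arithmetic easy to follow, not data from any real organization.

```python
"""Quantitative risk assessment worked through: AV -> EF -> SLE -> ARO -> ALE,
then the cost-benefit check a proposed control must pass.

Added example, not from the original text. All asset values, exposure factors,
rates of occurrence and control costs are constructed figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1: AV is more than purchase price; it includes labor, maintenance,
    support and the value of the data the asset holds."""
    name: str
    purchase_price: float
    labor_maintenance_support: float
    data_value: float

    @property
    def av(self) -> float:
        return self.purchase_price + self.labor_maintenance_support + self.data_value


# Step 2: a single EF table (fraction of AV lost in one incident) shared by all
# assets, so two assessors never assign different EFs to the same threat.
EF_TABLE = {
    "ransomware": 0.70,        # constructed: encryption plus rebuild and data loss
    "hardware_failure": 0.40,  # constructed: replacement plus outage
    "misconfiguration": 0.10,  # constructed: limited, quickly corrected exposure
}

# Step 4: a single ARO table (expected occurrences per year). Rates come from
# history: "2 ransomware incidents in the past 5 years" gives 2 / 5 = 0.4.
ARO_TABLE = {
    "ransomware": 2 / 5,
    "hardware_failure": 1.0,
    "misconfiguration": 6.0,
}


def sle(av: float, ef: float) -> float:
    """Step 3: Single Loss Expectancy, the loss from one occurrence."""
    return av * ef


def ale(single_loss: float, aro: float) -> float:
    """Step 5: Annualized Loss Expectancy, the expected loss per year."""
    return single_loss * aro


def assess(assets, ef_table=EF_TABLE, aro_table=ARO_TABLE):
    """Compute SLE and ALE for every (asset, threat) pair from the shared tables.
    A threat with an EF but no ARO is a consistency error, not a zero."""
    rows = {}
    for asset in assets:
        for threat, ef in ef_table.items():
            if threat not in aro_table:
                raise KeyError(f"no ARO defined for threat {threat!r}")
            single = sle(asset.av, ef)
            rows[(asset.name, threat)] = {
                "av": asset.av, "ef": ef, "sle": single,
                "aro": aro_table[threat], "ale": ale(single, aro_table[threat]),
            }
    return rows


def total_ale(rows) -> float:
    return sum(r["ale"] for r in rows.values())


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit test for a control: the ALE it removes minus what it costs per
    year. A negative result means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


def worked_example():
    """Constructed scenario: one file server and a proposed offline-backup control
    that lowers the ransomware EF from 0.70 to 0.20, priced at two candidate costs."""
    server = Asset("file-server", purchase_price=20_000,
                   labor_maintenance_support=15_000, data_value=65_000)
    before = assess([server])

    # Backups change only the ransomware EF; the ARO is unchanged because backups
    # do not stop attacks, they shrink the loss when one happens.
    ef_with_backups = dict(EF_TABLE, ransomware=0.20)
    after = assess([server], ef_table=ef_with_backups)

    ale_before, ale_after = total_ale(before), total_ale(after)
    return {
        "av": server.av,
        "ransomware_sle": before[("file-server", "ransomware")]["sle"],
        "ransomware_ale": before[("file-server", "ransomware")]["ale"],
        "total_ale_before": ale_before,
        "total_ale_after": ale_after,
        "net_benefit_cheap_control": control_net_benefit(ale_before, ale_after, 8_000),
        "net_benefit_expensive_control": control_net_benefit(ale_before, ale_after, 25_000),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>30}: {value:>12,.2f}")
```

In this scenario the server's AV is 100,000, the ransomware SLE is 70,000 and its ALE 28,000; backups cut the total ALE from 128,000 to 108,000, so a control costing 8,000 per year is justified (net benefit 12,000) while the same control at 25,000 per year is not (net benefit -5,000). The point of the shared tables is that changing one EF or ARO value changes every asset it applies to, which is what keeps the assessment consistent across assessors.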

Qualitative Risk-Assessment Best Practices

When you perform a qualitative risk assessment, use the following best practices to maintain accuracy and consistency in assessing the IT assets' risk exposure:

  1. List all of the organization's critical IT assets in a spreadsheet.
  2. Specify the critical threats and vulnerabilities for each IT asset in the spreadsheet. Remember, there may be more than one critical threat or vulnerability for a given IT asset.
  3. Develop a consistent exposure severity scale for each asset and its known threats and vulnerabilities. This exposure severity scale should cover critical, high, medium, and low exposure and be assigned accordingly to the IT asset and the specific threat or vulnerability that can be exploited.
  4. Organize and prioritize the risk-assessment results so that the most critical IT assets and the most severe exposures come first. This immediately brings to the top the IT assets at greatest risk of exploitation by a threat or vulnerability.
  5. Prioritize the investment of funds for security controls and security countermeasures for those IT assets that have the greatest importance to the organization with the greatest exposure to risk.
  6. Ensure that the organization's critical IT assets achieve the appropriate confidentiality, integrity, and availability goals and objectives.
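The qualitative register described in steps 1 through 5, as an added example that is not part of the original text. It keeps one register row per asset-threat pair (an asset with three threats appears three times), enforces a single exposure scale, and sorts by exposure and then by asset importance. Deriving the exposure rating from a documented likelihood-by-impact matrix is an assumption of this example; the text only requires that the critical/high/medium/low scale be applied consistently. The assets, threats, and ratings are constructed for illustration.

```python
"""Qualitative risk register: critical IT assets, their threats and
vulnerabilities, one shared exposure scale, and a prioritized ordering.

Added example, not from the original text. Assets, threats and ratings are
constructed. Rating exposure from a likelihood x impact matrix is this
example's assumption, not a requirement of the text.
"""
from collections import Counter

# Step 3: the one scale every rating must use, ordered so rows can be sorted.
LEVELS = ("low", "medium", "high", "critical")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Assumed rating matrix: EXPOSURE_MATRIX[likelihood][impact] -> exposure.
# Writing it down once is what makes two assessors rate the same row the same way.
EXPOSURE_MATRIX = {
    "low":      {"low": "low",    "medium": "low",    "high": "medium",   "critical": "high"},
    "medium":   {"low": "low",    "medium": "medium", "high": "high",     "critical": "critical"},
    "high":     {"low": "medium", "medium": "high",   "high": "high",     "critical": "critical"},
    "critical": {"low": "medium", "medium": "high",   "high": "critical", "critical": "critical"},
}


def rate_exposure(likelihood: str, impact: str) -> str:
    """Look up exposure on the matrix; reject anything not on the defined scale
    (e.g. 'severe' or an empty cell) instead of silently sorting it to the bottom."""
    if likelihood not in RANK or impact not in RANK:
        raise ValueError(f"likelihood={likelihood!r}, impact={impact!r} not on scale {LEVELS}")
    return EXPOSURE_MATRIX[likelihood][impact]


def build_register(rows):
    """Steps 1-3: one register row per (asset, threat) pair with its exposure.
    Several rows may share an asset, one per threat or vulnerability."""
    register = []
    for asset, importance, threat, likelihood, impact in rows:
        if importance not in RANK:
            raise ValueError(f"{asset}: importance={importance!r} not on scale {LEVELS}")
        register.append({
            "asset": asset, "importance": importance, "threat": threat,
            "likelihood": likelihood, "impact": impact,
            "exposure": rate_exposure(likelihood, impact),
        })
    return register


def prioritize(register):
    """Steps 4-5: worst exposure first, then most important asset, then a stable
    name order so the list is reproducible from run to run."""
    return sorted(register, key=lambda r: (-RANK[r["exposure"]], -RANK[r["importance"]],
                                           r["asset"], r["threat"]))


def worst_exposure_per_asset(register):
    """An asset's overall exposure is the worst of its threats, not the average."""
    worst = {}
    for r in register:
        if r["asset"] not in worst or RANK[r["exposure"]] > RANK[worst[r["asset"]]]:
            worst[r["asset"]] = r["exposure"]
    return worst


def exposure_counts(register):
    """Sanity check on scale use: if nearly every row is 'critical', the scale is
    not discriminating and the prioritization tells management nothing."""
    return dict(Counter(r["exposure"] for r in register))


# Constructed register rows: (asset, importance, threat or vulnerability, likelihood, impact).
SAMPLE_ROWS = [
    ("payroll-db",   "critical", "SQL injection in HR portal",      "medium", "critical"),
    ("payroll-db",   "critical", "unpatched database host",         "high",   "high"),
    ("public-web",   "high",     "volumetric DDoS",                 "high",   "medium"),
    ("public-web",   "high",     "defacement via stale CMS plugin", "medium", "medium"),
    ("build-server", "high",     "leaked CI deploy credentials",    "medium", "critical"),
    ("print-server", "low",      "vulnerable printer driver",       "high",   "low"),
]


def worked_example():
    register = build_register(SAMPLE_ROWS)
    return {
        "order": [(r["asset"], r["threat"]) for r in prioritize(register)],
        "worst": worst_exposure_per_asset(register),
        "counts": exposure_counts(register),
    }


if __name__ == "__main__":
    result = worked_example()
    for asset, threat in result["order"]:
        print(f"{asset:<13} {threat}")
    print(result["worst"])
```

With the constructed rows the register sorts the payroll database's SQL injection and the build server's leaked CI credentials to the top (both rated critical, the payroll database first because it is the more important asset), and the print server's driver flaw to the bottom. The validation in `rate_exposure` and `build_register` is the practical half of "consistent scale": a spreadsheet cell reading "severe" or left blank is rejected rather than quietly sorted out of sight.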
