Blog

Quantitative Vs Qualitative Cyber Risk Management Approach

SANTHOSH KUMAR , DR. GRIGORIOS FRAGKOS Nov. 30, 2020
Follow Digital14 thought leaders, news, and alerts.
LinkedIn
Twitter
RSS

Introduction to Cyber Risk Management

There is always a certain level of inherent risk when operating any organisation. Given the fact that it is not possible to completely eradicate business risk, appropriate risk management efforts need to be in place to reduce your exposure to risk to an acceptable level. With most organisations going through a digital transformation, to unlock competitive advantage in their respective markets, additional risk is inevitably introduced and accumulated across the whole spectrum of operations. 

The risks that could compromise the confidentiality, integrity and availability of sensitive information, products and services are categorised as risk(s) related to cybersecurity, or as commonly referred to as cyber risks (such as cyber risks identified through the UAE IA Standards assessment). Organisations could manage these cyber risks through a focused approach in a qualitative or quantitative manner. Let us have a look at what these approaches are, list their benefits and limitations, and see which could be considered the best-suited approach for your organisation.

Qualitative Approach

Currently, most organisations utilise the qualitative approach to manage cyber risks. Cyber risks need to be handled with a concentrated approach to reduce exposure to acceptable levels. In the qualitative approach, rating scales (e.g. Low-High, 1-3, etc.) are utilised to calculate the impact and likelihood to the organisation if the risk is materialised. A product of these two factors is plotted in a graph to depict the severity or rating of the risk in question. The risk rating is represented as a heat map (Figure 1) which makes it easy to follow and understand by stakeholders and senior management for assisting with decision making in the risk response related efforts. The best way to take on qualitative risk analysis is to break it down into smaller steps that involve:

  1. Identifying Risks

  2. Impact Analysis (including likelihood)

  3. Risk Treatment

  4. Review & Monitor

Usually, there is a strong misconception that this is a quantitative approach to risk management given the usage of predefined numbers to evaluate risk scales, impact and likelihood statements. The quantitative approach to risk management is different, and it is discussed in detail later on. 


Risk Rating

 

Impact

Likelihood

Low

Medium

High

High

Low

Medium

High

Medium

Low

Medium

Medium

Low

Low

Low

Low

Figure 1 – Sample Qualitative Risk Heat Map


There are some advantages and disadvantages of the qualitative approach to cyber risk management which we’ve outlined below.

Benefits

  • Best fit for a less matured organisations. Organisations that might not have most of its assets quantified in figures depicted in the local currency, such as Dirham.

  • Relatively simple to utilise and reach risk values. Less effort is required to perform risk assessments and manage risks.

  • An effective tool for communicating risks, alignment, and understanding to relevant stakeholders to arrive at risk mitigation decisions quickly. Scope for incorporating professional judgement is included in this approach to arrive at risk values.

Limitations

  • There is increased difficulty to communicate the risk in quantified terms (e.g. Dirham figures) to the senior management.

  • Inconsistent and inaccurate results may be produced as the risk ratings are highly dependent on the experience, expertise and competency of the risk assessor.

  • There is an increased tendency to inflate risk by considering a conservative approach, i.e. better to have a higher risk and be on the safer side rather than having a lower risk and take accountability of a possible risk materialisation.

  • Inability to prioritise risks within the same risk category, i.e. all risks with a medium risk rating will have the same level of prioritisation for risk treatment efforts.

  • Inability to perform an accurate cost-benefit analysis to decide on the risk treatment options.

  • Stakeholders might revise the risk rating with a tendency to lower risk ratings, without any supporting data points other than adjusting risk tolerance and risk appetite.

  • There is the additional effort required to map third-party cyber security assessment findings to “match” its internal risk management framework and risk prioritisation activities.

  • Incapable of producing accurate results through data analytics as the core data is based on relative scales and not data points.

This approach best suits organisations that operate in low-risk environments that are less dependent on technology for their core business operations, and have less-mature cybersecurity practice. At the same time, it needs to be clear that the qualitative analysis of the risk environment provides the necessary clarity to prioritise tasks quickly and cost-effectively without having to dive into severe logistical and financial challenges that a quantitative model would otherwise require. 

Quantitative Approach

The quantitative approach to cyber risk management involves numerical values for asset valuation as well as the calculation of risk factors (Impact and Likelihood). These values would not be relative scales and would generally be based on asset values and mathematical equations (Figure 2). 

The final risk assessment report has currency figures for risk levels, potential loss and cost of mitigation controls. This facilitates effective and unambiguous risk related discussions and decisions. This also improves the accuracy of the risk-ratings as these are based on data points and not on relative scales. In other words, conducting a quantitative risk analysis requires:

  1. High-quality data 

  2. A well-developed project model 

  3. A prioritised lists of project risks (usually from performing a qualitative risk analysis beforehand)

Effectively, the quantitative risk analysis should be in a position to quantify the possible outcomes and assess the probability of achieving specific objectives, contribute to the decision making process when there is uncertainty, and last but not least, create realistic and achievable cost/schedule/scope targets.



Asset Value
(AV)

Exposure Factor (EF)

Impact
(SLE = AV*EF)

Likelihood (ARO)

Risk value
(ALE = SLE*ARO)

200,000 AED

60%

120,000 AED

20%

24,000 AED

Asset Value (AV): Monetary value for each asset.

Exposure Factor (EF): Percentage of loss that an organisation would experience if a specific asset were violated by a realised risk.

Single Loss Expectancy (SLE): Cost associated with a single realised risk against a specific asset.

Annualised Rate of Occurrence (ARO): Expected frequency with which a specific threat or risk will occur within a single year.

Annualised Loss Expectancy (ALE): Possible yearly cost of all instances of a specific realised threat against a specific asset.

Figure 2 – Sample Quantitative Risk Calculation

However, there are advantages and disadvantages with the quantitative approach when it comes to cyber risk management which we’ve outlined below.

Benefits

  • The ability to communicate the risk in quantified terms (e.g. Dirham figures) to the senior management.

  • Consistent and accurate results are produced as the risk ratings are based on data points (less dependent on the risk assessor’s competency and experience).

  • The representation of risk in actual values, and the elimination of any requirement for adjusting risk ratings to relative scales.

  • Accurate prioritisation of risk treatment efforts as each risk would have a unique (mostly) value and not grouped together under similar ratings.

  • The ability to perform an accurate cost-benefit analysis to determine risk treatment options as the risk values are based on local currency figures.

  • Improved ability to defend risk ratings with stakeholders as the risk values are based on data points.

  • Effective data analytics on the cybersecurity risks is possible as the risk values are based on actual data points.

Limitations

  • An up-to-date and accurate assets (including systems and information) inventory is a prerequisite for this approach, and it would require considerable efforts to build and maintain.

  • The additional requirement to quantify all assets in local currency figures.

  • Inability to clearly communicate a risk narrative or the big picture to the senior management.

  • Limited scope for incorporating professional judgement to arrive at risk values (certain risks are subjective in nature and require expert opinions to be considered).

This approach best suits organisations that operate in high-risk environments that are more dependent on technology for their core business operations, and have a mature (or at least well-established) cybersecurity practice. The nature of the quantitative risk analysis expects to dive into logistical challenges and financial data points as it uses that data to produce a value to measure the acceptability of a risk event outcome.

Summary

It goes without question that there are advantages and disadvantages to both approaches (Table 1). The qualitative approach enables a clear and descriptive narration of cyber risks, while the quantitative approach provides accurate risk values for detailed analysis and further considerations.

Table 1 – Qualitative vs Quantitative (comparative summary)

Qualitative

Quantitative

Subjective evaluation of probability and impact

Probabilistic and objective estimation of time, cost, scope

Focused at risk-level 

Focused at task/project-level

Broader use across all identified risks

Limited use; Dependent on type of project, risk type, and data availability.

Less time-consuming and straightforward

Time-consuming and potential cost associated

No investment for specialised S/W is necessary 

May require the use of specialised S/W tools

Does not require significant amount of data

Requires significant amount of data

Does not utilise cost benefit analysis to finalise risk treatments

Utilises cost benefit analysis to finalise risk treatments

Requires a certain level of work which is based on the security assessor’s expertise and previous experience in order to arrive at risk ratings.

Requires meticulous work which is based on the security assessor’s expertise and previous experience in order to provide an accurate depiction of risks in terms of value.

Despite the fact both approaches have their pros and cons, they are not meant to compete with each other as to which is “best”, but rather which one is best suited given the challenge(s) at hand. After all, they are both two very important risk management tools of the larger risk management process, which in many cases complement each other. 

Even though there is no clear cut “winner” when it comes to these two approaches, the lack of either of these approaches results in ineffective cyber risk management with potentially devastating results for an organisation. 

A combined framework utilising the best attributes of both these approaches would be the ideal candidate for effective and efficient cyber risk management. Organisations can reach out to cyber risk management consultants to establish an effective cyber risk management framework that is both flexible and bespoke to match their particular requirements.


To learn more, visit Digital14.com today.