by mathildeexlm

Risk management is the cornerstone of many organizations’ decision-making processes. However, information security risk management is sometimes neglected. Even though it is not just about information technology, cyber risk is one of the most important risks an organization faces, and there are business consequences behind any cybersecurity incident. That is to say, information security risk management is an important process for organizations of all types and sizes. Implementing effective risk management helps organizations reach their objectives and, moreover, define their security strategies.

Proper cyber-risk management allows identifying risks with a positive outlook, which could represent a potential gain for the organization. More importantly, it also allows identifying risks with a negative outlook, which could represent some form of loss. Usually, organizations focus on these negative risks within their cyber-risk management program. It is important to understand that not all risks can be addressed, because of financial and capacity restrictions, among others. As a result, it is not possible for an organization to reach “zero risk” or even to mitigate all the risks that could be identified.

Consequently, an organization must switch to an arbitration logic. Based on several pre-defined criteria, the organization must decide how it will address the identified risks: whether to mitigate them by means of controls and security measures, or whether to accept, transfer, or even avoid them by removing their inherent components. Multiple risk treatment options can be chosen to address the risks.

Nevertheless, in order to choose the right risk treatment, the risk management process should be consistent. Properly identifying and analyzing risks and defining the risk treatment plan can be performed by means of different approaches.

Qualitative versus quantitative risk approaches

The goal of a risk assessment is to identify risks and assess their criticality in order to obtain a proper view of which risks impact the organization the most and should therefore be addressed first. There are two common approaches that are widely used within organizations.

Qualitative risk analysis

On the one hand, qualitative risk analysis is based on scales; it is more subjective but easier to understand. Subjective scales are used to evaluate risks, costs, and effects. This approach assigns subjective and intangible values to the risk impacts. It uses a simple matrix crossing risks and impacts. Despite the subjective nature of the assessment, good knowledge of the organization and competent risk assessors are required to assign relevant values.

Quantitative risk analysis

On the other hand, quantitative risk analysis is based on figures (financial and statistical elements) and can be more complex. It requires history and a good information base to define the context in which the organization operates and, ultimately, the probability that an attacker would be interested in targeting the organization. Unlike the qualitative approach, the quantitative approach assigns real financial values to the risk impacts and is based on mathematical calculations. We can sum up this approach as the assignment of financial values to the organizational assets, to the potential loss due to the realization of a risk, and to the probability of a risk occurring. Mathematical calculations are then used to assess the financial loss resulting from the realization of a risk.
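As an added illustration of the quantitative calculation described above (not code from the original post, nor from Citalid), the following Python script assigns each risk scenario a yearly probability of occurrence and a financial loss range, computes its annual loss expectancy (probability times expected loss per occurrence, the standard ALE formula, an assumption here since the post does not name it), draws a Monte Carlo loss distribution, ranks scenarios for prioritization and checks whether a control pays for itself. Scenario names and amounts are constructed sample values.

```python
# Quantitative cyber-risk figures: ALE, Monte Carlo losses and control cost/benefit. Constructed sample data (EUR).
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    annual_probability: float  # probability that the scenario occurs in a given year
    loss_low: float            # loss per occurrence: minimum, most likely, maximum
    loss_mode: float
    loss_high: float
    def expected_single_loss(self) -> float:
        # Mean of a triangular loss distribution over (low, mode, high)
        return (self.loss_low + self.loss_mode + self.loss_high) / 3

    def annual_loss_expectancy(self) -> float:
        # ALE = probability of occurrence per year x expected loss per occurrence
        return self.annual_probability * self.expected_single_loss()

def simulate_annual_losses(s: Scenario, years: int, seed: int = 1) -> list:
    """Monte Carlo: each sample is one simulated year; loss is 0 unless the scenario occurs."""
    rng = random.Random(seed)
    return [rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
            if rng.random() < s.annual_probability else 0.0 for _ in range(years)]

def exceedance_probability(losses: list, threshold: float) -> float:
    """Share of simulated years whose loss exceeds the threshold (loss exceedance view)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)

def prioritize(scenarios: list) -> list:
    """Rank scenarios by annual loss expectancy, highest first."""
    return sorted(scenarios, key=lambda s: s.annual_loss_expectancy(), reverse=True)

def control_net_benefit(s: Scenario, reduced_probability: float, annual_cost: float) -> float:
    """Yearly ALE reduction a control brings, minus the control's yearly cost."""
    after = Scenario(s.name, reduced_probability, s.loss_low, s.loss_mode, s.loss_high)
    return s.annual_loss_expectancy() - after.annual_loss_expectancy() - annual_cost

# Constructed sample scenarios: (name, yearly probability, loss min / most likely / max)
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.30, 50_000, 150_000, 500_000),
    Scenario("Customer database exfiltration", 0.10, 200_000, 600_000, 2_000_000),
    Scenario("Website defacement", 0.50, 5_000, 10_000, 30_000),
]

if __name__ == "__main__":
    for s in prioritize(SCENARIOS):
        sim = simulate_annual_losses(s, 20_000)
        print(f"{s.name}: ALE={s.annual_loss_expectancy():,.0f}  P(loss>300k)={exceedance_probability(sim, 300_000):.2%}")
```

The exceedance probability is the figure a decision maker compares against the organization's risk appetite, while the net benefit check is the arithmetic behind choosing to mitigate rather than accept a risk.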

Organizations can choose one approach or the other, or even implement a hybrid approach, which consists in complementing a qualitative approach with the information base characteristic of a quantitative approach.

Overall, qualitative approaches outline risk severity over a broad area of interest and are usually less time-consuming. However, their added value relies mainly on the competences and knowledge of the risk assessors. Meanwhile, the quantitative approach is more suitable for organizations that require financial data to make appropriate decisions, yet it requires more information and time. Quantitative risk assessment usually relies on software tools to support the process.

Quantitative risk approach challenges

Insurance companies, banks and industry often benefit the most from quantitative risk management approaches, since decision making is best supported by financial data. However, they can be reluctant to implement this approach due to the time and complexity required and the lack of adequate software or tools. Citalid, which will be discussed hereinafter, is a good solution to address these challenges. It provides comprehensive software for quantitative risk management which can be deployed and managed on-premises or consumed on an “as a Service” model.

Citalid works on three sets of data:

  • an industry sector analysis,
  • the risk scenarios analysis,
  • and the security profiles.

The industry sector analysis identifies the relevance of attacks on the targeted scope of assets. It improves the establishment of the threat landscape based on the different attack operating modes (based on the MITRE ATT&CK framework) and their likelihood of occurrence (using Data Lake Citalid).

The risk scenario analysis defines different risk scenarios based on their inherent financial loss and the frequency of successful attacks. It is the central point of the analysis, identifying which risks the organization should consider and what their potential of realization is.

Finally, the defensive security profile identifies the organization’s maturity level in terms of controls, and thus its ability to withstand potential attacks.

Citalid then automates the simulation of each risk scenario by aggregating the risk scenarios with the industry sector analysis and confronting this data set with the organization’s security profile. Automatically generated dashboards then provide a concrete view of the analyzed risks with their prioritization, related financial data and a proposed risk treatment plan for the organization.

The main advantage of this solution is the use of Data Lake Citalid. It collects and processes multiple data sources (such as security vendor reports, CTI feeds, social networks, etc.) to identify the relevance of attack operating modes. Correlating this set of information provides objective factors that complement the risk scenario analysis with factual context information.

All in all, a quantitative risk management approach requires a large set of information to obtain accurate and relevant results. Furthermore, the mathematical calculations can be complicated, and appropriate software is a must-have to perform the analysis. To optimize your initiative for quantifying cyber risks, solutions such as Citalid integrate and automate all these elements and provide your organization with an easily manageable platform, but you should also rely on the support of information security professionals who master quantitative risk management approaches.

