
Quantitative Risk Assessments: Bridging the Gap between IT and Business

Running a business is complicated and stressful. Management can often feel like Atlas, the Titan of Greek mythology who was condemned to carry the weight of the entire world.

When management is approached by an IT professional who says there is a “medium” risk on a server within the organization, “medium” might not sound too bad compared to everything else going on. After management decides to forgo funding for a cybersecurity fix, IT professionals often leave frustrated that they are knowingly leaving a security vulnerability on an important server. What can be done to avoid this misunderstanding?

Think about what causes miscommunication. I lived in South America for 2 years where I had little interaction with people who spoke English as their first language. I learned Spanish well, but some phrases just did not translate how I thought they would. You learn Spanish thinking “Lo siento = sorry” and “No importa = never mind.” However, the cultures and languages are so different that those translations do not work all the time. This often caused confusion or even offense at times—not because I was intentionally being mean but because I was still learning the language.

Similarly, IT professionals and upper management often have a hard time understanding each other perfectly. Looking at the two backgrounds, we see that an IT professional does not always speak business strategy, while management does not always speak cyber. One common background, however, is money. What if we came together in a common language—money-talk?

What is Quantitative Risk Assessment (QRA)?

Just as Google Translate can be used to translate French to German, QRAs can be used to translate threats, vulnerabilities, and risks to money-talk. We use QRAs to estimate risk in financial terms.

An advantage of a QRA is its ability to compare and prioritize risks to the company. A quantitative risk assessment spits out monetary values for each risk. This makes comparing two risks (even from different departments or different threat areas) much easier. Even comparing security risks with other business decisions is possible if we speak in money-talk.

Another way data security risks can be compared is by creating hypothetical situations to see where money should be spent in order to maximize the Return on Investment (ROI). The hypothetical situations are basically a way to estimate the amount of money required to make a certain change, and then how much the risk would decrease by implementing that change. For example, a QRA might show us that making a $100,000 investment only reduces the Annualized Loss Expectancy (ALE) by $5,000 per year. In this case, spending the money to implement the security control will most likely not be worth the money.
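To make that comparison concrete, here is an added example (not from the original post) of the Annualized Loss Expectancy arithmetic behind such a hypothetical scenario. The asset value, exposure factor and rate of occurrence are constructed inputs; the first candidate control reproduces the post's $100,000-for-$5,000 case, and the second shows a cheaper control that is worth funding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollar value of the asset to the business
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # annualized cost of implementing the control
    new_ef: float       # exposure factor once the control is in place
    new_aro: float      # incident frequency once the control is in place


def ale_reduction(risk: Risk, control: Control) -> float:
    """Yearly loss avoided by the control (ALE before minus ALE after)."""
    residual = Risk(risk.name, risk.asset_value, control.new_ef, control.new_aro)
    return risk.ale() - residual.ale()


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus cost; negative means the fix costs more than it saves."""
    return ale_reduction(risk, control) - control.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Candidate controls ordered by net annual benefit, best first."""
    scored = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed scenario (hypothetical numbers): a file server worth $1,000,000,
# losing 10% of its value per incident, with an incident expected every 4 years.
SERVER = Risk("file server", asset_value=1_000_000, exposure_factor=0.10, aro=0.25)
CANDIDATES = [
    Control("replace server platform", annual_cost=100_000, new_ef=0.10, new_aro=0.20),
    Control("patch and backup regime", annual_cost=8_000, new_ef=0.10, new_aro=0.05),
]

if __name__ == "__main__":
    print(f"current ALE: ${SERVER.ale():,.0f} per year")
    for name, benefit in rank_controls(SERVER, CANDIDATES):
        print(f"{name}: net benefit ${benefit:,.0f} per year")
```

Run as a script, it shows the $100,000 control reducing a $25,000 ALE by only $5,000 (a net loss of $95,000 per year), while the $8,000 control nets $12,000 per year.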

Should I sell my house and boat to move to Quantitative Risk Assessments?

I love Quantitative Risk Assessments just as much as anyone else, but there is still value in a qualitative approach to data risk assessments.

Some pitfalls of a purely quantitative risk assessment might include:

  • Missing some risks. There is some effort involved in trying to quantify every risk. Sometimes risks can get left out because they are not easily quantifiable.
  • Relying entirely on the numbers. As with any risk-based assessment, the results help us make informed decisions—but they do not make the decisions for us.

So no, I would not recommend selling your house and boat. But if you are aware of these pitfalls, you can rely on a QRA to help protect your business. If you have the resources, try performing both a qualitative and a quantitative risk assessment to see what interesting results you find.
