My organization is looking to settle on a specific risk analysis method. Could you explain a few of the different...
risk analysis methodologies and discuss which ones would work better in certain situations/for certain enterprises?
A risk assessment identifies, evaluates and measures the probability and severity of risks, and forms the foundation of an effective enterprise risk management program. It is often mandated by regulatory requirements such as the Sarbanes-Oxley Act and PCI DSS, as it enables an organization to make an informed decision on how best to manage the risks that have been identified. Although ISO 27005, an international standard providing guidelines for information risk management, outlines a generic risk assessment process, it leaves the choice of that process to the business. There are a number of different risk analysis methodologies available for enterprises. For organizations that have not yet undertaken a risk assessment, it is best to start with a qualitative assessment, as that is easier to complete.
Qualitative risk analysis categorizes potential risks based on either nominal or ordinal scales; for example, the risk rating of the company's customer database being successfully hacked could be 5 or 7; the actual score is calculated by multiplying the probability and impact values determined during the risk assessment process.
Quantitative risk analysis (QTRA) is more rigorous and aims to be more objective in terms of costs by using techniques such as benchmarking and probabilistic and nonprobabilistic modeling. In QTRA, the overall cost impact is calculated so, using the example above, the cost of a data breach may be estimated to be $147 per customer record. This risk analysis method requires a greater level of detailed data to support the threat and trend analysis, such as transaction errors, number of malware infections, and equipment failures, as well as externally sourced statistics like breaches suffered by peer organizations.
However, measuring the level of risk an organization faces is a big undertaking. It is best to split risk assessments into defined areas of the business. This could be a physical location, such as a call center, or a business process, such as order fulfillment. For those organizations lacking in-house expertise, there are various options. The OCTAVE Allegro risk analysis method from CERT provides free resources to perform a risk assessment. It is an asset-focused method primarily intended as a qualitative assessment, although it can be used for simple quantitative analysis. Threats and impacts are considered in light of real-world scenarios to identify risks, which are then prioritized and mitigations planned according to qualitative risk measurement criteria specific to the organization's drivers and objectives. The Microsoft Security Assessment Tool is another free tool that can help build a business risk profile by measuring a company's risk of doing business based on its industry and business model.
NIST SP 800-30 is the U.S. government's preferred risk assessment methodology, and is mandated for U.S. government agencies. It features a detailed, step-by-step process from the initial stages of preparing for an assessment through to conducting it and managing the results. The methodology should be usable by organizations of all sizes, in both the private and public sectors. Organizations where legal and regulatory compliance is a priority should consider ISACA's COBIT 5. It is a comprehensive governance and enterprise IT management framework that includes risk assessment. However, it will require a significant investment of time and skilled personnel to implement.
To generate a risk profile that reflects a view of information risk in business terms, a tool such as Information Security Forum's Information Risk Assessment Methodology 2 is an option. Its Risk Analyst Workbench tool helps with the business impact assessment, threat and vulnerability assessment, and control selection. Other commercial tools such as vsRisk and RM Studio come with threat and related vulnerability libraries and tools to calculate the risks to each asset. Documenting all the threats and quantifying the associated risks, even for a small office or basic process, usually takes a few weeks and can last up to several months for more complex, regulated businesses. Before selecting a specific risk analysis method and beginning a risk assessment, ensure senior management understands the time and resources required to complete it.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Read more on conducting risk management for third parties
Find out how the latest technology is changing how global risk assessments are performed
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading