ISACA Journal Author Blog


Measuring Risk Quantitatively

Benoit Heynderickx, CISA, CRISC
Published: 8/5/2019 3:03 PM | Category: Risk Management

Quantitative risk has become a growing field of interest for information security professionals. This is good news, as I strongly believe that this is the right approach to perform meaningful information risk assessments.

The first time I discovered quantitative risk was by picking up a book in the library called The Failure of Risk Management.1 The book validated my concerns over the classical approach to risk management for information security that used qualitative indicators such as high, medium and low. As a practitioner of information risk management, I could not hide my disappointment amongst my peers and was really hopeful there might be a better way.

After reading Hubbard’s book, I obtained a master's in information risk, in which I had an enlightening course called quantitative risk analysis. I then decided to bring some quantitative risk concepts to my organization and perform a pilot risk assessment comparing the outcome of both a qualitative and quantitative assessment on the same business application.

The outcome of this pilot risk assessment was shared amongst my peers within my organization, as explained in my ISACA Journal article. It attracted a lot of interest from the key stakeholders in my organization: business application owners, IT application owners and the chief information security officer (CISO). My model deliberately took a simple probabilistic approach rather than the more advanced ones advocated by quantitative experts, as I did not have the time needed to delve into the realm of probabilistic analysis.

I still feel very passionate about the need to further develop quantitative risk analysis for information security. Quantitative analysis is already used extensively in other fields such as finance, healthcare and insurance, so there is no reason why the same approach cannot be applied to information security.

Read Benoit Heynderickx's recent Journal article:

"Evolving From Qualitative to Quantitative Risk Assessment: A Practitioner’s Dilemma," ISACA Journal, volume 4, 2019.

1 Hubbard, D. W.; The Failure of Risk Management: Why It’s Broken and How to Fix It, Wiley, USA, 2009


Audit Value

I have faced questions during my time in audit, asked by organizations, about how it can be quantified. I did not have a proper answer to give except the IT Act 2000 Indian regulation.
Rama204 at 8/7/2019 12:27 AM

Applying risk quantification

One of the well-known methodologies for risk quantification is FAIR. Nevertheless, risks can be quantified whilst applying an ISO or NIST type risk assessment. In their guidance, these international standards clearly state that risks can be analysed qualitatively or quantitatively.

Quantifying risk is really a matter of giving tangible numbers (i.e., monetary values) to the potential business impacts, rather than High, Medium or Low. The maths and stats follow but do not have to be overly complex, as I stated in my article.
Benoit459 at 8/21/2019 10:14 AM
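The post mentions a simple probabilistic model, and the comment above describes quantification as attaching monetary values to business impacts. The following is an added illustration of what that looks like in practice; it is not the author's pilot model or any code from the article. The four scenarios, their annual probabilities and loss ranges, the High/Medium/Low thresholds and the uniform loss distribution are all constructed assumptions chosen to show the mechanics, not real data.

```python
"""Simple quantitative risk estimate alongside a qualitative rating.

Constructed example: four hypothetical scenarios with assumed annual
probabilities and assumed single-event loss ranges. Nothing here comes
from the article or from the author's pilot model.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # assumed chance of at least one event per year
    loss_low: float            # assumed single-event loss range (monetary units)
    loss_high: float

    @property
    def loss_mid(self) -> float:
        return (self.loss_low + self.loss_high) / 2


# Constructed sample register; every figure is illustrative, not real data.
SCENARIOS = [
    Scenario("Phishing-led credential compromise", 0.60, 20_000, 80_000),
    Scenario("Ransomware on file server", 0.10, 200_000, 800_000),
    Scenario("Lost unencrypted laptop", 0.20, 5_000, 15_000),
    Scenario("Third-party data breach", 0.35, 100_000, 300_000),
]


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate: annual likelihood times mid-point impact."""
    return s.annual_probability * s.loss_mid


def qualitative_rating(s: Scenario, prob_threshold: float = 0.30,
                       loss_threshold: float = 100_000) -> str:
    """A typical 2x2 High/Medium/Low scoring, included only for comparison.

    The thresholds are assumptions; real schemes vary by organisation.
    """
    high_prob = s.annual_probability >= prob_threshold
    high_loss = s.loss_mid >= loss_threshold
    if high_prob and high_loss:
        return "High"
    if high_prob or high_loss:
        return "Medium"
    return "Low"


def risk_register(scenarios=SCENARIOS) -> list[tuple[str, str, float]]:
    """(name, qualitative rating, expected annual loss), largest loss first."""
    rows = [(s.name, qualitative_rating(s), expected_annual_loss(s))
            for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def simulate_annual_loss(scenarios=SCENARIOS, years: int = 10_000,
                         seed: int = 1) -> list[float]:
    """Monte Carlo: one simulated total loss per year.

    Each scenario fires with its annual probability and, when it does,
    draws a loss uniformly from its assumed range (a deliberately simple
    distribution choice; a lognormal would be more usual in practice).
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.uniform(s.loss_low, s.loss_high)
        totals.append(total)
    return totals


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of values."""
    ordered = sorted(values)
    k = max(0, math.ceil(p * len(ordered) / 100) - 1)
    return ordered[k]


if __name__ == "__main__":
    for name, rating, eal in risk_register():
        print(f"{name:38s} {rating:6s} EAL = {eal:>10,.0f}")
    totals = simulate_annual_loss()
    mean = sum(totals) / len(totals)
    print(f"Simulated mean annual loss : {mean:,.0f}")
    print(f"90th percentile annual loss: {percentile(totals, 90):,.0f}")
```

Running it shows the practical difference the post is getting at: two scenarios that both score "Medium" on the qualitative grid carry different expected annual losses, and the simulated 90th percentile (a "bad year") sits far above the mean, which a single High/Medium/Low label cannot express.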