How to Conduct a Quantum Risk Assessment Using ISACA’s Risk IT Framework

Could organizational encrypted customer data be at risk before quantum computing becomes mainstream? The answer is absolutely, especially as Q-Day approaches. Q-Day refers to the moment when quantum computers become powerful enough to break today’s encryption.

Attackers are not waiting; they are already capturing encrypted financial data today, planning to decrypt it once quantum capabilities mature. This “harvest now, decrypt later” threat has become a concern. In parallel, the National Institute of Standards and Technology (NIST) has finalized its Post-Quantum Cryptography (PQC) standards, encouraging organizations to begin planning their transitions now.

Using the fictitious financial institution, Metrobank, this quantum risk assessment (QRA) walkthrough demonstrates how to translate quantum risk from an abstract future threat into a practical, actionable program. This approach is aligned with NIST's PQC standards and structured through ISACA’s Risk IT Framework^©.

Introduction

The financial institution, MetroBank, is taking the post-quantum threat seriously. The bank's executive team launched a QRA using ISACA’s Risk IT Framework. Their objectives included:

1. Identify critical systems that quantum threats could impact.
2. Quantify the likelihood and business impact of those threats.
3. Develop a risk response roadmap aligned with NIST guidance and MetroBank’s own risk appetite.
4. Integrate quantum considerations into daily operations and align them with broader organizational risk practices.

Step 1: Risk Governance – Define the Mission

The Governance domain of the Risk IT Framework sets the strategic direction for managing quantum risk, ensuring decisions align with organizational goals and risk appetite through leadership and policy.

Key Questions:

• Which systems store our most sensitive data?
• What deadline ensures migration before Q‑Day?
• Who will be accountable for driving and reporting progress?

Activities:

1. Scope assets—Identify high‑value systems (e.g., customer databases, loan platforms, payment engines).
2. Set risk appetite with the board—For example, MetroBank decided it will not allow RSA‑2048 exposure for sensitive data beyond 36 months after NIST PQC approval.
3. Establish accountability—Create a quantum readiness task force, appoint a quantum risk lead, and schedule monthly reviews.
4. Update policies and contracts—Require all new technology to support NIST PQC and mandate vendor compliance certificates.
5. Promote awareness—Conduct executive briefings, staff training, and tabletop exercises to embed a quantum‑risk culture.

Step 2: Risk Evaluation – Quantify the Threats

The Evaluation domain in the Risk IT Framework provides a method to identify, assess and prioritize quantum-specific risk based on technical vulnerabilities and business impacts. This prioritization ensures that mitigation efforts are focused on where they matter most.

Key Questions

• Which attack scenarios could cause the most financial or reputational damage?
• How long must our data remain confidential before PQC migration completes?
• Are our migration timelines realistic compared to projected Q-Day?

Activities

1. Create a Cryptographic Inventory
   • Catalog systems using cryptography (RSA or ECC) and classify data (x) by sensitivity (e.g., personally identifiable information (PII), trade secrets).Assign retention periods to the data e.g., mortgage records (x = 15 years), transaction logs (x = 7 years).
2. Set Timing Benchmarks (y & z)
   • o (y) value—Migration time to post-quantum cryptography (PQC) (e.g., legacy loan system = 18 months).
   • o (z) value—Collapse time (Q Day) forecast (e.g., 2029 from IBM’s 1,000 qubit roadmap).
   • Action threshold—Prioritize assets where x+y>z.
     Example: Mortgage records (x=15) + migration (y=1.5) = 16.5 years > z=2029 → High priority.
3. Define Quantum Threat Scenarios, such as:
   • Harvest now, decrypt later—Malicious actors steal encrypted archives (e.g., intellectual property (IP), health records) with >5–10-year sensitivity for future quantum decryption.
   • Real-time payment tampering—Shor’s algorithm breaks transport layer security/secure sockets layer (TLS/SSL) encryption to alter transactions mid-transit.
   • Insider exfiltration of backups—Malicious actors steal encrypted backups for later quantum decryption.
   • Cloud key management gaps—Multi-cloud key management as a service (KMaaS) misconfigurations expose keys to quantum decryption.
4. Calculate ALE (Annualized Loss Expectancy)
   • Single Loss Expectancy (SLE) = Asset Value × Exposure Factor
   • Asset Retirement Obligations (ARO) = Annual likelihood
   • ALE = SLE × ARO
     Example: $100M asset × 50% × 20% = $10M/year.
5. Build and Visualize Risk Register
   • List Asset, Scenario, x, y, z, SLE, ARO, ALE, Priority. Use a heat map: red for high‑impact/high‑likelihood.

An example risk register is presented in figure 1.

Figure 1—MetroBank’s Risk Register

Step 3: Risk Response – Treat and Transfer

The Response domain of ISACA’s Risk IT Framework guided MetroBank in selecting the most effective risk treatments to ensure continuity and resilience. For quantum risk, this involved applying 4 response types: avoid, mitigate, transfer, and accept, based on priority and business impact.

Key Questions:

• What risk can be avoided?
• Where should we pilot quantum-safe technologies first?
• Can we transfer residual risk cost effectively?

Activities:

Identify Risk Responses

Metrobank determined the most appropriate risk response for each prioritized risk identified during the evaluation phase, as outlined in figure 2.

Figure 2—MetroBank Risk Response Example

Develop Migration Roadmap
This example roadmap, developed by Metrobank’s quantum readiness task force, is based on an analysis of the risk register, system inventories, and vendor capability assessments (reviews of third-party readiness for post-quantum security). It sequences migrations by risk, feasibility, and dependencies.

• Year 0-2—Establish quantum risk governance, complete a cryptographic inventory, and prioritize critical assets using MetroBank’s timing benchmarks and ALE scoring. Launch hybrid encryption pilots and initiate crypto-agility upgrades across key systems.

• Year 2-3—Expand hybrid encryption to sensitive non-critical systems, integrate automated cryptographic inventory tools, and continue migrating applications toward PQC-ready architectures.

• Year 3+—Fully migrate critical systems to NIST-standardized PQC algorithms and retire hybrid encryption deployments.

Step 4: Risk Monitoring and Communication – Adapt & Evolve

In the Risk Monitoring phase, effective quantum risk management is an ongoing process, not a one-time project. This step integrates quantum considerations into daily operations and aligns them with broader enterprise risk practices.

Key Questions:

• Are our timelines still ahead of Q‑Day?
• How are our migration and key risk indicator (KRI) metrics trending?
• Have we updated plans for new quantum scenarios?

Activities:

1. Continuous monitoring—Subscribe to NIST updates, vendor roadmaps and threat intelligence.
2. Define KRIs—Track % of PQC migration, time to collapse (z), and open remediation items.
3. Governance reporting—Provide dashboards to executives showing ALE changes and roadmap progress.
4. Policy review—Conduct annual reassessment of risk appetite and PQC deadlines after quantum milestones.
5. Process integration—Add PQC checkpoints to change management, incident response playbooks, IT upgrades, and vendor selection.

Conclusion: Are You Ready for Q-Day?

MetroBank’s 4-step QRA, using the ISACA Risk IT Framework, turns quantum risk into quantum readiness. Proper governance, risk evaluation and targeted responses ensure that when Q-day arrives, your organization remains secure, compliant and ahead of the curve.