A Risk Quantification Process

Return to Security Metrics
Created by the Security Executive Council

Having a list of security-related business risks and their associated countermeasures is an essential part of the risk management process. Understanding how to quantify those risks to set priorities is equally important. The flow chart in Figure 1 below lays out one approach to the analytical process associated with risk exposure quantification.

In Step 1 of the diagram, the process commences with an inventory of business risk information available from internal risk management (values and volume impacts, insurance data), industry risk data, security’s risk and hazard data, known incident data from all governance functions, and incident post-mortem outputs. These profiles enable selection of a likely set of single-incident risk scenarios. Based on their consequences, you now have one or several types of incidents you can value.

Risk Exposure Quantification Strategy Process Flow
Figure: Risk Exposure Quantification Strategy—Process Flow. One approach to the analytical process associated with risk exposure quantification.

In the second step, postulate multiple factors related to the potential consequences and impact of each incident of the specified type. Estimates of cost may be made for each scenario using a worst-case baseline, such as total loss of a known valued asset, or a less consequential result, such as an outage for a specified time. Impact costs may be estimated by engaging the business unit, which typically has loss-impact data calculations as part of the contingency planning baseline. Other estimates may be merely logical plug-ins supported by prior-event data.

The single-incident cost estimates are then processed through the filter of the effectiveness of the countermeasures that are in place for each risk event. For example, backup resources are in place to respond to a natural disaster outage, and the time to recover may be reliably estimated through prior tests. That recovery time and other impacts may also be reliably estimated. You will find your CFO and risk management or insurance offices most helpful in identifying insurance industry data associated with various security incidents and scoping single-incident costs to risk impacts.

Likelihood of an incident is a measure of your vulnerability to specific breaches based on test data, known downtimes, audit data on unresolved business process deficiencies, and increased frequency of similar events within your industry or region. Effectiveness of countermeasures is also based on test data. The known resilience or identified weaknesses of the countermeasures available in your scenario will drive your likelihood estimates. For example, what if this process were to postulate a much wider impact of the disaster that limited or eliminated the backup capability in our outage scenario above?

You will find that your best likelihood measure used for influential impact will be your periodic testing of the effectiveness of safeguards applied by your resources and business units, particularly where they are required by standard or policy. Several key areas of measurement include:
  • the perceived value or attractiveness of the object of protection;
  • the degree of probable success in penetrating a specific countermeasure; and
  • the degree of knowledge of that vulnerability within the population.

Each of these concepts may be verified by testing. There are a variety of risk-quantification tools available through risk management organizations and vendors. This is but one exercise that may be engaged in by a governance team or in cooperation with the potentially affected business units.

The bottom line is the need to understand the potential impact of higher-likelihood risk events in financial and other relevant terms.

Return to Security Metrics