A common misconception about risk quantification is that it requires starting from scratch. In reality, businesses that are already documenting their IT risks and controls can build on the data they already have to begin quantifying their risks. ITRM: The Promise and Challenges of Risk Quantification explores why risk quantification — the process of defining the impact of a risk to the business in dollars — is an endeavor worth undertaking, and dismantles several common myths about getting started. Download the full guide here, and continue reading for seven steps to getting started with risk quantification.
While there are many paths to risk quantification, a good place to start is asset quantification, as it is often easier for business professionals to understand and attach values to tangible assets rather than theoretical risks. For one, if your organization has an IT risk management or InfoSec function, it is likely already taking steps to comply with security frameworks like ISO 27005, PCI DSS, NIST SP 800-53, COBIT 5, or OCTAVE. By leveraging existing risk assessment data collected in the course of complying with these frameworks, InfoSec can begin to create data sources and data streams that can ultimately be used for risk quantification. No matter where you’re starting from, the following are seven steps to leverage your existing IT asset data and begin quantifying risk.
Checklist: 7 Steps to Get Started With Asset Data Quantification
- Leverage asset inventories you’ve already built for compliance requirements. Familiarize yourself with the security requirements your business is already taking steps to comply with, such as ISO 27001, PCI DSS, NIST SP 800-53, COBIT 5, etc. By building on work that has likely already been performed, you will not need to start from scratch to identify your assets.
- Utilize meaningful triggers to triage your assets. Establish meaningful triggers to triage your assets and determine which ones are critical to your business. Examples of triggers include: whether the asset stores or processes sensitive records, the number of users with access to the asset, etc. Taking time to triage can help narrow down the assets you’ll want to include in your risk assessment process.
- Determine the impact of each asset on the company. Look at your organization’s most valuable IT assets and consider the measurements that capture a quantifiable impact on the business, should each asset become unavailable or compromised. For instance, calculating the dollar amount associated with a potential fine or the number of sensitive records an asset processes or stores are great places to start. Another example is potential loss of revenue or productivity as a result of an asset becoming unavailable. This step applies the NIST CIA triad to determine the confidentiality, integrity, and availability impacts if a system is compromised.
- Identify the threats applicable to your assets that could trigger risk events. Understand the threats that could manifest a risk event, which would compromise your assets’ confidentiality, integrity, and/or availability. For example, if the risk event is defined at a very high level, such as a data breach, it is important to identify and understand every threat that could cause that event to occur.
- Determine the probability of these threats materializing. Threat likelihood measurements are inherently subjective and can vary based on the context and availability of information. This measurement should tie back to a specific asset. Consider a given application: how many employees have access to it? Is this asset housed internally or outsourced?
- Evaluate the strength of controls that exist to prevent or detect each threat. Identify the control measures being implemented to protect each asset against its applicable threats. In your evaluation, assign values that measure the strength of these controls in protecting each asset against its applicable threats.
- Determine the risk exposure. Now that you have determined 1) the business impact of an asset being compromised, 2) the threats that are applicable to the asset, 3) the probability of these threats materializing, and 4) the overall strength of controls to protect the asset against its respective threats, you can calculate the risk exposure. Leverage a straightforward formula that calculates the risk exposure (in dollars) in the context of the asset’s business impact: Risk Exposure = CIA Impact x (Probability of Threats – Strength of Controls).
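As an added worked example (not from the ITRM guide or the original post), here are the seven steps above applied in Python to a constructed three-asset inventory: triage by trigger, CIA impact in dollars, and the Risk Exposure formula evaluated per threat. All asset names, record counts, dollar figures, probabilities and control scores are made-up inputs, and clamping at zero where Probability of Threats minus Strength of Controls would go negative is an assumption added here.

```python
# Added example, not the guide's own code. All inputs below are constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    sensitive_records: int      # step 2 trigger: records stored or processed
    users_with_access: int      # step 2 trigger and step 5 likelihood input
    fine_exposure_usd: float    # step 3: potential fine (confidentiality/integrity)
    revenue_per_day_usd: float  # step 3: revenue lost per day unavailable
    outage_days: float          # step 3: expected outage if compromised
    threats: dict = field(default_factory=dict)   # steps 4/5: threat -> probability 0..1
    controls: dict = field(default_factory=dict)  # step 6: threat -> control strength 0..1

def is_critical(a, min_records=500, min_users=50):
    """Step 2 triage trigger: in scope if it holds many sensitive records or is widely accessible."""
    return a.sensitive_records >= min_records or a.users_with_access >= min_users

def cia_impact(a):
    """Step 3: CIA impact in dollars (fine plus revenue lost over the outage)."""
    return a.fine_exposure_usd + a.revenue_per_day_usd * a.outage_days

def risk_exposure(a):
    """Step 7 per threat: CIA Impact x (Probability of Threats - Strength of Controls).
    The difference goes negative when controls outweigh the probability, so it is
    clamped at zero (assumption) rather than reported as a negative exposure."""
    impact = cia_impact(a)
    return {t: round(impact * max(p - a.controls.get(t, 0.0), 0.0), 2)
            for t, p in a.threats.items()}  # missing control record -> strength 0

def prioritise(assets):
    """Rank in-scope assets by total annual exposure, highest first."""
    scored = [(a.name, sum(risk_exposure(a).values())) for a in assets if is_critical(a)]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed inventory; step 1 would pull this from existing compliance records.
INVENTORY = [
    Asset("billing-db", 120_000, 30, 500_000, 20_000, 3,
          {"credential theft": 0.30, "ransomware": 0.20},
          {"credential theft": 0.20, "ransomware": 0.25}),
    Asset("wiki", 0, 400, 0, 1_000, 1, {"ransomware": 0.20}, {"ransomware": 0.05}),
    Asset("dev-sandbox", 10, 5, 0, 0, 1, {"ransomware": 0.20}, {}),
]

if __name__ == "__main__":
    for name, total in prioritise(INVENTORY):
        print(f"{name}: ${total:,.2f} annual risk exposure")
```

Note that billing-db's ransomware threat contributes nothing because its control strength (0.25) exceeds the assumed probability (0.20), which is the case the clamp handles; dev-sandbox never reaches the calculation because it fails both triage triggers.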
Key Considerations as You Begin to Quantify Your Risks
Determining your risk exposure will enable you to have meaningful conversations with key stakeholders, prioritize your mitigation efforts, and make key investment decisions. In addition, the following are several other important considerations for IT security teams as they begin the process of risk quantification.
Standardize your Risk Impact Scale. Although specific measurements for each threat will vary depending on the asset — e.g. number of sensitive records, ARR dollars, number of people with user access to a system — creating a standardized risk impact scale can capture different measurements and output them as common reference values. This could be a 1-5 scale with 1 being “low risk” and 5 being “highest possible risk.” Standardizing your risk impact scale creates a context for ensuring your asset and threat measurements can be translated into a universal risk language that is specific to your business. For example: less than 500 sensitive records = low risk, more than 10,000 sensitive records = highest risk.
Understand where the risk sits in your organization. Identify the departments and specific roles that manage your information assets. This is not only important for InfoSec, but also for the system owners who are managing these critical assets. If asset ownership has not already been assigned, assign owners to all assets — owners can be individuals or groups within the organization.
Train risk owners on their responsibilities. Everyone who is responsible for an asset is a risk owner who deserves training. If every asset owner’s actions have an impact on the organization, you owe it to each individual to teach them about the risk and ensure they have sufficient context for understanding how it is connected to their job responsibilities. Ultimately, if you are holding people accountable, they have to understand what they are accountable for.
Remember that risk quantification is an iterative process. Every piece of information you glean when quantifying your risks can be fed back into the loop of risk assessment and analysis. Analyze the data you’re collecting throughout this process and don’t be afraid to question or challenge it. Do you need to adjust your asset or threat measurements to obtain more accurate assessments of risk data? Are you finding your Risk Impact Scale is not reflecting business impacts and requires reworking? If so, do it.
Beware of rabbit holes. Don’t spend so much time refining your measurements that you lose sight of the overarching goal of assessing and managing your InfoSec risks. If the data you’re getting from these exercises can’t be quantified or tied back to a meaningful output, this may be a sign you’re missing something — or should be focusing on something else. For example, if you find yourself spending a big portion of time determining ARR for vendors to use as part of your cyber risk calculations, but ARR is not relevant to the risk the vendors represent, then this exercise is not relevant. A vendor that is going through bankruptcy and is having trouble meeting operational needs would be a more relevant thing to focus on.
Finally, utilizing technology enables InfoSec teams to quantify risks with more agility — delivering insights to make more informed decisions, allocate resources more efficiently, and implement targeted risk mitigation strategies sooner. To learn more about how technology can help further jumpstart the process of risk quantification, download the full guide, ITRM: The Promise and Challenges of Risk Quantification, here.