Tuesday, June 4, 2019

Qualitative and Quantitative Risk Analysis Techniques

The Oxford dictionary defines a risk as a situation involving exposure to danger. In business, an incident is said to be risky if it has the probability of an adverse outcome. Other words typically used in association with risks are hazards and threats.

In most cases where mitigation controls are not implemented, a risk could result in the loss of financial or material assets or, more critically, it could lead to loss of life. Organisations therefore need a technique to aid in the identification and classification of risks, hence the relevance of risk analysis.

Risk analysis assists in defining preventive measures to reduce the probability of identified threats occurring. Information Technology (IT) managers are able to add value to organisations by using the principles of risk analysis to ensure that businesses remain in existence in the face of a risk.

The risk analysis process involves three processes: hazard identification, risk assessment and risk evaluation. Hazard identification is the process of identifying undesired or adverse events that lead to the materialisation of a hazard. Risk assessment is the process of determining the size and magnitude of a risk. Finally, risk evaluation is the process of assessing the risk in terms of its significance, gravity, or seriousness. Mathematically, the risk equation can be expressed as

Risk = (Impact * Likelihood) or
Risk = (Probability * Likelihood)

Impact measures the level of loss to the organisation. Loss can be either financial or operational. Likelihood measures the probability of experiencing the impact.

Risk Assessment Methodology

Risk assessment is the systematic evaluation of the likelihood of an adverse effect arising from exposure in a defined population.
The focus for IT security managers is risk assessment that is geared towards meeting the confidentiality, integrity and availability of information resources.

Risk Analysis Techniques

Risk analysis techniques can be broken down into two broad methods: qualitative risk analysis and quantitative risk analysis. Regardless of the technique selected by an IT security manager, the organisation's process assets (i.e. how risks were handled in the past), the scope of the project in question and the plans that have been put in place to manage risks have to be clearly understood and defined.

Qualitative Risk Analysis

Qualitative risk analysis involves the use of relative concepts to determine risk exposure; thereafter, a relative classification system is employed in which risks are classified as high, medium or low. Qualitative risk analysis allows IT managers to perform systematic examinations of threats and risks to the organisation. It also provides the opportunity for a review of proposed countermeasures and safeguards to determine the best cost-benefit implementation.

Using this technique requires IT managers to develop a scope plan, assemble a quality team, identify threats and prioritise threats.

Advantages of Qualitative Risk Assessment Technique

Ease of calculation: when compared with the quantitative technique, performing calculations using a qualitative technique is relatively simple.

Monetary value of assets does not need to be determined: to perform a qualitative risk assessment, IT managers don't need to come up with a monetary value for assets identified during the initial asset identification phase.

It is not necessary to quantify threat frequency: because this technique does not require complex calculations, IT managers do not have to quantify the number of times a certain threat is likely to

It is easier to involve non-security and non-technical staff: although the selection of risk assessment team members is important, this technique does not require that selected team members consist solely of technical members.

Flexibility in process and reporting.

Drawbacks of Qualitative Risk Assessment Techniques

Below is a discussion of the drawbacks of qualitative risk assessment techniques.

Qualitative techniques are subjective in nature: rather than relying on statistical data or evidence for its results, a qualitative assessment is dependent on the quality of the risk management team that created it.

The cost-benefit analysis technique, which assists in justifying the need for investing in controls, is not used in qualitative risk assessment.

It does not differentiate sufficiently between important risks.

Attributes of Qualitative Risk Assessments

Qualitative risk assessment techniques offer a relatively faster process when compared with quantitative techniques. Their emphasis is on descriptions as against statistical data; as such, team members need not be overly technical to take part in a qualitative analysis process.

In addition, values from a qualitative risk assessment are not actual values. In other words, they are perceived values. Finally, its findings are simple and expressed in relative terms understandable by non-technical people, therefore requiring little or no training before its results can be understood.

Qualitative Risk Assessment Tools / Techniques

A number of tools are available for carrying out qualitative risk assessment; some of them are discussed below.

Probability and impact matrix: the probability and impact matrix illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and its impact upon objectives.

Risk probability and impact assessment: using this tool involves the risk analysis team rating the project's risks and opportunities.

Ishikawa (fishbone) cause and effect diagrams: the cause and effect diagram can be used to look for all the possible or actual causes (or inputs) that result in a single effect (or output).
This tool can be used for identifying areas where there may be problems and to examine causes of risks.

Failure Mode and Effect Analysis (FMEA): the FMEA method starts by considering the risk events and then proceeds to predict all their possible effects in chart form.

Quantitative Risk Assessment

IT security managers, as decision makers, are susceptible to biased perception. As such, they require a means of accurately determining risks such that potential risk factors are not overlooked; hence the need for quantitative risk assessments.

Quantitative risk analysis generally follows on from the qualitative risk analysis process. It aims to numerically analyse the probability of each risk and its consequence on the project objectives, as well as the extent of overall project risk.

Quantitative Risk Assessment Techniques

In quantitative risk analysis, techniques such as Monte Carlo and Bayesian simulations can be employed because they provide indispensable tools to the risk assessment team.

These tools assist the team in determining the probability of achieving a specific project objective. They are equally used to quantify the risk exposure for the project and determine the size of cost and schedule contingency reserves that may be needed. Additionally, they identify the risks which require the most attention by quantifying their relative contributions to project risk.

Advantages of Quantitative Risk Assessment

Using quantitative assessments, IT managers are able to present the results of risk assessment in a straightforward manner to support the accounting-based presentation of senior managers. As results are statistical in nature, they aid in determining whether an expensive safeguard is worth purchasing or not.
The process requires the risk assessment team to put great effort into asset value definition and mitigation; as a result, its results are based substantially on independently objective processes and metrics.

Finally, carrying out a quantitative risk analysis is fairly simple and can easily follow a template-type approach.

Drawbacks of Quantitative Risk Assessment

Calculations involved in quantitative risk assessments are complex and time consuming.

Its results are presented in monetary terms only and, as such, may be difficult for non-technical people to interpret.

The process requires expertise, so participants cannot be easily coached through it.

Impact values assigned to risks are based on the opinions of participants.

Attributes of Quantitative Risk Assessment

The accuracy of results from quantitative risk assessment tends to increase over time as the organisation builds a historic record of data while gaining experience. Results generated from a quantitative assessment are financial in nature, making quantitative techniques usable for cost-benefit analysis.

Quantitative Risk Assessment Tools

Decision tree analysis: the decision tree is a useful tool for choosing an option from alternatives. It is used to explore different options and the outcome of selecting a specific option.

Sensitivity analysis: this technique is used to determine the risks which are likely to have the highest impact on the project. In sensitivity analysis, the effect of each risk is examined while keeping all other uncertain elements at baseline values.

Striking a Balance

As already highlighted above, both approaches to risk management have their advantages and disadvantages. Certain situations may call for organisations to adopt the quantitative approach.
Conversely, smaller organisations with limited resources will probably find the qualitative approach better fitting.

Furthermore, in selecting a risk analysis technique, IT security managers should select a technique that best reflects the needs of the organisation. The decision on which risk analysis technique to use should depend on what the manager is attempting to achieve.

It is the suggestion of this paper that an integration of qualitative and quantitative risk analysis techniques be adopted by IT security managers to create a more comprehensive analytical approach. This can be understood as a Hybrid Risk Analysis Approach.

Capturing risks and selecting controls are important; however, more important is an effective risk assessment process establishing the risk levels. Before an organisation can decide on what to do, it must first identify where and what the risks are. Quantitative risk analysis requires risk identification, after which both qualitative and quantitative risk analysis processes can be used separately or together. Consideration of time and budget availability, and the need for both types of analysis statements about risk and impact, will determine which method(s) to use.
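
The Monte Carlo technique named under Quantitative Risk Assessment Techniques, worked through as an added example (not part of the original paper): it simulates yearly losses to quantify risk exposure, size a contingency reserve, and rank each risk's relative contribution. The risk register, the triangular loss model and the choice of the 80th-percentile loss as the reserve are all constructed assumptions.

```python
import random

# Constructed risk register (illustrative values, not from the paper):
# name, yearly probability of occurrence, (min, most likely, max) loss.
RISKS = [
    ("ransomware outage",      0.10, (200_000, 500_000, 2_000_000)),
    ("laptop theft",           0.60, (2_000, 5_000, 20_000)),
    ("cloud misconfiguration", 0.25, (20_000, 80_000, 400_000)),
    ("insider data leak",      0.05, (50_000, 150_000, 900_000)),
]

def simulate(risks, trials, seed):
    """Return the total loss of every simulated year and the summed loss per risk."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    totals = []
    per_risk = {name: 0.0 for name, _, _ in risks}
    for _ in range(trials):
        year_total = 0.0
        for name, prob, (low, mode, high) in risks:
            if rng.random() < prob:                      # likelihood: event occurs
                loss = rng.triangular(low, high, mode)   # impact: sampled loss
                per_risk[name] += loss
                year_total += loss
        totals.append(year_total)
    return totals, per_risk

def summarise(risks=RISKS, trials=20_000, seed=1, confidence=0.80):
    """Expected loss, contingency reserve and each risk's share of total loss."""
    totals, per_risk = simulate(risks, trials, seed)
    expected = sum(totals) / trials
    # Assumption: the reserve is the loss not exceeded in `confidence` of the years.
    reserve = sorted(totals)[int(confidence * trials) - 1]
    grand_total = sum(per_risk.values())
    shares = {name: loss / grand_total for name, loss in per_risk.items()}
    return {"expected_loss": expected, "reserve": reserve, "shares": shares}

if __name__ == "__main__":
    result = summarise()
    print(f"expected yearly loss: {result['expected_loss']:,.0f}")
    print(f"80% contingency reserve: {result['reserve']:,.0f}")
    for name, share in sorted(result["shares"].items(), key=lambda kv: -kv[1]):
        print(f"{name:24s} {share:6.1%}")
```

The most likely event in this register (laptop theft) contributes the smallest share of loss, and the reserve sits well above the expected loss, which is the kind of distinction a high/medium/low rating cannot express.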
