In an increasingly volatile, uncertain, complex, and ambiguous (VUCA) world, risks are integral to the business landscape. To navigate this landscape, you must adopt effective risk management strategies involving risk identification, assessment, cataloging, and treatment. In other words, you must take the time to address risk as a business issue and not treat it as something that can be ignored. You must bring together all components of the organization around continuously identifying risks within processes, technologies, practices, etc., and addressing them in a way that makes sense for your organization.
A critical part of this ongoing process is risk analysis. While there are several methods for approaching risk analysis, quantitative risk analysis stands out as it is both precise and objective. But what exactly is quantitative risk analysis and why is it so important? I’ll cover these questions and more in this blog post.
Quantitative risk analysis is a statistical technique for understanding financial uncertainty or risk in a project or business venture. It uses numerical values and complex data to determine the probability of a specific event and the potential impact that event could have on the organization.
This method involves collecting data about specific, measurable quantities of risk using mathematical models and simulations to analyze them. From there, you can forecast the probability of various outcomes, including the best-case and worst-case scenarios.
The following flow chart provides a helpful example. As explained by the Factor Analysis of Information Risk (FAIR) Institute, the financial value you assign to a specific risk depends on the loss event frequency, which is the time frame during which someone like a cyber threat actor (CTA) could affect an identified asset, and the loss magnitude, which encapsulates the losses that could stem from the loss event. Loss event frequency breaks down even further into threat event frequency, which is the number of attempts a CTA could make against an asset, and vulnerability, which represents the percentage of threat events that turn into loss events. Similarly, loss magnitude breaks down into primary losses (such as productivity declines, the cost of replacements, and response times) and secondary losses (such as missed competitive advantages, reputational damages, and fines/judgments).
(Source: FAIR Institute)
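The decomposition above is easiest to see when it is carried through numerically. The following is an added example, not code from CIS or the FAIR Institute: a small Monte Carlo simulation that samples threat event frequency, vulnerability, primary loss, and secondary loss from min / most-likely / max estimates (assumed here to be triangular distributions), turns each threat event into a loss event with probability equal to the sampled vulnerability, and sums the per-event losses into an annual loss figure. The scenario figures, the `Estimate` and `FairScenario` names, and the summary statistics are all constructed for illustration.

```python
"""Monte Carlo estimate of annualized loss exposure using the FAIR decomposition.

Added example (not the FAIR Institute's or CIS's code). Assumptions:
  * each min / most-likely / max estimate is sampled from a triangular distribution
  * loss event frequency = threat event frequency x vulnerability, realized as an
    independent Bernoulli trial per threat event
  * loss magnitude per loss event = primary loss + secondary loss
All input figures below are constructed for illustration only.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate (triangular distribution)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) and returns low when low == high.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class FairScenario:
    threat_event_frequency: Estimate   # threat events per year
    vulnerability: Estimate            # fraction of threat events that become loss events
    primary_loss: Estimate             # cost per loss event (response, replacement, ...)
    secondary_loss: Estimate           # cost per loss event (fines, reputation, ...)


def simulate_year(scenario: FairScenario, rng: random.Random) -> float:
    """Simulate one year: how many threat events become loss events, and what they cost."""
    attempts = int(round(scenario.threat_event_frequency.sample(rng)))
    vuln = min(max(scenario.vulnerability.sample(rng), 0.0), 1.0)
    total = 0.0
    for _ in range(attempts):
        if rng.random() < vuln:  # this threat event turned into a loss event
            total += scenario.primary_loss.sample(rng)
            total += scenario.secondary_loss.sample(rng)
    return total


def percentile(sorted_values: List[float], p: float) -> float:
    """Nearest-rank percentile on an already sorted list (p in [0, 1])."""
    idx = int(round(p * (len(sorted_values) - 1)))
    return sorted_values[idx]


def annualized_loss_exposure(scenario: FairScenario, years: int = 10_000,
                             seed: int = 7) -> Dict[str, float]:
    """Run the simulation for many independent years and summarize the loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenario, rng) for _ in range(years))
    return {
        "mean": sum(losses) / years,  # annualized loss expectancy
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": losses[-1],
    }


# Constructed scenario: credential phishing against a finance team (illustrative figures).
EXAMPLE = FairScenario(
    threat_event_frequency=Estimate(2, 6, 20),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(20_000, 75_000, 250_000),
    secondary_loss=Estimate(0, 30_000, 500_000),
)

if __name__ == "__main__":
    for name, value in annualized_loss_exposure(EXAMPLE).items():
        print(f"{name:>5}: ${value:,.0f}")
```

The mean of the simulated annual losses is the annualized loss expectancy; the 90th and 95th percentiles give the worst-case figures that are useful for sizing contingency reserves or for comparing against the cost of a proposed control. Replacing a single-point guess with a calibrated range for each input is what turns the qualitative "high / medium / low" rating into a defensible number.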
Below are some general benefits of using quantitative risk analysis in your organization:
Unlike qualitative risk analysis, which uses judgments, intuition, and ordinal scales (e.g., high, medium, low), quantitative analysis relies on empirical assessments to provide specific numeric values associated with risk. It's about fostering consistency around numbers and complex data. Build up your capability in FAIR analysis incrementally and use it to continuously assess your internal capability: start with a major risk, take its existing qualitative assessment, and translate that assessment into quantitative terms. As you build competency and your organization understands the approach, the process itself becomes simpler, and you can then take on more complex risks.
Quantitative risk analysis eliminates ambiguity and facilitates more objective decision-making by providing a clear, numeric picture of the risk landscape. It reduces the element of subjective bias that can be associated with qualitative methods, leading to more rational and robust decisions.
Quantitative risk analysis assists in prioritizing risks based on their potential impact on your organization's objectives. Quantifying risks enables you to focus your resources on the most significant risks first, ensuring a more efficient and effective risk management strategy.
This method also assists in financial planning by quantifying the potential impact of risks. It can help determine the contingency reserves needed for identified risks and supports cost-benefit analysis for proposed risk mitigation strategies.
Quantitative risk analysis provides a common language of 'numbers' that enhances stakeholder communication. It allows for clear, precise communication about risks and their potential impacts, which can help gain stakeholder buy-in for necessary risk management actions. Numbers are the first domino in securing that buy-in; they are followed by the assessment of the risk and factual statements about how the risk will be treated. If you address specific risks early, you will help to ensure a greater return on treating the risk. The numbers are therefore the opening line for organizational review.
Finally, quantitative risk analysis supports continuous risk monitoring by providing a baseline for comparison as new data emerges. This can help you to identify trends, track risk mitigation effectiveness, and support adjustments to risk management strategies as needed.
As discussed above, you can revolutionize the way your organization measures and addresses risk by embracing quantitative risk analysis. You just might not know how to get started.
CIS SecureSuite can help you. It provides you with benefits, resources, and tools that you can use to plan out and build upon your implementation of security best practices, including the CIS Critical Security Controls (CIS Controls). The same goes for your use of the CIS Risk Assessment Method (CIS RAM) v2.1, a free tool which enables anyone to evaluate their cybersecurity posture against the CIS Controls using quantitative risk analysis.
Take the pro version of our CIS Controls Self Assessment Tool (CIS CSAT Pro) as an example. Using this Membership benefit, you can plan out which CIS Controls and CIS Safeguards you want to implement in support of your security requirements. You can then refer to CIS RAM v2.1 to understand how the security measures you’ve identified will help to manage the underlying risk you’re seeking to address. (In doing so, you’ll create documentation that you can use to demonstrate that you took “due care” around your risks.) From there, you can return to CIS CSAT Pro and use it to plan out implementation efforts, assign tasks to your team members, track their progress, and plan for the next round of implementation – all the while guided by the quantitative risk analysis inputs of CIS RAM v2.1.
Want more information about CIS RAM v2.1? Our below provides an even closer look at how it can help you demonstrate reasonableness.
In the realm of risk management, quantitative risk analysis offers an objective, data-driven tool for understanding, prioritizing, and managing risk. By leveraging this approach, you can deepen your knowledge of your risk landscape, make more informed decisions, and ultimately enhance your resilience in uncertainty.
Even so, it’s worth noting that quantitative risk analysis does not replace qualitative risk analysis but rather complements it. When used together, both provide a comprehensive view of your organization's risk environment, offering a solid foundation for effective risk management. In an uncertain world, this comprehensive approach to risk analysis is not just a luxury but a necessity.
In the next blog post, I will take a closer look at the FAIR risk analysis method and how you can use it to change the way your organization sees risk.
Want greater context for your risk analysis program? Check out our previous blog posts:
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) implementation from 2007 to 2014, and his last role and responsibility was as the Internal Control, Risk and Information Security Manager.
Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.
In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.