Cyber Security

Luke Hally

Quantitative vs qualitative

June 11, 2023

Continuing on from our recent presentation to make a case for advanced cyber risk monitoring, RideWell’s management team would like your view and recommendation on whether a qualitative or quantitative risk assessment method would be the best option to help evaluate cyber risks within RideWell in the short term and why.

Task

Prepare a memo to senior management team for review.

Memo

To: Executive team

From: Manager of Cybersecurity

Date: 11th June 2023

Subject: Risk assessment methodologies

Following our decision to implement advanced cyber-risk monitoring, senior management requested a review of quantitative and qualitative risk assessment methodologies: the differences between the two; which is more resource intensive; pros and cons of each; and their accuracy. This memo provides this review and concludes with a recommendation on which approach suits us at RideWell.

Qualitative assessment is an intuitive approach which places risks into natural language categories (Refsdal et al., 2015, p. 112), such as low, medium and high (Vellani, 2021, p. 112). These categories and the supporting matrices are defined by the organisation, and although they are less accurate than quantitative methods, they are significantly less laborious to implement (Vellani, 2021, p. 138), enabling the identification of risks in a shorter period and at lower expense (Chang Lee, 2014, p. 30). These factors make it well suited to organisations such as ours, which are new to risk management and may have insufficient data to inform quantitative analysis (Wheeler, 2011).

However, the lack of precision can lead to subjective results that depend on the people undertaking the assessment (Vellani, 2021, p. 112), making comparisons and cost-benefit analysis more challenging and less precise than with quantitative methods (Chang Lee, 2014, p. 30).

Quantitative assessments assign numerical values to risks, based on probabilities and asset values, which may include replacement cost and lost productivity (Vellani, 2021, p. 137) as well as intangibles such as reputation. Their rigour and precision allow comparison and prioritisation of risks, as well as cost-benefit analysis of controls. The results are objective and repeatable (Vellani, 2021, p. 138), removing dependency on particular staff members and allowing comparison of results between risks and from one period to the next.

However, the time and effort to yield a result can be substantial, requiring resources from across the organisation and taking up to a year to complete an assessment (Vellani, 2021, p. 138). While the use of data is a strength, generating precise results, it is also a shortcoming: data may be non-existent, incomplete or inaccurate, which will negatively affect results. Security risks are notoriously hard to measure quantitatively (Vellani, 2021, p. 113), and because we lack a mature risk management function, even if we had the data we have not had the expertise to make use of it.

I am requesting that you review this memo and provide me with a decision on the risk assessment methodology you wish to apply at RideWell.

I recommend that we adopt a qualitative approach to risk assessment, with a view to moving to a quantitative one as we mature and build our data set. Considering the culture of our organisation and our lack of risk management maturity, if we were to try to implement a quantitative approach now it would be overwhelming for many of our staff and have a high chance of stalling (Wheeler, 2011). Even if we did complete the lengthy assessment, the result, while precise, would likely be nonsensical because of our lack of accurate data.

As outlined, qualitative assessment suits organisations such as ours; quantitative assessment also often requires qualitative enrichment (Chang Lee, 2014, p. 30; Vellani, 2021, p. 138), further supporting the recommendation to start with a qualitative approach. To do this, we need to define three scales (Refsdal et al., 2015): a consequence scale (e.g. insignificant, minor, moderate, major, catastrophic); a likelihood scale (e.g. rare, unlikely, possible, likely, certain); and a risk level scale (e.g. low risk, medium risk, high risk) (Wheeler, 2011). This will provide some rigour and help overcome the subjectivity of a qualitative approach, giving us the ability to understand our risks, identify the areas of highest risk and allocate resources accordingly.

Defining these scales would be an early task for our cybersecurity fusion team, recently established to support our move to an advanced cyber-risk monitoring regime. I also recommend creating a risk register so that we can begin gathering accurate data to support our maturation, preparing for a move to a more accurate quantitative approach when we are ready to do so.
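To make the recommendation concrete, the following is an added worked example (not part of the memo or RideWell's tooling) of a risk register built on the three scales above. The scale labels are the memo's; the risk matrix cell values, the choice of annualised loss expectancy (ALE = SLE x ARO) as the quantitative model, and the sample register entries are all constructed assumptions. The example also shows how the same register can be enriched with quantitative fields as data is gathered, and how missing data is surfaced as a gap rather than turned into a misleading number, which is the shortcoming of quantitative assessment noted earlier.

```python
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scales, using the memo's example labels, ordered least to most severe.
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
RISK_LEVEL = ["low", "medium", "high"]

# Risk matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE. The cell
# values are an assumed organisational choice; the memo leaves defining them
# to the fusion team, and any 5x5 table of RISK_LEVEL labels works here.
MATRIX = [
    # insignificant minor   moderate  major     catastrophic
    ["low",    "low",    "low",    "medium", "medium"],  # rare
    ["low",    "low",    "medium", "medium", "high"],    # unlikely
    ["low",    "medium", "medium", "high",   "high"],    # possible
    ["medium", "medium", "high",   "high",   "high"],    # likely
    ["medium", "high",   "high",   "high",   "high"],    # certain
]


def risk_level(likelihood: str, consequence: str) -> str:
    """Look up the risk level for a (likelihood, consequence) pair.

    Labels outside the defined scales raise ValueError, so a register entry
    that uses ad-hoc wording is rejected instead of being silently ranked.
    """
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass
class Risk:
    """One risk register entry. The qualitative fields are mandatory; the
    quantitative ones stay None until real data has been gathered."""
    name: str
    likelihood: str
    consequence: str
    single_loss_expectancy: Optional[float] = None     # cost of one occurrence
    annual_rate_of_occurrence: Optional[float] = None  # expected occurrences per year

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


def qualitative_rank(register: List[Risk]) -> List[Risk]:
    """Order the register for resource allocation: highest risk level first,
    ties broken by likelihood and then by consequence."""
    def key(r: Risk):
        return (RISK_LEVEL.index(r.level),
                LIKELIHOOD.index(r.likelihood),
                CONSEQUENCE.index(r.consequence))
    return sorted(register, key=key, reverse=True)


def annualised_loss_expectancy(risk: Risk) -> Optional[float]:
    """Quantitative enrichment using the standard ALE = SLE x ARO formula (an
    assumed model choice; the memo only speaks of probabilities and asset
    values). Returns None when either input is missing, so incomplete data
    shows up as a gap rather than as a confident-looking figure."""
    if risk.single_loss_expectancy is None or risk.annual_rate_of_occurrence is None:
        return None
    return risk.single_loss_expectancy * risk.annual_rate_of_occurrence


def quantitative_coverage(register: List[Risk]) -> float:
    """Fraction of entries with enough data to compute ALE: a simple readiness
    indicator for the move from qualitative to quantitative assessment."""
    if not register:
        return 0.0
    complete = sum(1 for r in register if annualised_loss_expectancy(r) is not None)
    return complete / len(register)


# Constructed sample register (illustrative entries, not RideWell data).
SAMPLE_REGISTER = [
    Risk("Phishing leading to credential theft", "likely", "major", 25_000.0, 2.0),
    Risk("Ransomware on a production system", "possible", "catastrophic"),
    Risk("Laptop lost in transit", "possible", "minor", 3_000.0, 1.5),
    Risk("Data-centre power outage", "rare", "moderate"),
]

if __name__ == "__main__":
    for r in qualitative_rank(SAMPLE_REGISTER):
        ale = annualised_loss_expectancy(r)
        ale_text = f"{ale:,.0f}" if ale is not None else "no data"
        print(f"{r.level:<6} {r.likelihood:<9} {r.consequence:<13} ALE {ale_text:>9}  {r.name}")
    print(f"Quantitative coverage: {quantitative_coverage(SAMPLE_REGISTER):.0%}")
```

Run as a script, the ranked output puts the two "high" entries first for resource allocation, and the coverage figure (50% for the sample data) gives management a measurable trigger for when a quantitative pass becomes worthwhile rather than premature.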

Thank you for taking the time to review this comparison. Your prompt response will help us move forward in implementing our recently agreed advanced cyber-risk monitoring regime. If you have any questions, please contact me.

References

Allen, G., & Derr, R. (2015). Threat assessment and risk analysis: An applied approach. Butterworth-Heinemann.

Chang Lee, M.-C. (2014). Information security risk analysis methods and research trends: AHP and fuzzy comprehensive method. International Journal of Computer Science and Information Technology, 6(1), 29–45. https://doi.org/10.5121/ijcsit.2014.6103

Refsdal, A., Solhaug, B., & Stølen, K. (2015). Cyber-Risk management. Springer.

Vellani, K. (2021). Strategic security management: A risk assessment guide for decision makers (2nd ed.). CRC Press.

Wheeler, E. (2011). Security risk management: Building an information security risk management program from the ground up. Elsevier.
