A Method for Quantitative Risk Analysis
Wednesday, 3:30, Lincoln-Roosevelt Room

Author
- James W. Meritt, CISSP, Wang Global

The first, qualitative analysis, is simpler and widely used. Qualitative analysis helps to identify the assets and resources at risk, the vulnerabilities that might allow threats to be realized, and the safeguards already in place and those that could be implemented to reach an acceptable level of risk; it also increases overall awareness. It uses simple calculations and a procedure in which it is not necessary to determine the dollar value of all assets, the threat frequencies, or the implementation costs of the controls. Quantitative analysis does determine these values, and it also identifies the specific envelope within which the losses and safeguards exist. It is based substantially on independent, objective processes and metrics, and it accordingly requires a greater effort in determining the cost values and in performing the calculations. It does, however, present its results in a management-friendly form: monetary values, percentages, and probabilities. Since Office of Management and Budget Circular A-130 no longer requires a full-blown risk analysis, the hybrid model, using a facilitated risk analysis process, is gaining in popularity because of the reduced cost and effort it requires, even though it does not provide the metrics desired for management decisions.

There are two primary methods of risk analysis and one hybrid method:
- Qualitative - Improve awareness of Information Systems security problems and the posture of the system being analyzed.
- Quantitative - Identification of where security controls should be implemented and the cost envelope within which they should be implemented.
- Hybrid method - A selected combination of these two methods can be used to implement the components using available information while minimizing the metrics to be collected and calculated. It is less numerically intensive (and less expensive) than an in-depth exhaustive analysis.
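The abstract describes the quantitative method in terms of dollar values, threat frequencies, control costs, and the cost envelope within which controls are justified. As an added illustration, not part of Meritt's paper or method, the following Python sketch applies the standard annualized loss expectancy (ALE) arithmetic used for that purpose (single loss expectancy = asset value x exposure factor; ALE = SLE x annualized rate of occurrence) to a constructed scenario. Every asset value, exposure factor, rate, and safeguard cost below is an assumption made up for the example, and the `Threat` and `Safeguard` classes are hypothetical names.

```python
# Added example, not from Meritt's paper: the standard annualized loss
# expectancy (ALE) arithmetic behind a quantitative analysis, applied to a
# constructed scenario. Every dollar figure, exposure factor, and rate below
# is an assumption made up for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """One threat acting on one asset, with the three quantitative inputs."""
    name: str
    asset_value: float      # dollar value of the asset at risk (assumed)
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    annual_rate: float      # annualized rate of occurrence (ARO); 0.25 = once in 4 years

    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A control under consideration, with its estimated annual cost and effect."""
    name: str
    annual_cost: float        # amortized yearly implementation plus operating cost
    residual_exposure: float  # exposure factor remaining once the control is in place
    residual_rate: float      # ARO remaining once the control is in place


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE after the safeguard is applied."""
    return threat.asset_value * safeguard.residual_exposure * safeguard.residual_rate


def cost_envelope(threat: Threat, safeguard: Safeguard) -> float:
    """Largest annual spend the risk reduction justifies: ALE before minus ALE after."""
    return threat.ale() - residual_ale(threat, safeguard)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value: risk reduction minus the safeguard's own annual cost.
    Negative means the control costs more per year than the loss it avoids."""
    return cost_envelope(threat, safeguard) - safeguard.annual_cost


def rank_safeguards(threat: Threat, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (name, net value) pairs, best first; a control is justified when value > 0."""
    scored = [(s.name, safeguard_value(threat, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $500k file server, a ransomware event destroying 40%
# of its value, expected about once every four years.
SAMPLE_THREAT = Threat("ransomware on file server", 500_000, 0.40, 0.25)

SAMPLE_SAFEGUARDS = [
    # Offline backups: the event still happens, but only 10% of value is lost.
    Safeguard("offline backups", annual_cost=8_000, residual_exposure=0.10, residual_rate=0.25),
    # Endpoint detection: loss per event unchanged, events five times rarer.
    Safeguard("endpoint detection", annual_cost=30_000, residual_exposure=0.40, residual_rate=0.05),
    # Hardened vault: nearly eliminates loss per event, but costs more than the ALE.
    Safeguard("hardened vault", annual_cost=60_000, residual_exposure=0.02, residual_rate=0.25),
]


if __name__ == "__main__":
    print(f"SLE ${SAMPLE_THREAT.sle():,.0f}  ALE ${SAMPLE_THREAT.ale():,.0f}")
    for name, value in rank_safeguards(SAMPLE_THREAT, SAMPLE_SAFEGUARDS):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:20s} net ${value:>10,.0f}  {verdict}")
```

The `cost_envelope` figure is the upper bound on what a given control is worth per year; the ranking shows why a quantitative analysis can reject a technically strong control (the vault) that a qualitative rating would score highly, and it makes visible how much of the effort goes into estimating the inputs rather than into the arithmetic.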