Qualitative and Quantitative Risk Analysis Techniques

Qualitative and Quantitative Risk Analysis Techniques The oxford dictionary defines a risk as a situation involving exposure to danger. In business, an occurrence is said to be risky if it has the probability of an adverse outcome. Others words typically used in association with risks are words such as hazards and threats. In most cases, were mitigation controls are not implemented, a risk could result in the loss of financial or material assets, or more critically, it could lead to loss of life. Organisations therefore need a technique to assist in the identification and classification of risks; hence the relevance of Risk analysis. Risk analysis assists in defining preventive measures to reduce the probability of identified threats occurring. Information Technology (IT) managers are able to add value to organisations by using the principles of risk analysis to ensure that businesses remain existent in the face of a risk. The risk analysis process involves three processes: Hazard identification, Risk assessment and Risk evaluation. Hazard identification is the process of identifying undesired or adverse events that lead to the materialisation of a hazard []. Risk assessment is the process of determining the size and magnitude of a risk. Finally, Risk evaluation is the process of assessing the risk in terms of its significance, gravity, or seriousness. [] Mathematically, the risk equation can be expressed as: Risk = (Impact * Likelihood) or Risk = (Probability * Likelihood) [] Impact measures the level of loss to the organisation. Loss can either be financial or operational and Likelihood measures the probability of feeling the impact. Risk Assessment Methodology Risk assessment is the systematic evaluation of the likelihood of an adverse effect arising from exposure in a defined population. The focus for IT security managers is risk assessment that is geared towards meeting the confidentiality, Integrity and Availability of information resources []. Risk Analysis Techniques Risk analysis techniques can be broken down into two broad methods: Qualitative Risk Analysis and Quantitative Risk Analysis. Regardless of the technique selected by an IT security manager, an understanding of the organisations process assets i.e. how risks were handled in the past, the scope of the project in question and plans that have been put in place to manage risks have to be clearly defined. Qualitative Risk Analysis Qualitative risk analysis involves the use of relative concepts to determine risk exposure [] thereafter, a relative classification system is employed where risks are classified as high, medium or low []. Qualitative risk analysis allows IT managers perform systematic examinations of threats and risks to the organisation. It also provides the opportunity for a review of proposed countermeasures and safeguards to determine the best cost-benefit implementation []. Using this technique requires IT managers to develop a scope plan, assemble a quality team, identify threats and prioritise threats. Advantages of Qualitative Risk Assessment Technique: Ease of calculation: when compared with quantitative technique, performing calculations using a qualitative technique is relatively simple. Monetary value of assets does not need to be determined: to perform a qualitative risk assessment, IT managers dont need to come up with a monetary value assets identified during the initial asset identification phase. It is not necessary to quantify threat frequency: because this technique does not require complex calculations, IT managers do not have to quantify the number of times a certain threat is likely to It is easier to involve non-security and non-technical staff: though it is important to select as risk assessment team members, this technique does not require that selected team members consist solely of technical members. Flexibility in process and reporting Drawback of Qualitative Risk Assessment Techniques Below is a discussion on the drawbacks of qualitative risk assessment techniques Qualitative techniques are subjective in nature- i.e. rather than relying on statistical data or evidence for its results, it is dependent on the quality of the risk management team that created it. The Cost-benefit analysis technique which assists in justifying the need for investing in controls is not used in qualitative risk assessment. It does not differentiate sufficiently between important risks. Attributes of Qualitative Risk Assessments: Qualitative risk assessment techniques offer a relatively faster process when compared with quantitative techniques; its emphasises are on descriptions as against statistical data, as such, teams members need not be overly technical to take part in a qualitative analysis process. In addition, values from a qualitative risk assessment are not actual values. In other words, they are perceived valued. Finally, its findings are simple and expressed in relative terms understandable by non-technical people therefore requiring little or no training before its results can be understood. Qualitative Risk Assessment Tools / Techniques: A number of tools are available for carrying out qualitative risk assessment a few of them are discussed below: Probability and impact matrix: the probability and impact matrix illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective. Risk probability and impact assessment: using this tool involves the risk analysis team rating the projects risks and opportunities []. Ishikawa (Fishbone cause and effects diagrams): the cause and effect diagram can be used to explore all the possible or actual causes (or inputs) that result in a single effect (or output). This tool can be used for identifying areas where there maybe problems and to examine causes of risks. Failure Mode and Effect Analysis (FMEA): the FMEA method starts by considering the risk events and then proceeds to predict all their possible effects in a chart form. [] Quantitative Risk Assessment IT security managers as decision makers are susceptible to biased perception. as such, they require a means of accurately determining risks such that potential risk factors are not overlooked this hence the need for quantitative risk assessments. Quantitative risk analysis generally follows on from the qualitative risk analysis process. It aims to numerically analyse the probability of each risk and its consequence on the project objectives as well as the extent of overall project risk. Quantitative Risk Assessment Techniques In quantitative risk analysis processing, techniques such as Monte Carlo'[] and Bayesian simulations can be employed because they provide indispensible tools to the risk assessment team. These tools assist the team in determining the probability of achieving a specific project objective. They are equally used to quantify the risk exposure for the project and determine the size of cost and schedule contingency reserves that may be needed. Additionally, they identify the risks which require the most attention by quantifying their relative contributions to project risk. Advantages of Quantitative Risk Assessment Using quantitative assessments IT managers are able to present the results of risk assessment in a straight forward manner to support the accounting based presentation of senior managers. [] As results are statistical in nature, it aids in determining whether an expensive safeguard is worth purchasing or not. The process requires the risk assessment team to put great effort into assets value definition and mitigation as a result; its results are based substantially on independently objective processes and metrics. Finally, carrying out a quantitative risk analysis is fairly simple and can easily follow a template type approach. Drawbacks of Quantitative Risk Assessment Calculations involved in quantitative risk assessments are complex and time consuming. Its results are presented in monetary terms only and as such, may be difficult for non-technical people to interpret. The process requires expertise so participants cannot be easily coached through it. Impact values assigned to risks are based on opinions of participants.[] Attributes of Quantitative risk assessment Accuracy of results from quantitative risk assessment tends to increase over time as the organisation builds historic record of data while gaining experience. Results generated from a quantitative assessment are financial in nature, making quantitative techniques useful for cost benefit analysis. Quantitative Risk Assessment Tools Decision Trees Analysis: the decision tree is a useful tool for choosing an option from alternatives. It is used to explore different options and the outcome of selecting a specific option. Sensitivity Analysis: This technique is used to determine the risks which are likely to have the highest impact on the project. In sensitivity analysis, the effect of each risk is examined while keeping all other uncertain elements at baseline values.[] Striking a Balance As already highlighted above, both approaches to risk management have their advantages and disadvantages. Certain situations may call for organisations to adopt the quantitative approach. Conversely, smaller organisations with limited resources will probably find the qualitative approach better fitting. Furthermore, in selecting a risk analysis technique, IT security managers should select a technique that best reflects the needs of the organisation. The decision on which risk analysis technique to use should depend on what the manager is attempting to achieve. It is this suggestion of this paper that an integration of qualitative and quantitative risk analysis techniques be adopted by IT security managers to create a more comprehensive analytical approach. This can be understood as a Hybrid Risk Analysis Approach. Capturing risks and selecting controls are important, however more important is an effective risk assessment process establishing the risk levels. Before an organisation can decide on what to do, it must first identify where and what the risks are. Quantitative risk analysis requires risk identification after which both qualitative and quantitative risk analysis processes can be used separately or together. Consideration of time and budget availability and the need for both types of analysis statements about risk and impact will determine which method(s) to use.[ ]