What quantitative risk assessment is not!

Posted on: 19-Nov-2013
Author: cmk
It was yet another day in the warm winter of Mumbai. The sun rose. I woke up. Instinctively, I reached out for my phone. Checked the WhatsApp messages. Yes, all forwards. Checked mail. All newsletters. One newsletter caught my attention (the snapshot that I posted above). It defined quantitative risk assessment. Suddenly I was wide awake. This is a decent enough publication that had aroused enough interest in me to give it my mail ID once. Why were they publishing this? Who wrote it?

Without getting into details, I wanted to write this post to clarify what quantitative risk assessment actually is. To do that, I need to clarify what it is not. So here goes.

The word 'quantitative' seems to imply a numerical value of some kind. Hence, a large population of information risk practitioners believe that any risk assessment with numbers in it is therefore quantitative. This is the root of a deep-rooted misconception. In the definition which I read, likelihood and impact were assigned numeric values (my guess is on a scale of 0 to 1). The likelihood was multiplied by the impact and a quantity called 'risk factor' was obtained.

Now, assigning values on a numeric scale does not make a risk assessment quantitative. Is there any difference between a likelihood rating of {1, 2, 3, 4, 5}, 1 being the lowest and 5 the highest, and a likelihood rating of {Very Low, Low, Moderate, High, Very High}? You can easily equate 1 to Very Low, 2 to Low and so on. The numbers are just labels for ordered categories: a rating of 4 is not twice a rating of 2, so multiplying two such labels gives you another label, not a measurement. All this is QUALITATIVE risk assessment. Any rating on a scale, whether it is number-based or text-based, is qualitative risk assessment. It is not quantitative.

So, what is quantitative risk assessment then? SANS has a very nice article explaining it here (http://www.sans.edu/research/leadership-laboratory/article/risk-assessment). To summarise, quantitative risk assessment is the ability to assign a rupee (or dollar) value to a specific risk.

If you can find out the money that will be lost when the risk materializes, you have done quantitative risk assessment. It is as simple as that. The problem arises when you cannot assign a rupee value to a risk. What, for example, is the loss to me if the website you are reading crashes and you are no longer able to read this post? It is probably nothing, but it could also mean an opportunity loss if one of my dear readers, who would have approached me for business after reading my ramblings, was unable to do so because the website was not reachable! How do I define my risk in that case? Err, let us just say it is 3 - Moderate.
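To make the distinction concrete, here is an added example (my own illustration, not code from the post or from the SANS article it links). It puts the newsletter-style ordinal score side by side with a money-valued loss expectancy. The vocabulary of single loss expectancy (SLE), annual rate of occurrence (ARO) and annualized loss expectancy (ALE) is the standard one from the quantitative-risk literature and is an assumption here, as the post itself never names those terms; every scenario, figure and control cost below is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Five-step ordinal scale from the post. The numbers are labels for ordered
# categories, not quantities: "4" is not twice "2", and 4 x 2 has no unit.
SCALE = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}


def qualitative_risk_factor(likelihood: str, impact: str) -> int:
    """The newsletter-style 'risk factor': likelihood x impact on a 1..5 scale.
    Useful for ranking, but still qualitative: the product has no unit."""
    return SCALE[likelihood] * SCALE[impact]


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with money-valued inputs (rupees here; any currency works).
    Field names follow the usual SLE/ARO vocabulary (an assumption, not from the post)."""
    name: str
    asset_value: float       # money at stake if the asset is lost outright
    exposure_factor: float   # fraction of asset_value lost per occurrence, 0.0..1.0
    annual_rate: float       # expected occurrences per year (ARO)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure_factor must be in [0, 1]")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError(f"{self.name}: asset_value and annual_rate must be >= 0")


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: the money lost each time the risk materialises."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: expected loss per year. Unlike the ordinal score this
    has a unit (rupees per year), so it can be added, compared and budgeted."""
    return single_loss_expectancy(s) * s.annual_rate


def rank_by_ale(scenarios: Iterable[Scenario]) -> List[str]:
    """Scenario names, biggest expected annual loss first."""
    return [s.name for s in sorted(scenarios, key=annualized_loss_expectancy, reverse=True)]


def control_is_worth_it(before: Scenario, after: Scenario, annual_control_cost: float) -> bool:
    """A money-valued result can be set against a control's price tag:
    buy the control only if the ALE it removes exceeds what it costs per year."""
    saved = annualized_loss_expectancy(before) - annualized_loss_expectancy(after)
    return saved > annual_control_cost


# Constructed scenarios (figures invented for illustration). On the ordinal
# scale both score High x Low = Low x High = 8 and look identical ...
WEB_OUTAGE = Scenario("blog unreachable for a day",
                      asset_value=20_000.0, exposure_factor=0.5, annual_rate=2.0)
DB_BREACH = Scenario("customer database leak",
                     asset_value=5_000_000.0, exposure_factor=0.4, annual_rate=0.05)
# ... while in money terms one is five times the other (20,000 vs 100,000 per year).

# A constructed control: monitoring that cuts the breach rate from 0.05 to 0.01 a year.
DB_BREACH_WITH_CONTROL = Scenario("customer database leak (monitored)",
                                  asset_value=5_000_000.0, exposure_factor=0.4, annual_rate=0.01)


if __name__ == "__main__":
    print("ordinal:", qualitative_risk_factor("High", "Low"), qualitative_risk_factor("Low", "High"))
    for s in (WEB_OUTAGE, DB_BREACH):
        print(f"{s.name}: ALE = {annualized_loss_expectancy(s):,.0f} per year")
    print("ranked:", rank_by_ale([WEB_OUTAGE, DB_BREACH]))
    print("control worth 50,000/yr?", control_is_worth_it(DB_BREACH, DB_BREACH_WITH_CONTROL, 50_000.0))
```

The ordinal product ties the two scenarios at 8 and cannot say whether a 50,000-per-year control is a good buy; the ALE figures answer both questions. The catch is the one the post ends on: `Scenario` will refuse an exposure factor outside 0..1, but it cannot conjure an `asset_value` for a loss you are unable to price, and at that point you are back to "3 - Moderate".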