Purely quantitative risk assessment is hard to achieve because some items are difficult to tie to fixed dollar amounts. Qualitative risk analysis is always possible because it ranks the seriousness of threats and the sensitivity of assets into grades or classes, such as low, medium, and high. Typically this analysis is done for intangible assets, such as the reputation of an enterprise.
Typically it is measured or determined with the techniques below.
- Delphi technique
- Focus groups
- One-on-one meetings
An example of this can be seen in NIST 800-26, a document that uses confidentiality, integrity, and availability as categories of loss and then ranks each loss on a scale of low, medium, and high. The ranking is purely subjective (which is one of the cons of using a qualitative approach):
Let’s take the same example that we considered in quantitative risk analysis.
Case Study: Datacenter
- How likely is it that the data center gets flooded during a natural flood?
- I would rate that as Low likelihood.
- How bad is it if it happens?
- That really depends on a couple of things:
- How badly will it impact Confidentiality?
- How badly will it impact Integrity?
- How badly will it impact Availability?
- Let’s say it is Likely and a Minor issue; that puts the loss in the High-Risk category.
- It is normal to move High and Extreme on to quantitative risk analysis. If mitigation is implemented, we can perhaps move the risk level to “Low” or “Medium”.
An enterprise can opt for one or more of the above methodologies for qualitative risk analysis. One popular mechanism that we shall take a look at is the “Delphi” technique.
Delphi: an approach that conducts an anonymous survey to gather truthful facts. For example, if your company asks its employees to provide feedback on their respective managers, and those responses can easily be seen by the managers as well, imagine what will happen in this case. Will the company be able to gather correct facts?
Can the company ensure that true inputs will be provided by the employees?
The ANSWER would be “NO”. Why? The reason is one “we all know”; let’s not discuss it here 😛
Now imagine another situation, in which the company performs an anonymous survey: there is a high probability of getting realistic data about employee satisfaction.
Hence we need to categorise our intangible assets into the categories mentioned below.
The next question is “HOW”. To understand this, please follow the case study below.
Let’s take another example. Company XYZ is an e-commerce company and has a database consisting of its customer details. Let us assume that, knowingly or unknowingly, we put this database on a publicly available web server. In this case:
our valuable asset = Customer list
Impact = High (because it is Company XYZ’s customer list, which can lead to high potential losses if competitors become aware of your customers)
Probability/Likelihood = High (because this database is publicly exposed, so there is a high chance of occurrence)
Hence “Customer list” will fall into the “High Impact, High Likelihood” bucket.
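The two case studies above (the flooded datacenter and the exposed customer list) worked through in code, as an added example that is not part of the original post: anonymous assessor grades are reduced Delphi-style to a consensus per CIA category, the worst category sets the impact, and an assumed 3x3 likelihood/impact matrix (the post gives none) yields the risk level and the High/Extreme escalation flag. The matrix, the `rate` and `consensus` helpers and all sample scores are constructed for this example.

```python
"""Qualitative risk rating: Delphi-style consensus of anonymous CIA impact and
likelihood grades, mapped onto an assumed likelihood/impact matrix, with
High/Extreme results flagged for quantitative follow-up."""
from statistics import median_high

GRADES = ["Low", "Medium", "High"]  # ordinal scale used for both likelihood and impact

# Assumed matrix: (likelihood, impact) -> risk level. It is impact-weighted, so a
# rare but severe event (the flooded datacenter) still rates High.
MATRIX = {
    ("Low", "Low"): "Low", ("Low", "Medium"): "Medium", ("Low", "High"): "High",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Extreme",
}

def consensus(scores):
    """Delphi-style reduction of anonymous grades: the upper median is the consensus
    (conservative on ties); a spread of two grades means the assessors disagree and
    the question should go back for another survey round."""
    ranks = sorted(GRADES.index(s) for s in scores)
    return GRADES[median_high(ranks)], (ranks[-1] - ranks[0]) >= 2

def rate(asset, likelihood_scores, cia_scores):
    """cia_scores maps 'C'/'I'/'A' to the assessors' impact grades; the overall
    impact is the worst of the three consensus grades."""
    likelihood, redo = consensus(likelihood_scores)
    impacts = {k: consensus(v) for k, v in cia_scores.items()}
    impact = max((g for g, _ in impacts.values()), key=GRADES.index)
    risk = MATRIX[(likelihood, impact)]
    return {
        "asset": asset, "likelihood": likelihood, "impact": impact, "risk": risk,
        "cia": {k: g for k, (g, _) in impacts.items()},
        "needs_another_round": redo or any(r for _, r in impacts.values()),
        "escalate_to_quantitative": risk in ("High", "Extreme"),
    }

# Constructed sample: five anonymous assessors grading the post's two cases.
CUSTOMER_LIST = rate(
    "Customer list on a public web server",
    ["High", "High", "High", "High", "Medium"],
    {"C": ["High"] * 5, "I": ["Medium", "Low", "Medium", "Medium", "Low"], "A": ["Low"] * 5},
)
DATACENTER_FLOOD = rate(
    "Datacenter flooded",
    ["Low", "Low", "Low", "Medium", "Low"],
    {"C": ["Low"] * 5, "I": ["Low"] * 5, "A": ["High", "High", "High", "Medium", "High"]},
)
```

Print `CUSTOMER_LIST` and `DATACENTER_FLOOD` to see the full rating; the customer list lands in the top (Extreme) bucket and the flood case rates High on availability alone, so both are flagged for quantitative follow-up.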