Introduction
Risk assessment is an essential component of information security management. It entails evaluating individual information technology (IT) threats and assigning them precedence depending on their potential impacts. Stallings and Brown (2018) posit that security assessment enables an organization to identify and evaluate potential vulnerabilities to a specific system. IT security assessment is significant because it helps an institution to establish a robust and efficient safety program. Institutions use numerous approaches to IT security risk assessment. The most common methods are qualitative and quantitative. This paper will discuss the two main methodologies of IT security assessment. It will also identify the most appropriate approach to IT risk evaluation.
Quantitative Assessment
Quantitative assessment is the most basic method of IT security risk evaluation. As the name suggests, this method of assessment uses definite figures, numbers, and percentages to quantify risk. It utilizes statistical methods to compute the likelihood of a specific threat occurring and its potential repercussions. According to Cherdantseva et al. (2016), a quantitative method of risk assessment enables an IT department to understand the financial impacts of probable risk. It can also be used to ascertain the amount of data that could be compromised or lost if the risk materializes. Cherdantseva et al. (2016) aver, “Even though this approach does take into consideration the impact that a risk would have on business operations, it does so through a rigid number-based lens” (p. 11). Organizations use a quantitative method to determine which IT security risks are acceptable or unacceptable depending on their potential outcomes.
The initial stage in quantitative risk assessment entails identifying the essential assets of an organization. As per Cherdantseva et al. (2016), this methodology covers factors like information processing systems, IT equipment, and facilities. It also considers other less-apparent assets like data contained in a system, mobile devices, and the organizational workforce. Once all the essential assets are identified, their absolute value in dollars is computed. It may be hard for security analysts to obtain a precise value of volatile or indefinite assets. Nevertheless, Cherdantseva et al. (2016) assert that an analyst can rely on estimated values. An analyst then matches individual risks with the assets that they are likely to affect. They evaluate the extent of damage that a risk can cause to a particular asset. Feng, Wang, and Li (2014) posit that the possible damage is computed as a percentage. It is then “multiplied by the value of the asset to obtain a dollar amount of loss for that specific risk” (Feng et al., 2014, p. 61). It is imperative to appreciate that quantitative assessment requires a significant amount of data to produce reliable results.
One may wonder what the analysts come up with upon conducting a quantitative risk assessment. After evaluating individual risk scenarios, security analysts compile a report that details the assets that are vulnerable to risks, their level of exposure, and the possible financial impacts of the threats should they occur (Fenz, Heurix, Neubauer, & Pechstein, 2014). This information is invaluable to the management team. It allows the administration to make sound judgments when identifying safeguards and controls to protect different assets. If the cost of safeguarding an organizational asset exceeds the financial implications of probable damage, the institution forgoes implementing the recommended defensive mechanism. The primary disadvantage of the quantitative assessment methodology is that it does not evaluate the impacts of risk on organizational functions. Thus, it is hard to determine how a given threat will affect the productivity of a business.
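The procedure described in the two paragraphs above (value each asset, match risks to assets, express damage as a percentage, multiply by the asset value to obtain a dollar loss, and then compare the loss with the cost of the safeguard) can be carried out as a small calculation. The following Python script is an added illustration written for this paper; it is not code from any of the cited authors. It assumes that the likelihood the quantitative method computes is expressed as expected occurrences per year, so that an expected annual loss can be compared with a yearly safeguard cost; all asset values, damage percentages, likelihoods and safeguard costs in it are constructed sample figures.

```python
"""Worked quantitative IT risk assessment (added example with constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: float  # absolute (or, for volatile assets, estimated) value in dollars


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str                 # the asset this risk is matched to
    damage_fraction: float     # share of the asset value lost if the risk occurs (0.0 to 1.0)
    annual_likelihood: float   # assumption: likelihood as expected occurrences per year
    safeguard_cost_usd: float  # yearly cost of the recommended control


def single_loss(asset: Asset, risk: Risk) -> float:
    """Dollar loss for one occurrence: damage percentage multiplied by asset value."""
    if not 0.0 <= risk.damage_fraction <= 1.0:
        raise ValueError(f"damage fraction out of range for risk '{risk.name}'")
    return asset.value_usd * risk.damage_fraction


def annual_loss(asset: Asset, risk: Risk) -> float:
    """Expected yearly loss: single-occurrence loss scaled by the annual likelihood."""
    return single_loss(asset, risk) * risk.annual_likelihood


def assess(assets: list[Asset], risks: list[Risk]) -> list[dict]:
    """Build the report: exposure per asset, dollar impact, and the safeguard decision.

    A safeguard is recommended only when its yearly cost does not exceed the
    expected yearly loss it prevents; otherwise the organization forgoes it.
    Rows are sorted by expected annual loss so the largest exposures come first.
    """
    by_name = {a.name: a for a in assets}
    report = []
    for risk in risks:
        if risk.asset not in by_name:
            raise KeyError(f"risk '{risk.name}' refers to unknown asset '{risk.asset}'")
        asset = by_name[risk.asset]
        sle = single_loss(asset, risk)
        ale = annual_loss(asset, risk)
        report.append({
            "risk": risk.name,
            "asset": asset.name,
            "exposure_pct": risk.damage_fraction * 100,
            "single_loss_usd": round(sle, 2),
            "annual_loss_usd": round(ale, 2),
            "safeguard_cost_usd": risk.safeguard_cost_usd,
            "implement_safeguard": risk.safeguard_cost_usd <= ale,
        })
    return sorted(report, key=lambda row: row["annual_loss_usd"], reverse=True)


def total_annual_exposure(report: list[dict]) -> float:
    """Sum of expected yearly losses across all assessed risks."""
    return round(sum(row["annual_loss_usd"] for row in report), 2)


# Constructed sample inventory and risk register (not real figures).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000.0),
    Asset("web server", 80_000.0),
    Asset("laptop fleet", 120_000.0),
]
SAMPLE_RISKS = [
    Risk("ransomware on customer database", "customer database", 0.60, 0.2, 40_000.0),
    Risk("web server hardware failure", "web server", 1.00, 0.1, 12_000.0),
    Risk("laptop theft", "laptop fleet", 0.05, 2.0, 5_000.0),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_ASSETS, SAMPLE_RISKS)
    for row in rows:
        decision = "implement" if row["implement_safeguard"] else "forgo"
        print(f"{row['risk']:<34} exposure {row['exposure_pct']:>5.1f}%  "
              f"loss/event ${row['single_loss_usd']:>10,.2f}  "
              f"expected/yr ${row['annual_loss_usd']:>9,.2f}  "
              f"safeguard ${row['safeguard_cost_usd']:>9,.2f} -> {decision}")
    print(f"total expected annual exposure: ${total_annual_exposure(rows):,.2f}")
```

With the constructed figures, the web server failure has the largest loss per event in its asset class but a low likelihood, so its expected yearly loss falls below the safeguard cost and the control is forgone, whereas the cheap laptop control is kept because thefts are frequent. The report deliberately says nothing about how an outage would affect staff productivity or reputation, which is exactly the gap the paper attributes to the quantitative method.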
Qualitative Assessment
The second method of IT security assessment relies on qualitative information. This methodology does not require quantitative values like percentages and numbers. Instead, it seeks to determine how a given risk might affect employees or organizational performance. Fenz et al. (2014) argue that the qualitative method of risk assessment is quite subjective because it depends on the views of varied stakeholders. It is imperative to appreciate that this assessment method is descriptive and difficult to quantify. Qualitative risk assessment is mostly used in areas where it is hard to establish a numerical value of risk. Shameli-Sendi, Aghababaei-Barzegar, and Cheriet (2016) contend that qualitative risk assessment is easier to implement than quantitative security evaluation. Nevertheless, the methodology is less accurate. It entails assembling a team comprising representatives from different departments within an organization. The team identifies the possible risks that might affect their divisions and their likely impacts. Instead of focusing on the financial implications of a threat, qualitative risk evaluation seeks to understand how an event would influence productivity. For instance, when examining the threat posed to a company’s server, an analyst may determine how the productivity of a given workforce might be affected if employees cannot access the necessary applications.
Qualitative risk assessment methodology yields a report that details the probable impacts of a particular security threat. The information does not outline the quantifiable financial effects of a security risk (Shameli-Sendi et al., 2016). Instead, it documents the possible business divisions that might be affected by the risk and their apparent loss in terms of productivity. Moreover, qualitative assessment gives information regarding the impacts of the given risk on public relations and organizational reputation.
The Best Methodology
A company’s reputation, functions, and public relations are critical to its success. Thus, it is imperative to use a risk assessment methodology that pays attention to these three elements. Qualitative risk assessment is the best security evaluation strategy for any organization. The quantitative assessment gives quantifiable information regarding a particular risk, but the method fails to consider unquantifiable parameters that are critical to organizational development. Qualitative assessment is comprehensive because it considers the performance of the entire organization. Moreover, it enables a security analyst to understand the potential impacts of a risk on a company’s reputation and public relations. A firm’s reputation and public relations dictate its economic performance because they determine whether customers will buy from the business. An assessment method that only considers the financial risks fails to appreciate that a business cannot make significant returns without improving its public image and performance. Qualitative assessment is superior because it evaluates factors that contribute to the general performance of an organization.
Conclusion
Information technology exposes organizations to risks that might have devastating impacts on their performance. Therefore, it is imperative to evaluate potential risks and take the appropriate measures. Organizations use quantitative and qualitative assessment methodologies to assess IT security risks. The quantitative methodology judges risk using measurable parameters. On the other hand, the qualitative approach uses immeasurable factors such as business reputation and performance. The quantitative assessment method is criticized for failing to consider essential factors like business functions. Even though the qualitative approach is considered subjective, it is the best method of assessing IT risks because it considers factors that are most valuable to an organization.
References
Cherdantseva, Y., Burnap, P., Blyth, A., Eden, P., Jones, K., Soulsby, H., & Stoddart, K. (2016). A review of cybersecurity risk assessment methods for SCADA systems. Computers & Security, 56(1), 1-27.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256(1), 57-73.
Fenz, S., Heurix, J., Neubauer, T., & Pechstein, F. (2014). Current challenges in information security risk management. Information Management & Computer Security, 22(5), 410-430.
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57(1), 14-30.
Stallings, W., & Brown, L. (2018). Computer security: Principles and practice (4th ed.). Upper Saddle River, NJ: Pearson Education Inc.