Cyber Risk Management: Qualitative vs. Quantitative Approaches

17 September, 2025


Introduction to cyber risk management

Every organization carries some inherent risk simply by operating. Since business risk cannot be eliminated entirely, risk management must be in place to reduce it to an acceptable level.

As most organizations go through digital transformation to gain competitive advantage in their markets, additional risk is inevitably introduced and accumulates across the whole spectrum of operations.

Risks that could compromise the confidentiality, integrity or availability of sensitive information, products and services are categorized as cybersecurity risks, commonly referred to as cyber risks (for example, the risks identified through a UAE IA Standards assessment).

Organizations can manage these cyber risks in a structured way using either a qualitative or a quantitative approach. Below we look at what each approach involves, list its benefits and limitations, and consider which is best suited to a given organization.

Qualitative approach

Today, most organizations use the qualitative approach to manage cyber risks. In this approach, ordinal rating scales (e.g., Low to High, or 1 to 3) are used to rate the impact on the organization if the risk materializes and the likelihood that it does. The product of the two ratings places the risk in a cell of a likelihood-versus-impact matrix, and that cell gives the severity, or rating, of the risk.

The ratings are presented as a heat map (Figure 1), which is easy for stakeholders and senior management to follow and supports decision making on risk response. Qualitative risk analysis is best approached as a sequence of smaller steps:

  • Identify risks
  • Analyse impact and likelihood
  • Treat risks
  • Review and monitor

A common misconception is that this is a quantitative approach, because predefined numbers are used for the scales and for the impact and likelihood statements. Those numbers are ordinal labels: a rating of 2 is not twice a rating of 1, and the product of two ratings is a position on the heat map, not a measured quantity. The quantitative approach is different and is discussed in detail later.

Figure 1: Sample qualitative risk heat map

There are some advantages and disadvantages of the qualitative approach to cyber risk management which we’ve outlined below.

Benefits of qualitative approach

  • Best fit for less mature organizations.
  • Suits organizations that have not yet valued most of their assets in monetary terms (e.g., in Dirhams).
  • Relatively simple to apply and to arrive at risk values; less effort is required to perform risk assessments and manage risks.
  • An effective tool for communicating risks and building alignment and understanding among stakeholders, so that mitigation decisions can be reached quickly. The approach leaves room for professional judgement when arriving at risk values.

Limitations of qualitative approach

  • It is harder to communicate risk to senior management in quantified terms (e.g., Dirham figures).
  • Results can be inconsistent and inaccurate, since the ratings depend heavily on the experience, expertise and competency of the individual assessor.
  • Ratings tend to be inflated: assessors take the conservative route, preferring to rate a risk higher and be on the safe side rather than rate it lower and be held accountable if it materializes.
  • Risks within the same band cannot be prioritized against each other: every risk rated Medium gets the same priority for treatment.
  • An accurate cost-benefit analysis of treatment options is not possible, because the rating carries no monetary value to set against the cost of a control.
  • Stakeholders may argue a rating down without any supporting data, simply by appealing to risk tolerance or risk appetite.
  • Additional effort is needed to map third-party cybersecurity assessment findings onto the organization's internal risk framework and its prioritization scheme.
  • Meaningful data analytics over the risk register are not possible, because the underlying data are ordinal scales rather than measured data points.

This approach best suits organizations that operate in low-risk environments, are less dependent on technology for their core business operations, and have a less mature cybersecurity practice. At the same time, qualitative analysis does provide enough clarity to prioritize tasks quickly and cost-effectively, without the logistical and financial effort that a quantitative model demands.

Quantitative approach

The quantitative approach to cyber risk management assigns numerical values to assets and computes the risk factors (impact and likelihood) from them. These values are measured quantities, such as monetary asset values, expected loss per event and expected event frequency, rather than relative scales, and they are combined through explicit formulas (Figure 2).

The final risk assessment report states risk levels, potential loss and the cost of mitigating controls in currency figures. This allows risk discussions and decisions to be concrete and unambiguous, and it improves the accuracy of the ratings, which rest on data points rather than relative scales. To deliver this, a quantitative risk analysis requires:

  • High-quality data
  • A well-developed project model
  • A prioritized list of project risks (usually the output of a qualitative risk analysis performed beforehand)

Done well, quantitative risk analysis quantifies the possible outcomes, assesses the probability of achieving specific objectives, supports decision making under uncertainty and, not least, produces realistic and achievable cost, schedule and scope targets.

Figure 2 – Sample quantitative risk calculation
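As an added example (not code from the article or from CPX), the following script scores one constructed risk register both ways: with the heat-map method described under the qualitative approach (1-3 ordinal scales, product of likelihood and impact, banded into Low/Medium/High) and with a monetary calculation of the kind Figure 2 illustrates. The formulas used, SLE = AV × EF and ALE = SLE × ARO, are the conventional single and annualized loss expectancy formulas and are an assumption here, since the page does not state which equations Figure 2 uses; the banding thresholds, asset values, exposure factors, event rates, control names and control costs are all constructed illustrative figures.

```python
"""Scoring one risk register both qualitatively and quantitatively.

Added example; not code from the original article or from CPX. All figures
below (scales, banding thresholds, asset values, exposure factors, event
rates, control costs) are constructed for illustration and are not data
from any real organisation.
"""
from dataclasses import dataclass, replace

# ---- Qualitative: ordinal 1-3 scales, rating = likelihood x impact ----------
SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    """Product of the two ordinal ratings: the cell the risk lands in on the heat map."""
    return SCALE[likelihood] * SCALE[impact]


def qualitative_band(score: int) -> str:
    """Assumed heat-map banding: 1-2 Low, 3-4 Medium, 6-9 High."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# ---- Quantitative: monetary loss expectancy ---------------------------------
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str         # qualitative rating used on the heat map
    impact: str             # qualitative rating used on the heat map
    asset_value: float      # AV, in AED
    exposure_factor: float  # EF, fraction of AV lost in one event (0.0-1.0)
    annual_rate: float      # ARO, expected number of events per year


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV x EF: the loss from a single occurrence, in AED."""
    return round(risk.asset_value * risk.exposure_factor, 2)


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: the expected loss per year, in AED."""
    return round(single_loss_expectancy(risk) * risk.annual_rate, 2)


def net_control_benefit(risk: Risk, residual_ef: float, residual_aro: float,
                        annual_cost: float) -> float:
    """Cost-benefit of a control: (ALE before - ALE after) - yearly control cost.

    A positive value means the control pays for itself; a negative value
    means the risk is cheaper to accept, or a cheaper control is needed.
    """
    residual = replace(risk, exposure_factor=residual_ef, annual_rate=residual_aro)
    saving = annualized_loss_expectancy(risk) - annualized_loss_expectancy(residual)
    return round(saving - annual_cost, 2)


def rank_qualitative(risks):
    """Order by heat-map score. Ties inside a band keep register order:
    the method carries no information that could break them."""
    scored = [(r.name,
               qualitative_band(qualitative_score(r.likelihood, r.impact)),
               qualitative_score(r.likelihood, r.impact)) for r in risks]
    return sorted(scored, key=lambda t: -t[2])


def rank_quantitative(risks):
    """Order by ALE, highest expected annual loss first."""
    return sorted(((r.name, annualized_loss_expectancy(r)) for r in risks),
                  key=lambda t: -t[1])


# Constructed register: three risks that all land in the same heat-map band.
REGISTER = [
    Risk("Ransomware on file server", "medium", "medium", 2_000_000, 0.50, 0.2),
    Risk("Unencrypted laptop theft",  "medium", "medium",   150_000, 0.40, 1.0),
    Risk("Public website defacement", "high",   "low",      300_000, 0.10, 2.5),
]

if __name__ == "__main__":
    print("Qualitative ranking (score, band):")
    for name, band, score in rank_qualitative(REGISTER):
        print(f"  {name:28s} {score}  {band}")
    print("Quantitative ranking (ALE, AED):")
    for name, ale in rank_quantitative(REGISTER):
        print(f"  {name:28s} {ale:>12,.2f}")
    # Hypothetical controls: EDR plus offline backups for the ransomware risk,
    # full-disk encryption for the laptops. Costs and residual values are assumed.
    print("Net benefit of ransomware control:",
          net_control_benefit(REGISTER[0], residual_ef=0.10, residual_aro=0.1,
                              annual_cost=80_000))
    print("Net benefit of laptop encryption:",
          net_control_benefit(REGISTER[1], residual_ef=0.05, residual_aro=1.0,
                              annual_cost=70_000))
```

Running it shows the point made in both lists of limitations: all three risks land in the Medium band, so the heat map cannot order them, whereas their ALE values rank them 200,000 / 75,000 / 60,000 AED, and a control's yearly cost can be set directly against the ALE it removes (the ransomware control nets +100,000 AED a year, the laptop encryption nets -17,500 under these assumed figures). The output is only as good as the EF and ARO estimates fed in; change them and the ranking changes, which is the caveat behind the "high-quality data" prerequisite.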

As with the qualitative approach, there are advantages and disadvantages to the quantitative approach to cyber risk management, outlined below.

Benefits of quantitative approach

  • Risk can be communicated to senior management in quantified terms (e.g., Dirham figures).
  • Results are more consistent and reproducible, since ratings are derived from data points rather than from the assessor's competency and experience (though they are only as accurate as the input data).
  • Risk is represented in actual values, so there is no need to force ratings onto relative scales.
  • Treatment efforts can be prioritized precisely, because each risk carries its own (in most cases distinct) value instead of being grouped with others under the same rating.
  • An accurate cost-benefit analysis of treatment options is possible, because risk values and control costs are expressed in the same local currency.
  • Ratings are easier to defend with stakeholders, because they are backed by data points.
  • Effective data analytics on cybersecurity risks becomes possible, because the risk values are actual data points.

Limitations of quantitative approach

  • An up-to-date and accurate inventory of assets (including systems and information) is a prerequisite, and building and maintaining it takes considerable effort.
  • All assets must additionally be valued in local currency figures.
  • It is harder to communicate a risk narrative or the big picture to senior management; a table of figures does not by itself explain why a risk exists.
  • There is limited room for professional judgement in arriving at risk values, yet certain risks are subjective in nature and require expert opinion. The input estimates themselves (loss per event, event frequency) are often judgement-based, so precise-looking figures can hide wide uncertainty.

This approach best suits organizations that operate in high-risk environments, are heavily dependent on technology for their core business operations, and have a mature (or at least well-established) cybersecurity practice. Quantitative analysis expects to deal with logistical challenges and financial data, because it uses that data to produce a value against which the acceptability of a risk outcome is measured.

Final verdict

Both approaches have advantages and disadvantages (Table 1). The qualitative approach gives a clear, descriptive narrative of cyber risks, while the quantitative approach provides precise risk values for detailed analysis and further consideration.

Table 1 – Qualitative vs Quantitative (comparative summary)

Although each approach has its pros and cons, they do not compete for the title of “best”; the question is which is better suited to the challenge at hand. Both are important tools within the larger risk management process, and in many cases they complement each other.

There is no clear-cut “winner” between the two, but applying neither leaves cyber risk effectively unmanaged, with potentially devastating results for an organization.

A combined framework that draws on the strengths of both approaches is the ideal candidate for effective and efficient cyber risk management. Organizations can engage cyber risk management consultants to establish a framework that is both flexible and tailored to their particular requirements.
