Monday, April 1, 2019
Qualitative and Quantitative Risk Analysis Techniques
The Oxford dictionary defines a risk as a situation involving exposure to danger. In business, an event is said to be risky if it has the chance of an undesirable outcome. Other words typically used in association with risks are hazards and threats.

In most cases, where mitigation controls are not implemented, a risk could result in the loss of financial or material assets, or more critically, it could lead to loss of life. Organisations therefore need a technique to assist in the identification and classification of risks, hence the relevance of risk analysis. Risk analysis assists in defining preventive measures to reduce the likelihood of identified threats occurring. Information Technology (IT) managers are able to add value to organisations by using the principles of risk analysis to ensure that businesses remain in existence in the face of a risk.

The risk analysis process involves three processes: hazard identification, risk estimation and risk evaluation. Hazard identification is the process of identifying undesired or adverse events that lead to the occurrence of a hazard. Risk estimation is the process of determining the size and magnitude of a risk. Finally, risk evaluation is the process of assessing the risk in terms of its significance, gravity, or seriousness. Mathematically, the risk equation can be expressed as

Risk = (Impact * Likelihood)

or

Risk = (Probability * Likelihood)

Impact measures the level of loss to the organisation. Loss can either be financial or available. Likelihood measures the probability of experiencing the impact.

Risk Estimation Methodology

Risk estimation is the systematic evaluation of the likelihood of an adverse effect arising from exposure in a defined population.
The focus for IT security managers is risk estimation that is geared towards meeting the confidentiality, integrity and availability of information resources.

Risk Analysis Techniques

Risk analysis techniques can be broken down into two broad methods: qualitative risk analysis and quantitative risk analysis. Irrespective of the technique selected by an IT security manager, an understanding of the organisation's process assets, i.e. how risks were handled in the past, the background of the project in question and the plans that have been put in place to manage risks, has to be clearly defined.

Qualitative Risk Analysis

Qualitative risk analysis involves the use of relative concepts to determine risk exposure. Thereafter, a relative classification system is employed where risks are classified as high, medium or low. Qualitative risk analysis allows IT managers to perform systematic examinations of threats and risks to the organisation. It also provides the opportunity for a review of proposed countermeasures and safeguards to determine the best cost-benefit implementation.

Using this technique requires IT managers to develop a scope plan, assemble a quality team, identify threats and prioritise threats.

Advantages of Qualitative Risk Assessment Technique

Ease of calculation: when compared with the quantitative technique, performing calculations using a qualitative technique is relatively simple.

Monetary value of assets does not need to be determined: to perform a qualitative risk assessment, IT managers don't need to come up with a monetary value for the assets identified during the initial asset identification phase.

It is not necessary to define threat frequency: because this technique does not require complex calculations, IT managers do not have to estimate the number of times a given threat is likely to

It is easier to involve non-security and non-technical staff: though selecting risk assessment team members is important, this technique does not require that the selected team consist solely of technical members.

Flexibility in process and reporting.

Drawbacks of Qualitative Risk Assessment Techniques

Below is a discussion of the drawbacks of qualitative risk assessment techniques.

Qualitative techniques are subjective in nature, i.e. rather than relying on statistical data for their results, they depend on the quality of the risk management team that created them. The cost-benefit analysis technique, which assists in justifying the need for investing in controls, is not used in qualitative risk assessment. It does not differentiate sufficiently between important risks.

Attributes of Qualitative Risk Assessments

Qualitative risk assessment techniques offer a relatively faster process when compared with quantitative techniques. Their emphasis is on descriptions as against statistical data; as such, team members need not be too technical to take part in a qualitative analysis process.

In addition, values from a qualitative risk assessment are not actual values. In other words, they are perceived values. Finally, its findings are simple and expressed in relative terms understandable by non-technical people, therefore requiring little or no training before its results can be understood.

Qualitative Risk Assessment Tools / Techniques

A number of tools are available for carrying out qualitative risk assessment. A few of them are discussed below.

Probability and impact matrix: the probability and impact matrix illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective.

Risk probability and impact assessment: using this tool involves the risk analysis team rating the project's risks and opportunities.

Ishikawa (fishbone cause and effect diagrams): the cause and effect diagram can be used to explore all the possible or actual causes (or inputs) that result in a single effect (or output).
This tool can be used for identifying areas where there may be problems and to examine causes of risks.

Failure Mode and Effect Analysis (FMEA): the FMEA method starts by considering the risk events and then proceeds to predict all their possible effects in a chart form.

Quantitative Risk Assessment

IT security managers as decision makers are susceptible to biased perception. As such, they require a means of accurately determining risks such that potential risk factors are not overlooked, hence the need for quantitative risk assessments.

Quantitative risk analysis generally follows on from the qualitative risk analysis process. It aims to numerically analyse the probability of each risk and its consequence on the project objectives as well as the extent of overall project risk.

Quantitative Risk Assessment Techniques

In quantitative risk analysis processing, techniques such as Monte Carlo and Bayesian simulations can be employed because they provide indispensable tools to the risk assessment team.

These tools assist the team in determining the probability of achieving a specific project objective. They are equally used to quantify the risk exposure for the project and determine the size of cost and schedule contingency reserves that may be needed. Additionally, they identify the risks which require the most attention by quantifying their relative contributions to project risk.

Advantages of Quantitative Risk Assessment

Using quantitative assessments, IT managers are able to present the results of risk assessment in a straightforward manner to support the accountancy-based presentation of senior managers. As results are statistical in nature, it aids in determining whether an expensive safeguard is worth purchasing or not.
The process requires the risk assessment team to put significant effort into asset value definition and mitigation; as a result, its results are based substantially on independently objective processes and metrics.

Finally, carrying out a quantitative risk analysis is fairly simple and can easily follow a template type approach.

Drawbacks of Quantitative Risk Assessment

Calculations involved in quantitative risk assessments are complex and time consuming. Its results are presented in monetary terms only and, as such, may be difficult for non-technical people to interpret. The process requires expertise, so participants cannot be easily coached through it. Impact values assigned to risks are based on opinions of participants.

Attributes of Quantitative Risk Assessment

Accuracy of results from quantitative risk assessment tends to increase over time as the organisation builds a historic record of data while gaining experience. Results generated from a quantitative assessment are financial in nature, making quantitative techniques useful for cost-benefit analysis.

Quantitative Risk Assessment Tools

Decision tree analysis: the decision tree is a useful tool for choosing an option from alternatives. It is used to explore different options and the outcome of selecting a specific option.

Sensitivity analysis: this technique is used to determine the risks which are likely to have the highest impact on the project. In sensitivity analysis, the effect of each risk is examined while holding all other uncertain elements at baseline values.

Striking a Balance

As already highlighted above, both approaches to risk management have their advantages and disadvantages. Certain situations may call for organisations to adopt the quantitative approach.
Conversely, smaller organisations with limited resources will probably find the qualitative approach better fitting.

Furthermore, in selecting a risk analysis technique, IT security managers should select a technique that best reflects the needs of the organisation. The decision on which risk analysis technique to use should depend on what the manager is attempting to achieve.

It is the suggestion of this paper that an integration of qualitative and quantitative risk analysis techniques be adopted by IT security managers to create a more comprehensive analytical approach. This can be understood as a Hybrid Risk Analysis Approach.

Capturing risks and selecting controls are important; however, more important is an effective risk assessment process establishing the risk levels. Before an organisation can decide on what to do, it must first identify where and what the risks are. Quantitative risk analysis requires risk identification, after which both qualitative and quantitative risk analysis processes can be used separately or together. Consideration of time and budget availability, and of the need for both types of analysis statements about risk and impact, will determine which method(s) to use.
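To make the hybrid approach concrete, the following added example (not part of the original essay) rates one risk register with a probability and impact matrix and then runs a Monte Carlo simulation over it to size a contingency reserve and rank each risk's contribution. The register entries, probabilities, loss figures, band cut points and the choice of a triangular loss distribution are all assumptions made for illustration.

```python
import random

# Constructed risk register (illustrative assumptions, not real data):
# (name, annual probability, minimum loss, most likely loss, maximum loss)
REGISTER = [
    ("Ransomware outage",      0.10, 50_000, 200_000, 900_000),
    ("Laptop theft",           0.60,  1_000,   4_000,  15_000),
    ("Cloud misconfiguration", 0.25, 10_000,  60_000, 300_000),
    ("Insider data leak",      0.05, 20_000, 150_000, 600_000),
]

def band(value, cuts):
    """Map a number to 1 (low), 2 (medium) or 3 (high) using two cut points."""
    return 1 + sum(value >= c for c in cuts)

def qualitative_rating(prob, likely_loss):
    """Probability and impact matrix: score = likelihood band * impact band."""
    score = band(prob, (0.1, 0.5)) * band(likely_loss, (10_000, 100_000))
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def simulate(register, trials=20_000, seed=1):
    """Monte Carlo: per trial, each risk occurs with its probability and draws a loss."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    totals, per_risk = [], {r[0]: 0.0 for r in register}
    for _ in range(trials):
        total = 0.0
        for name, p, lo, mode, hi in register:
            if rng.random() < p:
                loss = rng.triangular(lo, hi, mode)
                per_risk[name] += loss
                total += loss
        totals.append(total)
    return totals, {n: v / trials for n, v in per_risk.items()}

def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def analyse(register=REGISTER):
    totals, mean_loss = simulate(register)
    expected = sum(mean_loss.values())
    return {
        "ratings": {n: qualitative_rating(p, m) for n, p, _, m, _ in register},
        "expected_loss": expected,                # mean simulated annual loss
        "reserve_p80": percentile(totals, 0.80),  # reserve covering 80% of years
        "contribution": {n: v / expected for n, v in mean_loss.items()},
    }

if __name__ == "__main__":
    print(analyse())
```

Three of the four risks share the same "medium" rating in the matrix, while the simulation separates them by their share of expected loss, which is the differentiation the qualitative method alone does not provide.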