Information Security Forum Releases "Using Quantitative Techniques in Information Risk Analysis" Report
October 2018 by Information Security Forum
The Information Security Forum (ISF), the trusted source that senior security professionals and board members turn to for strategic and practical guidance on information security and risk management, today announced the release of Using Quantitative Techniques in Information Risk Analysis.
Their latest report helps organizations to extract value from uncertainty by accurately estimating and calculating their information risk. While qualitative techniques are still encouraged by the ISF for many organizations, the possibilities presented in Using Quantitative Techniques in Information Risk Analysis provide an alternative method which delivers value through the application of rigorous and testable techniques that enable organizations to accurately measure their exposure to loss. The report explains three techniques - estimating, calibrating and reviewing - that are essential for understanding and undertaking quantitative information risk analysis.
"To direct investment and manage exposure to loss, organizations need to embrace the unknown - learning how to measure and reduce their uncertainty," said Steve Durbin, Managing Director of the Information Security Forum. "Quantitative techniques provide an arsenal of tools that account for uncertainty, with the potential for accurate measurement of information risk to direct meaningful decision making. These techniques have been tested through trial and error in numerous industries - insurance, healthcare, oil and finance -and can be used with the promise of accumulative value over time."
Risk is inherently uncertain, however, many approaches to information risk analysis conceal uncertainty through inconsistent terminology and inaccurate models, leaving organizations unaware of their true risk posture and resigned to directing investment with scant evidence. Due to cultural precedent and/or regulatory demand, some organizations may be required to use qualitative terminology to categorize loss bandings and/or prioritize risks. To report quantitative losses qualitatively, organizations may use familiar labels, such as low, medium or high, or traffic light scoring, including green, amber or red, to describe the bandings of loss.
Using Quantitative Techniques in Information Risk Analysis is informed by ISF research into leading organizations’ efforts to use quantitative techniques in information risk analysis. The report enables organizations to gain value by:
* Providing techniques that are essential for understanding and undertaking
quantitative information risk analysis
* Demonstrating how quantitative information risk analysis can be conducted to provide accurate and informative results
* Presenting ways in which the results of quantitative information risk analysis can be communicated to support decision making
To ensure information risk analysis delivers value, organizations should adopt the ISF Approach for Using Quantitative Techniques in Information Risk Analysis. The ISF Approach sets out a scenario-led analysis, which calculates information risk to provide accurate results and demonstrates how modelling information risk can communicate results to support decision making, directing effective mitigation and return on investment for organizations. Scenario-led analysis helps organizations to adopt a defined vocabulary and quantified metrics that exploit a robust, mathematical calculation. This approach provides accurate results that direct effective mitigation and Return on Investment (ROI) for the organization.
"As maturity grows, organizations should seek a new direction, building models that improve probabilistic outcomes, retain knowledge and reduce error. With repetition, organizations can develop a model which scales and preserves expert opinion," continued Durbin. "Using a model that can be measured enables organizations to identify where improvement is required and where value is being delivered."
Using Quantitative Techniques in Information Risk Analysis is available now via the ISF website.