Using qualitative and quantitative methods to assess risk
A 2015 Open Group survey collected data about information risk programs from over 100 organizations. One important insight was that more than half of all surveyed organizations used a combination of both qualitative and quantitative methods for their risk analyses.
In 2014, Gartner conducted research comparing various methodologies for IT risk assessment and analysis (Report ID G00256964). From this research, they found that many organizations have a similar two-tier approach to risk analysis.
I see a similar theme among successful information risk programs, based on my own experience as a FAIR practitioner.
Bottom line: when designing a risk management program, “one size doesn’t fit all”. It is common to see different analysis approaches within the same risk assessment program.
Example:
Risk teams are often limited in their resources and time. Successful programs need to prioritize their efforts and focus on the assessments that are more meaningful to the organization.
Caution!
Problems often arise when these different analysis methods are based on different risk models. When this occurs, a team may unintentionally re-define what risk is within their own program or, at a minimum, suffer issues with consistency in reporting and communication.
The good news is that this can very easily be avoided using Factor Analysis of Information Risk (FAIR). FAIR, at its heart, is an ontology: an accurate model of risk. We can use it both qualitatively and quantitatively, and within both forms with different levels of granularity and precision.
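To make the point concrete, here is an added example (not code from the original post) in which a qualitative triage tier and a quantitative Monte Carlo tier score the same scenario from the same FAIR factors, so neither tier can quietly redefine what risk means; the bin cut points, the triage rule and the two scenario ranges are constructed assumptions.

```python
import random
from dataclasses import dataclass
from statistics import mean, quantiles

# Top-level FAIR factors (Open Group standard): Risk derives from Loss Event Frequency
# (LEF) and Loss Magnitude (LM); LEF derives from Threat Event Frequency (TEF) and
# Vulnerability (Vuln). Both tiers below read the same factors from one Scenario.

@dataclass
class Scenario:
    name: str
    tef: tuple   # (min, likely, max) threat events per year
    vuln: tuple  # (min, likely, max) probability a threat event becomes a loss event
    lm: tuple    # (min, likely, max) loss per loss event, currency units

LEVELS = ("Low", "Medium", "High")

def _bin(value, cuts):
    """Map a most-likely value to Low/Medium/High; cut points are constructed."""
    return LEVELS[sum(value >= c for c in cuts)]

def qualitative_risk(s: Scenario) -> str:
    """Triage tier: ordinal ratings of LEF and LM, combined by a max rule (assumed)."""
    lef = _bin(s.tef[1] * s.vuln[1], (0.5, 5))      # most-likely loss events per year
    lm = _bin(s.lm[1], (10_000, 100_000))
    return LEVELS[max(LEVELS.index(lef), LEVELS.index(lm))]

def _draw(rng, t):
    lo, mode, hi = t                  # random.triangular takes (low, high, mode)
    return rng.triangular(lo, hi, mode)

def quantitative_risk(s: Scenario, trials=10_000, seed=1) -> dict:
    """Deep-dive tier: Monte Carlo over the same TEF, Vuln and LM ranges."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        events = round(_draw(rng, s.tef))          # threat events this simulated year
        vuln = _draw(rng, s.vuln)
        losses = sum(_draw(rng, s.lm) for _ in range(events) if rng.random() < vuln)
        annual.append(losses)
    return {"mean": mean(annual), "p90": quantiles(annual, n=10)[8]}

# Constructed scenarios, not taken from any real assessment.
USB_LOSS = Scenario("Lost unencrypted USB stick", (0.1, 0.5, 2), (0.05, 0.1, 0.3), (500, 2_000, 8_000))
RANSOMWARE = Scenario("Ransomware on file servers", (2, 6, 12), (0.3, 0.6, 0.9), (50_000, 250_000, 1_000_000))

if __name__ == "__main__":
    for s in (USB_LOSS, RANSOMWARE):
        print(s.name, qualitative_risk(s), quantitative_risk(s))
```

The triage tier is cheap enough to run across a whole register, while the Monte Carlo tier is reserved for the scenarios that triage flags, yet both report against identical factor definitions.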
So go forth and design efficient and effective risk management programs with FAIR as the foundation.
Takeaways