The Information Security Forum (ISF) announced the
release of Using Quantitative Techniques in Information Risk Analysis.
Their latest report helps organizations to extract value from uncertainty by
accurately estimating and calculating their information risk. While qualitative
techniques are still encouraged by the ISF for many organizations, the
possibilities presented in Using Quantitative Techniques in Information Risk
Analysis provide an alternative method which delivers value through the
application of rigorous and testable techniques that enable organizations to
accurately measure their exposure to loss. The report explains three
techniques - estimating, calibrating and reviewing - that are essential for
understanding and undertaking quantitative information risk analysis.
"To direct investment and manage exposure to loss, organizations need to
embrace the unknown - learning how to measure and reduce their uncertainty,"
said Steve Durbin, Managing Director of the Information Security Forum.
"Quantitative techniques provide an arsenal of tools that account for
uncertainty, with the potential for accurate measurement of information risk to
direct meaningful decision making. These techniques have been tested through
trial and error in numerous industries - insurance, healthcare, oil and finance
- and can be used with the promise of accumulative value over time."
Risk is inherently uncertain; however, many approaches to information
risk analysis conceal uncertainty through inconsistent terminology and
inaccurate models, leaving organizations unaware of their true risk posture and
resigned to directing investment with scant evidence. Due to cultural precedent
and/or regulatory demand, some organizations may be required to use qualitative
terminology to categorize loss bandings and/or prioritize risks. To report
quantitative losses qualitatively, organizations may use familiar labels, such
as low, medium or high, or traffic light scoring, including green, amber or
red, to describe the bandings of loss.
Using Quantitative Techniques in Information Risk Analysis is informed by ISF
research into leading organizations' efforts to use quantitative techniques in
information risk analysis. The report enables organizations to gain value by:
- Providing techniques that are essential for understanding and
undertaking quantitative information risk analysis
- Demonstrating how quantitative information risk analysis can be
conducted to provide accurate and informative results
- Presenting ways in which the results of quantitative information
risk analysis can be communicated to support decision making
To ensure information risk analysis
delivers value, organizations should adopt the ISF Approach for Using
Quantitative Techniques in Information Risk Analysis. The ISF Approach sets
out a scenario-led analysis, which calculates information risk to provide
accurate results and demonstrates how modelling information risk can
communicate results to support decision making, directing effective mitigation
and return on investment for organizations. Scenario-led analysis helps
organizations to adopt a defined vocabulary and quantified metrics that rest on
a robust mathematical calculation. This approach provides accurate results that
direct effective mitigation and Return on Investment (ROI) for the organization.
"As maturity grows, organizations
should seek a new direction, building models that improve probabilistic
outcomes, retain knowledge and reduce error. With repetition, organizations can
develop a model which scales and preserves expert opinion," continued Durbin. "Using a model that
can be measured enables organizations to identify where improvement is required
and where value is being delivered."
Using Quantitative Techniques in Information Risk Analysis is available now via
the ISF website.