CEB Blogs



How and When to Quantify Information Risk

It's not helpful to assign a monetary value to every risk, but for more serious or complex situations it can clarify decisions or rally people behind a course of action

Risk quantification is not impossible, it’s just misunderstood. Most people think of risk quantification as the practice of assigning a dollar value to information risk, but even ranking different types of risk on an ordinal scale (first, second, third, etc.) involves a degree of quantification.

Instead, it helps to think of risk quantification as a practice with varying degrees of effort yielding varying degrees of precision. While most situations call for less precision, there are some information risk topics in which a more rigorous and quantified approach is appropriate, not least to justify Information Security’s reasoning for choosing one strategy over another.

When to Add More Rigor to Risk Assessments

One of the most important steps in risk quantification is knowing when to add more rigor to risk assessments, and the criteria below will help work out when doing so is more advantageous and/or practical.

  1. Advantageous: Adding rigor to quantifying risk is advantageous when a chief information security officer (CISO) answers “yes” to more than one of the following questions:

    • Does the assessment feed into a resource allocation or other type of monetary decision made by an external stakeholder (e.g., a cyber insurance contract negotiation, a conversation with auditors on why risks were accepted)?

    • Is Information Security directly competing for funding with other risk functions?

    • Does the assessment feed into a resource allocation or other type of monetary decision made by the information security team (e.g., should Information Security acquire the tool that costs x dollars to mitigate y risk)?

    • Is there pressure from a business stakeholder to come up with a precise assessment of the urgency and magnitude of x risk because an important decision rides on it?

    • Does Information Security want to change a consensus view around the immediate urgency of x risk and instead focus attention on y risk?

  2. Practical: Adding rigor to quantifying risk is practical when a CISO answers “yes” to all the following questions:

    • Is there a precedent for the risk event in question?

    • Is information/data about the risk available within the company or industry?

    • Is the necessary process infrastructure in place (e.g., does Finance maintain a history of loss events by incident type)?

    • Can subject matter experts (SMEs) who can provide greater precision to the risk assessment be identified?

How to Add More Rigor: Time to Play FAIR

After deciding if adding more rigor to a risk assessment is appropriate, the next step is deciding how to do it. After speaking with dozens of CISOs, it’s clear that one good method is Factor Analysis of Information Risk (FAIR). FAIR sets itself apart from other risk quantification methodologies that try to put a hard financial figure on risk because it does three important things (see chart 1).

  • It decomposes risk to make estimation more reliable.

  • It uses ranges rather than point values.

  • It uses confidence assessments of estimates.
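To make those three points concrete, here is a small Monte Carlo model added for this post; it is not code from the article, from CEB, or from the FAIR standard. It decomposes risk into FAIR's two top-level factors (loss event frequency and loss magnitude), takes each as a low/most-likely/high range with a confidence weight rather than a point value, and turns the ranges into a distribution with a modified-PERT (beta) sampler, which is one common way FAIR tools interpret a calibrated estimate. It then answers the "tool that costs x dollars to mitigate y risk" question from the checklist above by comparing expected annual loss with and without a control. The credential-phishing scenario, the control's effect, and its cost are constructed, hypothetical figures, and the PERT confidence weight and Poisson event count are modelling assumptions, not part of the article.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range estimate: low/mode/high bound the quantity, and
    confidence is the PERT shape weight (higher pulls samples toward the mode)."""
    low: float
    mode: float
    high: float
    confidence: float = 4.0

    def __post_init__(self):
        if not (0 <= self.low <= self.mode <= self.high) or self.confidence <= 0:
            raise ValueError("need 0 <= low <= mode <= high and confidence > 0")

    def sample(self, rng):
        """Draw one value from a modified-PERT (beta) distribution over the range."""
        span = self.high - self.low
        if span == 0:
            return self.low
        a = 1.0 + self.confidence * (self.mode - self.low) / span
        b = 1.0 + self.confidence * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """FAIR's top-level decomposition: how often loss events occur, and what each costs."""
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # cost per loss event, in currency units


def sample_many(estimate, n, seed=1):
    """Draw n samples from one estimate (useful for sanity-checking a range)."""
    rng = random.Random(seed)
    return [estimate.sample(rng) for _ in range(n)]


def _poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20000, seed=1):
    """Monte Carlo: each trial is one simulated year; events happen at a sampled
    rate and each event draws its own magnitude from the range."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        rate = scenario.loss_event_frequency.sample(rng)
        events = _poisson(rng, rate)
        years.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return years


def summarize(years):
    """Report the annual-loss distribution as a range, not a single number."""
    s = sorted(years)
    n = len(s)
    return {"mean": statistics.fmean(s), "median": s[n // 2], "p90": s[int(0.9 * (n - 1))]}


def control_benefit(baseline, with_control, trials=20000, seed=1):
    """Expected annual loss avoided by the control (fixed seed keeps runs reproducible)."""
    before = statistics.fmean(simulate_annual_loss(baseline, trials, seed))
    after = statistics.fmean(simulate_annual_loss(with_control, trials, seed))
    return before - after


def control_is_worth_it(baseline, with_control, annual_control_cost, trials=20000, seed=1):
    """The checklist's 'tool costing x dollars to mitigate y risk' decision."""
    return control_benefit(baseline, with_control, trials, seed) > annual_control_cost


# Constructed sample inputs (hypothetical figures, not data from the article): a
# credential-phishing scenario before and after a hypothetical control that reduces
# how often the loss event occurs but not what each event costs.
BASELINE = Scenario(
    loss_event_frequency=Estimate(0.5, 2.0, 6.0),
    loss_magnitude=Estimate(20_000, 150_000, 1_200_000),
)
WITH_CONTROL = Scenario(
    loss_event_frequency=Estimate(0.1, 0.5, 2.0, confidence=6.0),  # narrower: better data
    loss_magnitude=BASELINE.loss_magnitude,
)
CONTROL_COST_PER_YEAR = 120_000  # hypothetical licence plus operating cost

if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("with control", WITH_CONTROL)):
        stats = summarize(simulate_annual_loss(scenario))
        print(f"{name:13s} " + ", ".join(f"{k}={v:,.0f}" for k, v in stats.items()))
    print(f"expected loss avoided per year: {control_benefit(BASELINE, WITH_CONTROL):,.0f}")
    print("acquire control:", control_is_worth_it(BASELINE, WITH_CONTROL, CONTROL_COST_PER_YEAR))
```

The point of reporting median and p90 alongside the mean is the second FAIR benefit above: a stakeholder who only sees the mean cannot tell a steady drip of small losses from a rare but severe year, and the decision on the control should be defended on the range, not a single figure.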

Chart 1: Summary of the benefits, drawbacks, and applications of FAIR (Source: CEB analysis)

