The information security community has been performing risk assessment for as long as the profession has existed. Risk assessment is typically classified as qualitative (e.g. Critical, High, Medium, Low) or quantitative (a dollar amount). Risk scoring is a relatively new phenomenon in which a score (a number) is assigned based upon available data and numerical calculations. Scoring systems and methods can differ considerably from one approach to another. For example, one system may produce scores bounded to a fixed range while another produces scores with no upper bound.
Why is methodology important?
Business outcomes may differ depending upon which methodology we pick. Each method has its advantages and drawbacks.
- Qualitative methods usually incorporate some level of subjectivity based upon the risk assessor's experience. However, they can be carried out relatively easily and quickly, taking less time to complete.
- Quantitative risk assessment methods involve more complicated math. Since large data sets are often not available, risk assessors still make assumptions in the inputs, which gives an impression of subjectivity. Implementing quantitative risk assessment "at scale" is difficult because it takes more time to perform.
- Risk scoring methods differ quite a bit in their implementations. Many vendors are not transparent about the underlying formulas they use for scoring. However, methods exist to perform risk scoring based upon available data instead of assumptions. The main advantages are the elimination of subjectivity and the ability to perform risk scoring at scale.
A decent risk assessment methodology can be a combination of qualitative, quantitative and scoring methods.
What factors to consider?
When considering which risk assessment methodology to adopt, the following are a few considerations.
- Staff experience in performing risk assessment.
- Speed at which risk assessment is needed.
- Tools available for risk assessment.
- Ability to collect data for risk scoring. The data may include vulnerability scanning results, endpoint detection and response (EDR) data, penetration testing results, patch management data, asset management records, coverage of security agents (or lack of it) and so on. The more data that is available, the better the score.
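As an added example (not from the post, and not any vendor's formula), the following Python sketch shows what data-driven risk scoring can look like when the inputs come from the sources listed above: vulnerability scan counts, EDR coverage, patch management lag, asset criticality and confirmed penetration testing findings. The weights, the saturation point and the treatment of missing data are all assumptions chosen for illustration; the point is that every input is observable evidence, the formula is published in the code, and the score is bounded to 0..100 so assets can be ranked at scale. The sample assets are constructed.

```python
"""Illustrative data-driven risk score. Formula and weights are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed weights. A real program would calibrate these and, unlike many vendors, publish them.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
PENTEST_FINDING_WEIGHT = 15.0   # a confirmed exploitable finding outweighs a scanner hit
NO_EDR_PENALTY = 10.0           # no security agent on the host (or no coverage data at all)
PATCH_LAG_PENALTY_90 = 10.0     # last patch more than 90 days ago, or patch data missing
PATCH_LAG_PENALTY_30 = 5.0      # last patch more than 30 days ago
MAX_EXPOSURE_POINTS = 100.0     # saturation point; keeps the final score within 0..100


@dataclass
class AssetEvidence:
    """One asset's evidence, merged from the data sources the post lists."""
    name: str
    criticality: int                                    # 1..5, from asset management
    vuln_counts: Dict[str, int] = field(default_factory=dict)  # severity -> count, from the scanner
    edr_installed: Optional[bool] = None                # from the EDR console; None = no data
    days_since_last_patch: Optional[int] = None         # from patch management; None = no data
    pentest_findings: int = 0                           # confirmed findings from penetration testing


def exposure_points(ev: AssetEvidence) -> float:
    """Raw exposure: a sum of evidence-based penalties. Missing data counts against the asset."""
    points = sum(SEVERITY_WEIGHT.get(sev.lower(), 0.0) * n for sev, n in ev.vuln_counts.items())
    points += PENTEST_FINDING_WEIGHT * ev.pentest_findings
    if ev.edr_installed is not True:            # False and None are both treated as uncovered
        points += NO_EDR_PENALTY
    lag = ev.days_since_last_patch
    if lag is None or lag > 90:
        points += PATCH_LAG_PENALTY_90
    elif lag > 30:
        points += PATCH_LAG_PENALTY_30
    return points


def risk_score(ev: AssetEvidence) -> float:
    """Bounded 0..100 score: saturated exposure scaled by asset criticality."""
    exposure = min(exposure_points(ev), MAX_EXPOSURE_POINTS) / MAX_EXPOSURE_POINTS  # 0..1
    crit = max(1, min(5, ev.criticality)) / 5.0                                       # 0.2..1
    return round(100.0 * exposure * crit, 1)


def rank_assets(assets: List[AssetEvidence]) -> List[Tuple[str, float]]:
    """Highest-risk assets first; this is the list a remediation queue would be built from."""
    scored = [(a.name, risk_score(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    AssetEvidence("crm-db-01", criticality=5, vuln_counts={"critical": 1, "high": 2},
                  edr_installed=True, days_since_last_patch=10, pentest_findings=1),
    AssetEvidence("kiosk-07", criticality=1, vuln_counts={"high": 3, "medium": 4},
                  edr_installed=False, days_since_last_patch=None),
    AssetEvidence("build-agent-03", criticality=3, vuln_counts={"critical": 4, "medium": 10},
                  edr_installed=None, days_since_last_patch=120),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:16s} {score:5.1f}")
```

Note the two design choices that matter for the post's argument: an unknown value (no EDR record, no patch record) is scored as a gap rather than silently ignored, so incomplete data collection shows up in the score instead of hiding behind an assumption; and the exposure term saturates, so a single asset with hundreds of findings cannot push the scale past 100 and distort the ranking of everything else.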
My personal preference is to use risk scoring in combination with qualitative risk assessment performed in assessments like penetration testing.