Qualitative and Quantitative Risk Assessment

Author: Volkan Evrin, CISA, CRISC, COBIT 2019 Foundation, CDPSE, CEHv9, ISO 27001-22301-20000 LA
Date published: 19 October 2021

With the continuing impact of the COVID-19 pandemic on today’s business ecosystem, the value of risk-oriented thinking in decision making has become clearer and more precise. There is hardly a field of business that does not benefit from risk assessment results, from information security to business continuity and resilience.

One of the most difficult decisions for a risk practitioner or risk manager is determining the most appropriate assessment method to use in the risk analysis process. Many different risk analysis methods have been used effectively and efficiently over the years. However, the final decision can be hard to make, depending on the nature of the asset or process subject to the risk and on the type and amount of risk-related data available.

In general, it is necessary to first understand how to apply risk-based thinking. It then becomes easier to decide which type of risk analysis can contribute most to the risk assessment, depending on the organization’s expertise in its business processes and technology infrastructure, the tools used, and the quality and reliability of the data available.

In the risk assessment approach, the relationships between assets, processes, threats, vulnerabilities and other factors are analyzed first. There are many viable methods, but quantitative and qualitative analysis are the most widely known and used classifications.

Qualitative risk analysis can generally be performed on all business risk. The qualitative approach is used to quickly identify risk areas related to normal business functions. Although staff bias or a lack of work experience can sometimes make the process difficult, qualitative risk analysis generally strengthens an effective risk assessment approach.

Where decisions must be made on the basis of data, quantitative risk analysis methods are the most logical choice. Quantitative risk analysis provides more objective information and more accurate figures than qualitative analysis, because it is based on realistic, measurable data: the impact value a risk would create is calculated together with its probability of occurrence. The most common problem in quantitative assessment is that there is not enough data to analyze. It can also be hard to express the subject of the evaluation in numerical values, or the number of relevant variables may be too high. Both make the analysis technically difficult.

When deciding between a quantitative and a qualitative approach, both options have positives and negatives. Qualitative risk assessment is quick to implement, because it does not depend on statistics or numerical measurements, and it is easy to perform. It also benefits from employees who are experienced with the asset or process; however, those same employees may introduce bias when rating probability and impact. Qualitative risk analysis is quick but subjective. Quantitative risk analysis, on the other hand, is objective and more detailed, and it supports contingency reserves and go/no-go decisions, but it takes more time and is more complex. Quantitative data are difficult to collect and can be prohibitively expensive to obtain.

By adopting a combined approach, and weighing the information and response time needed against the data and knowledge available, it is possible to enhance the effectiveness and efficiency of the risk assessment process and to meet the organization’s requirements for its desired security levels.
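The following is an added example, not code from the article or from ISACA, that puts the comparison of the two preceding paragraphs and the combined approach described above into a small runnable risk register. It assumes the textbook quantitative formula ALE = SLE × ARO (annualized loss expectancy from single-loss expectancy and annualized rate of occurrence), a 5×5 likelihood × impact heat map with assumed band thresholds, assumed placeholder values per band for risks that cannot yet be quantified, and a constructed register whose figures are illustrative only.

```python
"""Qualitative, quantitative and combined risk ranking on one register.

Added example (not from the article). Assumptions, all labelled in place:
ALE = SLE x ARO for quantitative analysis, a 5x5 heat map for qualitative
analysis, and assumed band thresholds / placeholder values.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int              # qualitative rating, 1 (rare) .. 5 (almost certain)
    impact: int                  # qualitative rating, 1 (negligible) .. 5 (severe)
    sle: Optional[float] = None  # single-loss expectancy in EUR, when measured
    aro: Optional[float] = None  # annualized rate of occurrence, when measured


# Constructed register: illustrative figures, not real data.
REGISTER: List[Risk] = [
    Risk("Ransomware on file servers", likelihood=4, impact=5, sle=250_000, aro=0.2),
    Risk("Lost unencrypted laptop", likelihood=5, impact=2, sle=8_000, aro=3),
    Risk("Data-centre flood", likelihood=1, impact=5, sle=2_000_000, aro=0.01),
    Risk("Insider misuse of CRM", likelihood=3, impact=3),  # no loss data yet
]

# Assumed planning values, used only for risks that cannot be quantified.
BAND_PLACEHOLDER_ALE: Dict[str, float] = {
    "Low": 5_000.0, "Medium": 25_000.0, "High": 100_000.0, "Critical": 500_000.0,
}


def qualitative_score(r: Risk) -> int:
    """Heat-map score = likelihood x impact (range 1..25). It orders risks but is
    a rating by people, not a measurement, hence the bias the article mentions."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: ratings must be on the 1..5 scale")
    return r.likelihood * r.impact


def qualitative_band(score: int) -> str:
    """Map a 1..25 score to a band; these thresholds are an assumed convention."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def annualized_loss_expectancy(r: Risk) -> Optional[float]:
    """ALE = SLE x ARO. None when measured inputs are missing, the usual
    obstacle to quantitative analysis."""
    if r.sle is None or r.aro is None:
        return None
    if r.sle < 0 or r.aro < 0:
        raise ValueError(f"{r.name}: SLE and ARO cannot be negative")
    return r.sle * r.aro


def rank_qualitative(risks: List[Risk]) -> List[Tuple[str, int]]:
    """All risks, highest heat-map score first."""
    return sorted(((r.name, qualitative_score(r)) for r in risks),
                  key=lambda t: t[1], reverse=True)


def rank_quantitative(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Only the risks that can be quantified, highest ALE first."""
    scored = []
    for r in risks:
        ale = annualized_loss_expectancy(r)
        if ale is not None:
            scored.append((r.name, ale))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rank_combined(risks: List[Risk]) -> List[Tuple[str, float, str]]:
    """Combined approach: measured ALE where data exist, otherwise the assumed
    placeholder for the qualitative band, so every risk sits on one scale and
    the basis of each figure stays visible."""
    rows = []
    for r in risks:
        ale = annualized_loss_expectancy(r)
        if ale is not None:
            rows.append((r.name, ale, "ALE"))
        else:
            band = qualitative_band(qualitative_score(r))
            rows.append((r.name, BAND_PLACEHOLDER_ALE[band], f"qualitative placeholder ({band})"))
    return sorted(rows, key=lambda t: t[1], reverse=True)


def control_decision(r: Risk, annual_control_cost: float, sle_after: Optional[float] = None,
                     aro_after: Optional[float] = None) -> Tuple[float, bool]:
    """Go/no-go for a control: approve when the ALE it removes exceeds its
    annual cost. Returns (net annual benefit, go). Needs quantitative data."""
    before = annualized_loss_expectancy(r)
    if before is None:
        raise ValueError(f"{r.name}: cost/benefit analysis needs SLE and ARO")
    after_risk = replace(r, sle=r.sle if sle_after is None else sle_after,
                         aro=r.aro if aro_after is None else aro_after)
    after = annualized_loss_expectancy(after_risk)
    net = before - after - annual_control_cost
    return net, net > 0


if __name__ == "__main__":
    for name, score in rank_qualitative(REGISTER):
        print(f"{name:28s} qualitative {score:2d} {qualitative_band(score)}")
    for name, value, basis in rank_combined(REGISTER):
        print(f"{name:28s} {value:>12,.0f} EUR/yr  ({basis})")
    print(control_decision(REGISTER[0], annual_control_cost=15_000, aro_after=0.05))
```

Running it on the constructed register shows the divergence the article warns about: the flood scores "Low" on the heat map because its likelihood rating is 1, yet its ALE (20,000 EUR/yr) is close to that of the laptop risk that the heat map rates higher. The combined ranking keeps the unquantified insider risk on the same scale but marks its figure as a placeholder, and `control_decision` is the go/no-go step that only quantitative data makes possible.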

Editor’s note: For further insights on this topic, read Volkan Evrin’s recent Journal article, “Risk Assessment and Analysis Methods: Qualitative and Quantitative,” ISACA Journal, volume 2, 2021.
