Quantitative risk has become a growing field of interest for information security professionals. This is good news, as I strongly believe that this is the right approach to perform meaningful information risk assessments.
The first time I discovered quantitative risk was by picking up a book in the library called The Failure of Risk Management.1 The book validated my concerns over the classical approach to risk management for information security that used qualitative indicators such as high, medium and low. As a practitioner of information risk management, I could not hide my disappointment amongst my peers and was really hopeful there might be a better way.
After reading Hubbard’s book, I obtained a master's in information risk, in which I had an enlightening course called quantitative risk analysis. I then decided to bring some quantitative risk concepts to my organization and perform a pilot risk assessment comparing the outcome of both a qualitative and quantitative assessment on the same business application.
The outcome of this pilot risk assessment was shared amongst my peers within my organization, as explained in my ISACA Journal article. A lot of interest was given in my organization from the key stakeholders: business application owners, IT application owners and the chief information security officer (CISO). My model deliberately took a simple probabilistic approach rather than a more advanced one as praised by quantitative experts, as I did not have the necessary time to delve into the realm of probabilistic analysis.
I still feel very passionate about the need to further develop quantitative risk analysis for information security. Quantitative analysis is already used extensively in other fields such as finance, healthcare and insurance, so there is no reason why the same approach cannot be applied to information security.
Read Benoit Heynderickx's recent Journal article:
"Evolving From Qualitative to Quantitative Risk Assessment: A Practitioner’s Dilemma," ISACA Journal, volume 4, 2019.
1 Hubbard, D. W.; The Failure of Risk Management: Why It’s Broken and How to Fix It, Wiley, USA, 2009