Quantitative v. Qualitative Measurements of Risk

While most MSSPs have a surface-level understanding of their customers’ “risk,” rarely do they invest the time to understand the implications. In particular, many organizations have a hard time differentiating between quantitative and qualitative risk, as well as the divergent impacts each can have on various parts of the business.

With that said, what are the distinctions between the two risk measurements, and why do you need to know the difference?

What Is Quantitative Risk?

Quantitative risk analysis involves assigning a defined dollar amount to a particular risk.

For example, if one of your customer’s keeps 500 confidential patient records on a server, you should work with them to conduct a business impact analysis to determine the replacement cost of each record. This would include expenses associated with informing patients of the attack, changing patients’ ID numbers, printing out new health cards and so on.

That said, while you can attempt to estimate the monetary value of the potential risk of an attack on your customer, you can never quantify the total risk due to the repercussions that will extend beyond the immediate effects of recovery and replacement. Business impact analysis can help you establish a floor for the costs of a cyber attack, but the maximum potential costs are likely uncertain.

What Is Qualitative Risk?

In qualitative risk assessments, analysts assign a rating (rather than a dollar amount) based on the severity of a risk, ranging from informational to critical.

Analysts begin first by developing an understanding of the environment based on information they gather internally and/or externally. Then they put that information into context by leveraging analytics on how users interact with the environment. Based on what is uncovered, different businesses could face the same threat but have a different system risk analytics profile.

As a result, it is more challenging to attribute a specific threshold or value in these cases, since labels are typically fluid and poorly defined.

Another important component of qualitative risk to consider is reputational risk – which comes into play in the immediate wake of the attack. By definition, reputational risk has a more lasting “ripple effect” on a business, as it pertains what happens in the aftermath of an event. Reputational damage can come in many forms, including reduced sales potential, lost deals, negatively impacted earnings, as well as eroded investor and consumer confidence.

Final Thought

Many organizations do not have the budget or expertise to handle their IT security needs in-house, so they look to you, managed security service providers (MSSPs) and outside vendors, for help. As an MSSP, you will want to know the contextual knowledge about your clients’ business, such as why the environment is configured a certain way, what dictates the layout or the architecture and how the business is ideally run.

You may be monitoring their environment and addressing their top daily priorities effectively, but without your client’s insight, you will be flying blind. As an MSSP, your organization is charged with overseeing the health of your customers’ IT security ecosystem, and you will require institutional knowledge to help deliver a true assessment as to the qualitative and quantitative risks of any given situation.

Empower your clients with both quantitative and qualitative risk assessments built by the context of their unique business, and revise and revisit that information on a regular basis.