In the past, risks were sought in production, in processes and people. Today, information is the main foundation on which companies can operate. Most companies have all the data and information in data warehouses, clouds, information systems. If access to data is restricted, the entire company will stop. Information security today has a major impact on the survival of companies. Here arises a new need for risk analysis, which is specifically focused on data and information protection. What risk analysis is suitable for entrepreneurs?

Anyone who has lost data, whether a laptop has fallen to the ground or a server crash, knows that the whole world has stopped for a while. You couldn't make decisions, or you couldn't even produce for hours or days. Some of them start to incur penalties from customers for such an outage. Some of the information and data you need for your business will no longer be recovered and you will need to recreate it. On top of it, you must pay all damages. It would be great if you knew in advance where the worst risks are and how big they are. Everyone can calculate the damage when the problem occurs.

Professionals are able to detect risks in advance and manage them effectively so that damage does not occur on such a large scale. And this is exactly what risk analysis is for. This is the first thing you should do when you realize you have an information security issue / want to address information and data security. But there is risk analysis and risk analysis.

QUALITATIVE ANALYSIS OF INFORMATION SECURITY RISKS

There are risk analyzes that use verbal descriptions or colors that express the risk degree. The output is, for example:

  • Heat maps
  • traffic lights
  • or tables with lists of risks rated as high, medium and low

Their usefulness can be briefly expressed by a picture:

Rather, such outputs serve as a superficial orientation. Unfortunately, they will not help you effectively decide where to start addressing risks and how much it is worth investing.

Simply put, such outputs are not applicable to economic calculation and effective management. In addition, there is a phenomenon called the illusion of communication.

Everyone imagines quite different amounts under the terms high or low risk. For example, the CEO of a company with a turnover of billions has completely different ideas about these terms than the manager responsible for a product development with a budget of 5 million. Quantitative risk analysis completely eliminates these problems.

QUANTITATIVE ANALYSIS OF INFORMATION SECURITY RISKS

Entrepreneurs clearly need to know the following information about individual risks:

  • what assets are at risk
  • how much impact the risk can have - how much the consequences would cost if not addressed
  • how much would it cost to reduce or eliminate it
  • residual risk after the introduction of measures

Of course, they need everything in money, because that is the only way they can calculate what measures they should invest in, how much their business is at risk, or even what the return on measures is.

The output of the quantitative analysis is: If there is a one-day production outage due to an attack / accident, we have an estimated cost of EUR 50,000. Such an outage occurs in about 1 in 5 years. The annualized loss (= risk) is thus based on EUR 10,000. 

The company's management can already work with this information. It is up to them to decide whether this is acceptable or not and whether / how much to invest in addressing this risk.

RISK MODELING

With a clear conscience, I can recommend the international OpenFAIR methodology, which is proven by long-term practice, and I have not come across anything better yet. I used it myself for companies and institutions from a few tens to thousands of employees.

Let's illustrate the simplified use of quantitative analysis with an example where a security manager comes to the company's management with a project to increase the protection of asset A. The management has to decide whether to invest money in the project:

  • for asset A, we identified the risk R, which is estimated to EUR 10 000 000 based on quantitative analysis 
  • we assessed the risk as too high, so it makes sense to consider a risk reduction project
  • the project budget is estimated at EUR 100 000 
  • We enter the adjusted parameters into the risk R calculation model based on the project impact expectations. It turns out that the expected residual risk after the project is done is EUR 200 000
  • If we compare the costs (100 000) with the savings (800 000), we get a return of 8: 1, which obviously pays off and such a project makes sense to implement.

Graphically, this analysis looks like this:

CONCLUSION

Always do a quantitative risk analysis. It will give you better added value in addressing information security risks. Not only will you have all the key risks identified, but you will also know how much to invest in eliminating them or how much you need to have in company reserves to survive a hacker attack. Quantitative risk analysis is more suitable for an effective long-term security management. You will definitely need it when implementing an information security management system according to ISO 27001.

The results must be expressed in money or other units that can be easily converted into money. Definitely don't invent your own models and don't settle for any model whose outputs you don’t understand. You need to be sure that you will be able to use the output of the analysis yourself.