Qualitative vs. Quantitative Risk Assessment
U.S. Industries, Inc. has just won a contract with the U.S. Government to expand an existing network. U.S. Industries has never traded with the U.S. Government at this level before, so we must gain an understanding of the qualitative and quantitative risks surrounding this project. We must also look at Operations, Audit, Compliance, Budgeting and the many other facets of the business so that we can map out all of the components used to assign a proper risk rating to this project.
Quantitative risk assessment begins when we have the ability to apply a dollar amount to a specific risk. If the project was to be finished a month early ...
The quantitative value on this project is $30 million: given that there may be up to one million records stored in the database, 1,000,000 records x $30 per record = $30 million. This brings us back to our qualitative risk rating.
Reputation risk is the impact on earnings and on investor or consumer confidence as a result of negative publicity about the business. In our situation, the most likely cause is an unauthorized disclosure of customer data due to a system or network compromise. The negative impact of such an event could easily surpass the monetary loss associated with our quantitative risk assessment.
At this point we have introduced a myriad of elements into our risk assessment. Given the simplicity of our outsider threat vector through SQL Injection, the fact that this form of attack is often not detected by system logs or Intrusion Detection tools, the reputation risk associated with going public with 500K compromised records, and the probability that this attack vector will be repeated once discovered, we can easily assign a qualitative risk level of "High." We now have a quantitative risk assessment value of $15 million and a qualitative risk level of "High."
We calculate the Single Loss Expectancy (SLE) by taking the value of the asset, which is a single record at $30, and the Exposure Factor, which is 1,000,000 records, and multiplying the Asset Value by the Exposure Factor, which brings us back to our value of $30 million. From there we...
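The SLE arithmetic above and the qualitative "High" rating from the earlier paragraph, as an added Python example that is not part of the essay. It treats the Exposure Factor the way the standard SLE = Asset Value x Exposure Factor formula does, as the fraction of the record set lost in one incident, so the same function produces the $30 million full-exposure figure and the $15 million figure for 500K of the 1,000,000 records. The Annualized Loss Expectancy step, the ARO value, and the four-factor rating rubric are assumptions added here for illustration, not figures from the essay.

```python
"""Worked quantitative and qualitative risk calculation (added illustration)."""

from dataclasses import dataclass


def single_loss_expectancy(value_per_record: float, total_records: int,
                           exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor.

    Asset Value is the whole data set (records x value per record).
    Exposure Factor is the fraction of that asset lost in one incident,
    expressed as 0.0 to 1.0 rather than as a record count.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    asset_value = value_per_record * total_records
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x Annualized Rate of Occurrence.

    Assumed next step after SLE; the essay gives no ARO, so callers
    supply their own estimate of incidents per year.
    """
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class ThreatProfile:
    """Aggravating factors the essay lists for the SQL Injection scenario."""
    easy_to_exploit: bool      # simple outsider attack vector
    evades_detection: bool     # rarely seen in logs or IDS alerts
    reputation_impact: bool    # public disclosure of customer records
    repeatable: bool           # likely to be repeated once discovered


def qualitative_rating(profile: ThreatProfile) -> str:
    """Assumed rubric (not from the essay): count aggravating factors.

    Three or four factors -> High, two -> Medium, fewer -> Low.
    """
    score = sum([profile.easy_to_exploit, profile.evades_detection,
                 profile.reputation_impact, profile.repeatable])
    if score >= 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


def assess(value_per_record: float, total_records: int, records_exposed: int,
           aro: float, profile: ThreatProfile) -> dict:
    """Combine the quantitative figures and the qualitative rating in one view."""
    exposure_factor = records_exposed / total_records
    sle = single_loss_expectancy(value_per_record, total_records, exposure_factor)
    return {
        "exposure_factor": exposure_factor,
        "sle": sle,
        "ale": annualized_loss_expectancy(sle, aro),
        "qualitative": qualitative_rating(profile),
    }


if __name__ == "__main__":
    sqli = ThreatProfile(easy_to_exploit=True, evades_detection=True,
                         reputation_impact=True, repeatable=True)
    # Constructed inputs: $30 per record, 1,000,000 records, 500K exposed,
    # and an assumed ARO of one incident every two years.
    print(assess(30, 1_000_000, 500_000, 0.5, sqli))
```

Running the block prints the $15 million SLE for the 500K-record breach alongside the "High" rating; passing `records_exposed=1_000_000` reproduces the $30 million full-exposure value.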