Quantitative Risk Assessment 101

Quantitative RiskCybersecurity Fundamentals
Written By Corey Neskey

Category

Quantitative Risk, Cybersecurity Fundamentals

Risk Level

 

“Where do I start?”

Getting started with quantitative risk assessment is easier than you might think. 

If you’re calling the shots at your organization, drop ordinal scoring (i.e. using 1, 2, 3 or low, moderate, high) entirely and replace it with dollar amount ranges for impacts and frequency ranges for probabilities. For example:

Quantitative risk assessment example

If you’re not calling the shots at your organization, and you can’t convince your stakeholders to go quantitative, ask them if you can run a pilot quantitative risk assessment alongside your next assessment target.

  • Collect ordinal scores from your estimators like you normally do, but also ask them to provide range estimates.

  • Add a new column, or columns, next to your risk scores to collect the range estimates, like this:

Quantitative risk assessment example with ordinal scoring alongside

“Ok got it, but how can I try it out?”

This is the process at a high level, and you can start doing this today! Try out this starter quantitative risk assessment spreadsheet we developed.

If you need some help with quantitative risk assessments, or convincing your decision makers that this is a better way forward, don’t hesitate to contact us. Hive Systems helps organizations from big to small:

  • Leverage existing resources to go quantitative;

  • Shift organization practices to quantitative;

  • Make the case for quantitative to stakeholders; and

  • Focus on your your strengths while building your foundation for the future.

 

Follow us. Stay ahead.

Read more of the ACT

Featured
Ready, Set, Respond! Planning an Effective Incident Response Strategy.
Ready, Set, Respond! Planning an Effective Incident Response Strategy.

Dwight D. Eisenhower, the 34th U.S. president, once said, 'Plans are nothing; planning is everything.' In this post we’ll dive into the fundamentals of incident response planning, and take it a step further to show how planning for an incident goes beyond just documentation.

Getting Ahead of CMMC with Joint Surveillance Voluntary Assessments
Getting Ahead of CMMC with Joint Surveillance Voluntary Assessments

A JSVA could be the answer your company has been looking for to get ahead of CMMC. Katie, a CCA on our team, helps outline everything you need to know about getting CMMC Level 2 certified - giving your company the advantage before CMMC even starts!

RED ALERT: CMMC Begins December 16th
RED ALERT: CMMC Begins December 16th

The long-awaited CMMC rule has finally been officially published and is accompanied by some beneficial changes from the original draft. We break them down for you so you and your organization can begin to prepare for the imminent enforcement.

Corey Neskey https://www.hivesystems.com/corey-neskey
Previous

Happy Safer Internet Day 2022!
Next

Practical Practices for Data Privacy Week