60-minute exercise for key vendor and provider stakeholders helps reveal ROI
We receive many questions about risk analysis, how to demonstrate ROI for security solutions and show a solution is effective at reducing risk (an event that could result in financial loss or adverse business impact). This new Yankee Group model debunks the myth that risk analysis is a long process that requires an asset inventory, asset valuation and detailed vulnerability assessments. Qualitative risk analysis is the simplest method available for demonstrating ROI or reduction of risk (ROR).
The model, an exercise for key stakeholders, takes about an hour to complete. It is useful to vendors and providers looking to show product or service ROI, and is valuable to executives seeking a better understanding of their security risks and controls.
The Five-Step Qualitative Risk Analysis Model
Step 1: Define the scope and identify risks
Define the asset(s) you are protecting (such as your computer, application or network). Identify the risks to that asset in the areas of confidentiality, integrity, availability and accountability (these terms are defined below in bold). Prioritize each risk using a scale that makes sense to you, using designations such as high, medium and low. If you know the potential financial loss associated with that risk, you can assign a dollar amount.
Answer this question: "How critical is this risk?" rather than "Given the controls in place, how critical is this risk?"
Example 1: A small consulting company assesses the risk to their network:
Step 2: Identify controls
List the controls that you have used to mitigate the risks identified in Step 1.
A control is any action you have taken to prevent risks. This includes policies, procedures and technical controls. These are the controls for our small network example:
This network has three primary controls for ensuring integrity and availability (firewalls, anti-virus and network access control), and three primary controls for maintaining confidentiality and accountability (encryption, application access control and policy).
Step 3: Identify vulnerabilities
List the vulnerabilities of the current controls. A vulnerability is anything that reduces the effectiveness of a control or otherwise increases the likelihood of the risks occurring. Vulnerability can result from controls that are not configured correctly, controls that cannot be verified as effective, and missing controls.
In our example, these vulnerabilities underscore real-world problems with controls, such as:
The vulnerabilities we identified for this network are associated with the controls we use primarily for ensuring the integrity and availability of our network. We also identified these as our greatest risks in Step 1.
Step 4: Adjust controls
Identify risk-mitigation steps or opportunities for further risk reduction. In our example, we propose the following risk-mitigation steps to complement existing controls and further reduce our greatest risks:
Step 5: Estimate ROR
A basic ROR calculation for vulnerability intelligence services uses the potential loss amounts from Step 1 and estimated values for control effectiveness.
The estimates for control effectiveness don't actually affect the ROR result. ROR is a function of potential loss and the change in control effectiveness. If the proposed controls are 20 percent more effective at addressing risks, the reduction of risk is 20 percent of the potential loss amount (see Exhibit 2).
We estimate that adding a new control, vulnerability intelligence, will increase the effectiveness of our integrity and availability controls by 20 percent. This translates to a 20 percent reduction in downtime, a 20 percent decrease in virus infections, or a 20 percent reduction in time spent patching or fighting virus infection. These metrics can be used to validate this calculation and verify that we have reduced risk.
We estimate that adding the vulnerability assessment service will increase the effectiveness of our confidentiality, integrity and availability controls by 10 percent. This translates to a 10 percent reduction in the number or severity of reported vulnerabilities or a 10 percent reduction in downtime.
Conclusions
Qualitative methods are the simplest form of risk analysis. Their advantage is how quickly and easily they provide a result. Qualitative risk analysis accepts the subjectivity of risk analysis, and doesn't require precise asset values.
In our example, we identified opportunities for risk reduction and achieved an understanding of our current state. We can continue to refine the estimates for potential loss, taking into account the probability that a particular risk will occur and the actual costs associated with it. A qualitative approach is valuable because it provides an intuitive sense of the risks and directly correlates risks with mitigating controls. This method of ROR calculation is unique because it pinpoints the security metrics we can later use to verify our decision.
Vendor Recommendations
Enterprise Recommendations
Weitere Informationen erhalten Sie bei der Yankee Group . Bitte wenden Sie sich dafür an reportinfo@yankeegroup.de .