Summary

  • Quantitative risk assessment translates cybersecurity risk into financial terms.
  • You can use the output of a quantitative risk assessment to decide on your risk response: avoiding the risk, accepting the risk, transferring the risk or mitigating the risk.
  • A risk appetite framework allows you to handle nuanced or ambiguous cases where the appropriate risk response is unclear.
  • Collectively, these processes help organizations strike a balance between security imperatives and business objectives.

Quantitative risk assessment offers an objective approach to risk analysis – but understanding the risk is only the first step. This article will break down how to interpret the results and translate those insights into meaningful decisions in a real-world environment.

(While this article doesn’t cover how to perform a quantitative risk analysis, you can go through the process in depth in our Guide to Data-Driven Risk Assessment.)

Understanding risk quantification

First things first – what is quantitative risk assessment, anyway?

What is risk quantification?

Quantitative risk assessment (sometimes abbreviated as QRA) assigns a dollar value to a cybersecurity risk based on its potential impact and likelihood. It asks the question: If this asset is exposed through this vulnerability, what will it cost us? In contrast to qualitative methods, which sort risks into categories of severity, a quantitative approach provides a more objective picture.

Why does this matter? Qualitative cybersecurity risk assessments leave much more room for interpretation. Translating risk into the language of the business – i.e. dollars and cents – removes much of this ambiguity and helps non-security leaders understand what a “high” risk really means in context.

How does risk quantification fit into the larger cybersecurity strategy?

Quantifying risk is an essential tool for managing exposure, but it’s not the end goal. Instead, it forms the foundation for making risk mitigation decisions.

For example, when you're able to present risk exposure as, say, "$1.5 million in potential damages due to a vendor using unencrypted cloud communication," it becomes easier to weigh your options for responding to that risk, which we’ll explore in more detail later in this article.

Interpreting quantitative risk analysis: key elements

There are a few key elements of a quantitative risk analysis that are important to understand in order to interpret the results.

  • Asset value (AV): What the asset being protected is worth to your organization.
  • Exposure factor (EF): The percentage of the asset value that may be lost or compromised if the risk materializes.
  • Annualized rate of occurrence (ARO): How frequently you expect that risk to materialize annually. (This may be less than 1 for risks that materialize less than once a year.)

These three figures allow you to calculate:

  • Single loss expectancy (SLE): The financial value that would be lost in a single threat event if the risk materializes. You calculate this value using the formula AV x EF.
  • Annual loss expectancy (ALE): The financial value that would be lost annually if the risk materializes. You calculate this value using the formula SLE x ARO.
  • Residual ALE: The financial value that would be lost annually if the risk materializes after applying mitigations. Mitigations reduce EF, ARO or both, but the calculations otherwise remain the same.

ALE is the main output of the risk analysis, and it’s the most important figure that you’ll use to weigh your risk response options. But it’s not a perfect number, which is why there’s one more key element: uncertainty.

AV, EF and ARO are all estimates. Ideally, they’re very close estimates, based on careful research, but still estimates. The level of confidence you should have in those estimates is usually represented by a confidence level (e.g. 80%), followed by a list of unknowns.

Where the rubber meets the road: risk response

So far, we’ve covered how to interpret a quantitative risk assessment. But the ultimate purpose of risk analysis is to decide what to do about that risk.

All risk responses broadly fall into one of four categories: avoid, accept, transfer or mitigate.

Avoid

Avoiding the risk means eliminating the exposure entirely. It’s the only risk response that actually reduces the risk to zero. In practical terms, this means shutting down a risk-bearing process or system.

Avoidance is basically a nuclear option, and it’s rarely feasible. For example, you can reduce the risk of phishing to zero by shutting down all external email exchange. If you’re working with matters of national security, this might actually be worth it. For the rest of us, this would bring business operations to a screeching halt.

Your risk analysis might support this response in two situations: if the ALE is so extreme that no mitigation strategy can reduce it to an acceptable level, or if there is a 1:1 alternative to the risk-bearing process or system that would reduce the EF or ARO to zero.

Accept

Accepting the risk means choosing to do nothing. While this might sound unreasonable at first blush, it’s an option that deserves serious consideration.

There’s one very straightforward scenario in which accepting the risk is your best option: when the cost of mitigation exceeds the residual ALE (i.e. the ALE after mitigation). In this situation, it costs more to protect your organization than it stands to lose.

But there are also more nuanced situations in which acceptance makes sense. These take into account the opportunity cost of mitigating a risk, whether that’s narrowly focused on the security team or an opportunity cost for the business as a whole.

No security team has unlimited resources. Acceptance is a reasonable (if uncomfortable) option if choosing to mitigate this risk means diverting resources away from addressing a more concerning exposure. Especially when the mitigation strategy is very manual and would demand many staff hours to implement, what are they not doing so they can devote their time to this effort?

There’s also a broader opportunity cost to consider, which is what opportunities the business would have to give up in order to mitigate or avoid the risk. In other words, acceptance might make sense when the business opportunity is greater than the ALE. This could be the case if, say, you opened a data center in a foreign country to provide cloud services to a new market. While it opens you up to new security risks, there’s a clear business benefit.

Transfer

Transferring risk means putting the burden onto another party, usually cybersecurity insurance. Broadly speaking, transferring risk to insurance is an option when insurance costs less than your ALE – but there are a few caveats.

First, insurance only covers the financial cost of a security incident. There are legal and reputational damages associated with security incidents as well. If your ALE factored in these damages and assigned them a dollar value (which, ideally, it did), then you’ll need to break down that number to look only at the immediate financial costs. Transferring the risk makes sense when the financial risk is high, but the legal and reputational risks are low.

Second, insurance will almost certainly require you to have some security controls in place, and it might also cease coverage for recurring incidents. This means you will need to add the cost of those controls to the cost of insurance, possibly changing your calculation. It also means that transferring risk to insurance can only be a temporary measure for a risk with a high ARO.

Mitigate

Mitigation is your most proactive response, in which you reduce your exposure by applying security controls, patching vulnerabilities, correcting misconfigurations, etc.

Mitigation won’t eliminate your exposure – the only way to do that is to avoid the risk altogether. Instead, mitigation lowers your risk by taking steps to reduce your EF, your ARO or both. You can then calculate a new ALE, known as your residual ALE.

In general, mitigation is a strong option when the difference between the original ALE and the residual ALE is greater than the cost of mitigation.
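The formulas from the key-elements section (SLE = AV x EF, ALE = SLE x ARO, residual ALE after mitigation) and the decision rules of thumb from the four response sections, carried through on one constructed risk. This is an added example, not code from the article; the figures, the `acceptable_ale` ceiling (standing in for a risk threshold) and the function names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """Inputs of a quantitative risk assessment (money in dollars)."""
    asset_value: float      # AV: what the asset is worth to the organization
    exposure_factor: float  # EF: fraction of AV lost if the risk materializes (0..1)
    aro: float              # annualized rate of occurrence; may be < 1


def sle(r: Risk) -> float:
    """Single loss expectancy: AV x EF."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual loss expectancy: SLE x ARO."""
    return sle(r) * r.aro


def mitigated(r: Risk, ef_after: Optional[float] = None,
              aro_after: Optional[float] = None) -> Risk:
    """Mitigation lowers EF, ARO or both; the ALE formula itself is unchanged."""
    return replace(r,
                   exposure_factor=r.exposure_factor if ef_after is None else ef_after,
                   aro=r.aro if aro_after is None else aro_after)


def evaluate_responses(r: Risk, after: Risk, mitigation_cost: float,
                       insurance_cost: float, acceptable_ale: float) -> dict:
    """Apply the article's rules of thumb and report which responses they support.
    acceptable_ale is an assumed risk-threshold ceiling; insurance_cost should be
    compared against the purely financial part of the ALE (see the Transfer caveats)."""
    base, resid = ale(r), ale(after)
    return {
        "ale": base,
        "residual_ale": resid,
        "mitigate": base - resid > mitigation_cost,   # savings exceed cost of controls
        "accept": mitigation_cost > resid,            # controls cost more than residual loss
        "transfer": insurance_cost < base,            # insurance cheaper than expected loss
        "avoid": resid > acceptable_ale,              # no mitigation gets it under the ceiling
    }


def example() -> dict:
    """Constructed scenario: a $1M asset, 30% exposure, expected once every two years."""
    risk = Risk(asset_value=1_000_000, exposure_factor=0.30, aro=0.5)
    after = mitigated(risk, ef_after=0.10, aro_after=0.25)  # assumed effect of controls
    return evaluate_responses(risk, after, mitigation_cost=20_000,
                              insurance_cost=100_000, acceptable_ale=50_000)
```

Here the ALE is $150,000 and the residual ALE $25,000, so with $20,000 of controls the numbers support mitigation (and transfer as a cheaper-than-ALE option) but not acceptance or avoidance.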

Incorporating risk appetite (or how to handle edge cases)

Not every risk assessment will offer you a clear-cut choice of response. There will always be cases where the margins between two options are slim or the uncertainty level is high. Incorporating risk appetite will help you make sense of those edge cases. Risk appetite is not usually part of a risk analysis, but it’s a useful frame through which to interpret that analysis.

(If your organization doesn’t already have its risk appetite documented, you can use this editable risk appetite statement template as a starting point.)

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. A high risk appetite means being open to accepting greater risks for possibly higher rewards, while a low risk appetite means you prefer reducing risk as much as possible. Risk appetite exists on multiple dimensions: you may have a high appetite for operational risk but a low appetite for compliance risk.

Within each of these dimensions (security risk, compliance risk, innovation risk, etc.), there are several key factors to consider:

  • Risk capacity is the maximum amount of risk that an organization can bear, typically decided by financial resources, operational capabilities and regulatory restraints.
  • Risk tolerance is the acceptable deviation from the organization’s target level of risk.
  • Risk thresholds are “red lines” that indicate the need for a change of strategy.

The threshold between tolerance and capacity, or even between degrees of tolerance, can help you sort through the gray areas, where it is unclear which is the appropriate risk response.

Turning insights into action

Understanding a quantitative risk assessment is only the first step – the real value comes from using those insights to take action. Whether it’s risk avoidance, acceptance, transfer or mitigation, the goal is the same: to balance security risks against business priorities so you can take decisive action.

FAQ

What is quantitative risk assessment? Quantitative risk assessment, sometimes abbreviated QRA, is a formal process for assigning a financial value to a cybersecurity risk, based on its potential impact and the likelihood of occurrence.

What is annual loss expectancy? Annual loss expectancy is the main output of a quantitative risk assessment. It’s the financial value that would be lost annually if this risk materializes. It is calculated using the formula Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO), where single loss expectancy is Asset Value (AV) x Exposure Factor (EF).

What is risk appetite? Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. It influences risk response decisions by providing a framework for evaluating tradeoffs between security risks and business priorities.