
Proceedings of the World Congress on Engineering and Computer Science 2008

WCECS 2008, October 22 - 24, 2008, San Francisco, USA

IT Risk Assessment:
Quantitative and Qualitative Approach
Artur Rot

Abstract— IT risk management currently plays a more and more important role in almost all aspects of contemporary organizations' functionality. It requires reliable and cyclical realization of its key task, which is risk analysis. The literature of the subject presents the problems of risk analysis in different ways, most often skipping or treating selectively the problem of applying quantitative methods for the purpose of risk analysis. The article presents one of the most significant stages of risk analysis, which is IT risk assessment, focusing especially on chosen quantitative methods such as the ALE (Annual Loss Expected) method, Courtney's method, Fisher's method, the survey-based ISRAM model (Information Security Risk Analysis Method) and other derived ratios. Chosen qualitative methods are also presented shortly: FMEA (Failure Mode and Effects Analysis) and FMECA (Failure Mode and Effects Criticality Analysis), the NIST SP 800-30 method and the CRAMM methodology.

Index Terms— IT risk, IT security risk analysis methods, qualitative risk assessment methods, quantitative risk assessment methods.

I. INTRODUCTION

The risk connected with the wide application of information technologies in business grows together with the increase of an organization's interdependence with its customers, business partners and outsourced operations. Technological progress generates dependencies which cause growth in the diversity, complexity, non-descriptiveness and number of risk factors. With insufficient investment in information security, the issue of IT risk assessment becomes more significant, concentrating on the search for an optimal proportion between threats and the costs of IT system protections. With such dynamic development of information technologies, the time needed for an appropriate reaction to risk is decidedly shortened. Lack of appropriate preparation may lead a company to collapse; thus an appropriate reaction to risk decides the possibilities of survival and development of the enterprise. The problem of IT risk management is a very complex issue. One of the most important stages of this process is risk analysis, used for optimization and, more precisely, for the minimization of losses connected with risk. One of its key elements is the evaluation stage, or risk assessment. The literature of the subject very often skips the issue of quantitative methods of risk assessment, concentrating only on a few chosen qualitative methods. Also in the literature concerning the security of IT systems this problem is totally skipped or given no great meaning. This is caused by the huge difficulty of conducting this process and of selecting appropriate methods and measures. That is why publications in this scope most often present simple qualitative methods, where assessment of the information technology risk value is connected only with qualitative description and with the definition of quality scales for frequencies of threat occurrence or the description of so called threat scenarios [12].

The aim of this article is to present chosen methods of information technology risk assessment. Chosen quantitative and some qualitative methods of IT risk assessment will be discussed.

II. NOTION OF RISK

Theoreticians and practitioners do not give one universal definition; thus many of them exist in the literature. According to ISACA, risk is the possibility of occurrence of an event which will have an undesirable effect on a given organization and its information systems [6]. The science of risk is developed in most scientific disciplines and applied in all technologies. It should be remembered that in different scientific disciplines risk is perceived differently. Also in different forms of business activity we will have individual forms of risk: other types of risk will occur in a production enterprise and other ones, for example, in the financial sector.

In the context of IT systems security, the risk of IT systems is the overall measure of the probability and seriousness of a situation in which a given threat uses a specific weakness, causing loss or damage of system assets and therefore indirect or direct loss for the organization.

IT risk is the threat that information technology applied in a given organization (independently of its type and scale of business activity) [5]:
− Does not fulfill business requirements,
− Does not ensure appropriate integrity, security and availability,
− Was not appropriately implemented and does not work according to assumptions.

III. IT RISK ANALYSIS

Analysis of IT risk is undoubtedly a key element of the process of information systems security management and therefore of risk management. Publications connected with these problems – both domestic and international – seem to treat it in an arbitrary way. It manifests in a multitude of

Manuscript received July 22, 2008.
Dr Artur Rot is with the Department of Management Information Systems Engineering, Business Informatics Institute, Wroclaw University of Economics, Wroclaw, Poland (e-mail: [email protected]).

ISBN: 978-988-98671-0-2 WCECS 2008



definitions of risk analysis, and also in the fact that risk analysis is often identified with its management [12]. Risk analysis is the main and most important process of risk management; it identifies and evaluates the risk which has to be controlled, minimized or accepted.

Risk analysis is the comprehensive identification of threats to and susceptibility of IT system assets and the determination of the need for their control or the acceptance of determined measures at a previously stated level. The aim of risk analysis is the provision of information which is indispensable for decisions on the application of specified methods and security resources in the enterprise. A general model of risk analysis is presented in figure 1.

Fig. 1 Risk analysis model
Source: [11, p. 232]

Risk analysis inclines to carry out works in the following areas [4, p. 283-284]:
− Resource evaluation (information, software, hardware and physical resources) – the value of a resource is not only the value of its purchase but also the short term effects and long term consequences of its destruction,
− Assessment of consequences – definition of the degree of destruction or losses which can supposedly occur,
− Identification of threats – analysis of threats should determine the probability of their occurrence and the possibility of resource destruction,
− Analysis of protections in the aspect of the effectiveness of existing means of protection,
− Analysis of the susceptibility of particular IS resources,
− Assessment of probability, i.e. the frequency of threat occurrence – this mark should embrace the presence, duration and strength of the threat, and the effectiveness of protections as well.

Information of this type will always have an approximate character; however, accurate execution of risk analysis, based e.g. on the experiences of other enterprises, may be very helpful in the realization of the subsequent processes of security management in the organization. However, the very important problem of the estimation and evaluation of information technology risk remains.

IV. IT RISK ASSESSMENT AS AN ELEMENT OF RISK ANALYSIS

Quantitative and qualitative methods are the two fundamental groups of methods applied for the analysis of the risk to which assets are exposed in organizations. The most important advantages and disadvantages of IT risk assessment methods are presented in table I. Groups of IT risk analysis methods [10]:
− Quantitative, where the estimation of the risk value is connected with the application of numerical measures – the value of resources is defined in amounts, the frequency of threat occurrence in the number of cases, and susceptibility by the value of the probability of loss; those methods present results in the shape of indicators. Examples of quantitative methods: Annual Loss Expected, Courtney's and Fisher's methods, the ISRAM model, etc.
− Qualitative, which do not operate on numerical data, presenting results only in the form of descriptions and recommendations, where risk assessment is connected with:
  − a qualitative description of assets' value and the determination of qualitative scales for the frequency of threat occurrence and susceptibility to a given threat, or
  − a description of so called threat scenarios by prediction of the main risk factors.
Examples of qualitative methods: FMEA/FMECA, the Microsoft Corporate Security Group Risk Management Framework, NIST SP 800-30, CRAMM.

TABLE I.
THE MOST IMPORTANT ADVANTAGES AND DISADVANTAGES OF QUANTITATIVE AND QUALITATIVE METHODS OF IT RISK ANALYSIS

Quantitative methods – chosen advantages:
− They allow for the definition of the consequences of incident occurrence in a quantitative way, which facilitates the realization of cost and benefit analysis during the selection of protections.
− They give a more accurate image of risk.

Quantitative methods – chosen disadvantages:
− Quantitative measures depend on the scope and accuracy of the defined measurement scale.
− Results of analysis may be imprecise and even confusing.
− Normal methods must be enriched with qualitative description (in the form of comment, interpretation).
− Analysis conducted with the application of those methods is generally more expensive, demanding greater experience and advanced tools.

Qualitative methods – chosen advantages:
− They allow for ordering risks according to priority.
− They allow for the determination of areas of greater risk in a short time and without bigger expenditures.
− Analysis is relatively easy and cheap.

Qualitative methods – chosen disadvantages:
− They do not allow for the determination of probabilities and results using numerical measures.
− Cost-benefit analysis is more difficult during the selection of protections.
− Achieved results have a general, approximate character.

Source: [1, p. 107]

Depending on the seriousness of a given threat, different risk measures can be applied, from very simple assessments determining the risk as high, medium or low


to very precise indicators presented as the probability of a given event occurrence [11, p. 230]. In the case of the evaluation of information security risk in an information system, a qualitative analysis of risk is normally conducted. This method is most often based on information security criteria such as confidentiality, integrity and accessibility. Full analysis of risk may be carried out separately for each of the mentioned criteria. For the purpose of analysis a value scale of information is fixed (low, medium, high). Finally the value of risk may be defined as e.g. very low, low, medium, high and very high.

Correct assessment of risk and evaluation of the probability of its occurrence gives a clear image of its impact on the functionality of the whole information system.

V. QUANTITATIVE METHODS OF IT RISK ANALYSIS

Using quantitative methods, the analyst stands before the problem of appropriate assessment of the values indispensable for calculation. The value of risk can be presented with the use of any type of scale or directly in financial terms as the predicted amount of losses connected with a given type of risk in an assumed period [10].

Only occasionally does the team conducting the process of IT risk assessment have reliable data allowing for the realization of such a task accurately and without any mistakes or problems. Moreover, for some assets in an organization, losses presented in amounts are difficult to make precise. This concerns e.g. the loss of confidential information. In order to set the value, the meaning of the information for the proper realization of different business processes should be defined, together with their importance for the functioning of the organizational unit and, as a consequence, the whole enterprise [10], [2]. The basic correlation applied for IT risk assessment is presented as follows [10]:

$R = P \times W$ and $P = F \times V$ (1)

where:
R – risk value,
P – probability or predicted number of incident occurrences causing loss of asset value in a defined period,
W – value of loss – predicted medium loss of asset value as a result of a single incident occurrence,
F – frequency of threat occurrence,
V – susceptibility of the information system (or its element) to a threat; it is the measure of the probability of usage of a specified susceptibility by a given threat.

It results from the fact that the assessment of IT risk is most often represented as the value of expected losses, which is based on the definition of three basic quantities [10]:
− Resource value (e.g. information) for the correct functioning of the enterprise, defined in amounts,
− Frequency of threat occurrence for a resource (e.g. processed information), defined as the number of occurrences – in practice, for the definition of the frequency of threats, a period is set in which their occurrence will be considered (most often a period of one year),
− Susceptibility of the IT system (or its element) to a threat, defined as the probability measure of loss occurrence as a result of event occurrence.

The most common and most frequently used quantitative method of risk assessment is the ALE model (Annual Loss Expected), based on the idea of expected loss, which is the product of the probability of occurrence of events which have a negative impact on IT and the value of the losses caused by them. It is presented in the form of the following models [12]:

$ALE = (\text{Probability of event}) \times (\text{value of loss})$ (2)

$ALE = \sum_{i=1}^{n} I(O_i)\, F_i$ (3)

where:
{O1, O2, …, On} – set of negative effects of an event;
I(Oi) – value of the loss resulting from the event,
Fi – frequency of the i-th event.

The annual predicted loss for the organization will be determined by the sum of all predicted annual losses. There exist many other models of IT risk evaluation and assessment based on the above method. They are adapted to concrete needs and situations existing in a given organization. Among such methods it is worth considering Courtney's method, elaborated by Robert Courtney, based similarly to the ALE method on the assessment of potential loss as the product of the loss value connected with the occurrence of a threat and an indicator determining the probability of its occurrence. The concept of risk assessment according to Courtney is based on the following formula [5]:

$R = P \times C$ (4)

where:
P – probability of occurrence, a given number of times in a year, of an event causing loss for the organization,
C – loss for a given organization which is the result of a single occurrence of an event causing loss.

$ALE = \dfrac{10^{\,f + i - 3}}{3}$ (5)

where:
f – index defining the assessed frequency of the event causing loss,
i – index defining the assessed level of loss caused by the occurrence of the event.

The presented Courtney's method distinguishes six general groups of threats: accidental data disclosure, accidental modification of data, accidental removal of data, deliberate disclosure of data, deliberate modification of data and deliberate removal of data. This method was accepted by national institutions in the United States of America as an official method of risk analysis [5].

In the elaboration [7] a few derivative factors concerning risk assessment were presented, based on the presented expected loss (ALE) method. The ways of determining their values are presented in table II.
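As an added example (not code from the paper), the following Python script implements formulas (1), (3) and (5) on a constructed asset register; the scenario names, loss figures, frequencies, susceptibilities and the 0..8 bounds placed on the Courtney indices f and i are assumptions of the example.

```python
"""Expected-loss calculations of section V, as an added example.

Formula (1): R = P x W with P = F x V; formula (3): ALE = sum_i I(O_i) F_i;
formula (5), Courtney: ALE = 10^(f + i - 3) / 3. The asset register at the
bottom is constructed sample data, not figures from the paper.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One negative effect O_i of a threat on an asset (constructed record)."""
    name: str
    loss_per_event: float   # W, the same as I(O_i): loss of one occurrence, in money
    frequency: float        # F: threat occurrences per year
    susceptibility: float   # V: probability that an occurrence actually causes the loss


def expected_loss(s: ThreatScenario) -> float:
    """Formula (1): R = P x W, where P = F x V."""
    if not 0.0 <= s.susceptibility <= 1.0:
        raise ValueError(f"susceptibility of {s.name!r} must be a probability")
    if s.frequency < 0 or s.loss_per_event < 0:
        raise ValueError(f"frequency and loss of {s.name!r} must be non-negative")
    p = s.frequency * s.susceptibility
    return p * s.loss_per_event


def annual_loss_expectancy(scenarios: list[ThreatScenario]) -> float:
    """Formula (3): ALE = sum over i of I(O_i) * F_i.

    F_i is taken as the effective yearly frequency of the loss, i.e. F x V,
    so every term equals the risk value R of formula (1) for that scenario.
    """
    return sum(expected_loss(s) for s in scenarios)


def courtney_ale(f: int, i: int) -> float:
    """Formula (5): ALE = 10^(f + i - 3) / 3.

    f is the frequency index and i the loss-magnitude index; one step of
    either index moves the estimate by an order of magnitude. Restricting
    both indices to 0..8 is an assumption of this example, not of the paper.
    """
    if not (0 <= f <= 8 and 0 <= i <= 8):
        raise ValueError("Courtney indices must be integers between 0 and 8")
    return 10 ** (f + i - 3) / 3


# Constructed register: three scenarios for a customer database.
SAMPLE_REGISTER = [
    ThreatScenario("accidental removal of records", 20_000.0, 2.0, 0.25),
    ThreatScenario("deliberate disclosure of data", 150_000.0, 0.5, 0.10),
    ThreatScenario("accidental modification of data", 5_000.0, 12.0, 0.50),
]


if __name__ == "__main__":
    for s in SAMPLE_REGISTER:
        print(f"{s.name:36s} R = {expected_loss(s):10.2f}")
    print(f"ALE for the register: {annual_loss_expectancy(SAMPLE_REGISTER):.2f}")
    print(f"Courtney estimate for f=5, i=4: {courtney_ale(5, 4):.2f}")
```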


Among them there is an indicator determining the profit from applied protections (S), presented extensively in the work [8]. The development of Courtney's method into a complete methodology for designing information systems security solutions is Fisher's method, elaborated in 1984. In order to apply it correctly the organization needs to possess an information security policy. This methodology distinguishes the following phases of the process of information systems risk management [5]:
− Phase 1 – collection of information (identification and classification of information systems resources, collecting information concerning the information systems resources which undergo further analysis);
− Phase 2 – identification of threats (the process of mapping threats (the previously mentioned 6 groups of threats from Courtney's method) onto 11 Fisher control points such as: acquirement, transmission, change of form, transport, reception, processing, migration, removal, data usage etc.);
− Phase 3 – risk evaluation (determination of the level of risk with the use of Courtney's method: R = P × C, where: P – probability of occurrence, a given number of times in a year, of an event causing loss for the organization; C – loss for a given organization which is the result of a single occurrence of an event causing loss);
− Phase 4 – design of control mechanisms (as its result, for every identified risk an appropriate mechanism of control should be selected: preventive, detective or corrective);
− Phase 5 – evaluation of the economic profitability of mechanisms (business evaluation of the identified mechanisms with the use of the previously mentioned ROI indicator – Return on Investment), expressed with the following formula:

$ROI = \dfrac{\text{Operational profit in a given period}}{\text{Value of invested capital}}$ (6)

The size of risk determined in this method for a particular control mechanism is interpreted as operational profit, and the assessed cost of the control mechanism is treated as the value of invested capital [5].

The next method presented in the article is the ISRAM model (Information Security Risk Analysis Method), based on the presented ALE (Annual Loss Expected) method, however using survey research as the main tool. Assessment of information technology risk is done by application of the following formula [3], [12]:

$$\mathrm{Risk} = \left( \frac{\sum_{m} T_1\!\left(\sum_{i} w_i p_i\right)}{m} \right) \left( \frac{\sum_{n} T_2\!\left(\sum_{j} w_j p_j\right)}{n} \right) \qquad (7)$$

where:
i – the number of survey questions concerning the assessment of the probability of occurrence of incidents;
j – the number of survey questions concerning the assessment of consequences;
m, n – the number of respondents of the surveys;
wi, wj – weights of questions "i" and "j";
pi, pj – values corresponding to the selected answers to questions "i" and "j";
T1 – table of probabilities of event occurrence;
T2 – table of negative results of event occurrence.

An example of a qualitative method enriched with quality elements is Parker's method, created for the needs of the Computer Security Institute in 1981, embracing five different fundamental stages:
− identification and evaluation of resources,
− identification of threats,
− risk assessment,
− identification, selection and implementation of protections,
− implementation of the protections system.
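The ISRAM computation of formula (7), as an added example that is neither the paper's code nor the ISRAM authors' published materials: the survey questions, their weights, the answer values, the equal-width banding used to build the conversion tables T1 and T2, and the respondents' answers are all constructed assumptions (ISRAM prescribes its own tables, which the paper does not reproduce).

```python
"""ISRAM survey-based risk, formula (7) of section V, as an added example.

Risk = ( sum_m T1(sum_i w_i p_i) / m ) x ( sum_n T2(sum_j w_j p_j) / n )

Survey 1 (probability of incidents, m respondents) and survey 2 (consequences,
n respondents) each give a weighted score per respondent; T1 and T2 map a
score to a level 1..5; the two mean levels are multiplied. Everything below
(questions, weights, answer values, banding, answers) is constructed.
"""
from __future__ import annotations

# Survey questions: (weight w, {answer text: value p}). Constructed.
PROBABILITY_SURVEY = [
    (3, {"never": 1, "yearly": 2, "monthly": 3, "weekly": 4}),
    (2, {"patched": 1, "partly patched": 2, "unpatched": 3, "unknown": 4}),
    (1, {"no": 1, "sometimes": 2, "often": 3, "always": 4}),
]
CONSEQUENCE_SURVEY = [
    (3, {"none": 1, "minor": 2, "major": 3, "severe": 4}),
    (2, {"hours": 1, "a day": 2, "a week": 3, "longer": 4}),
]


def weighted_score(survey, answers: list[str]) -> int:
    """sum_i w_i * p_i for one respondent's answers, given in question order."""
    if len(answers) != len(survey):
        raise ValueError("one answer per question is required")
    return sum(w * choices[a] for (w, choices), a in zip(survey, answers))


def score_bounds(survey) -> tuple[int, int]:
    """Lowest and highest weighted score the survey can produce."""
    lo = sum(w * min(c.values()) for w, c in survey)
    hi = sum(w * max(c.values()) for w, c in survey)
    return lo, hi


def conversion_table(survey, levels: int = 5):
    """Build T1 or T2: the attainable score range is split into equal bands,
    band k (1..levels) standing for probability/consequence level k.
    Equal-width bands are an assumption of this example."""
    lo, hi = score_bounds(survey)
    width = (hi - lo + 1) / levels

    def table(score: int) -> int:
        if not lo <= score <= hi:
            raise ValueError(f"score {score} outside {lo}..{hi}")
        return min(levels, int((score - lo) // width) + 1)

    return table


T1 = conversion_table(PROBABILITY_SURVEY)
T2 = conversion_table(CONSEQUENCE_SURVEY)


def mean_level(survey, table, respondents: list[list[str]]) -> float:
    """sum over respondents of T(score), divided by the number of respondents."""
    if not respondents:
        raise ValueError("a survey needs at least one respondent")
    return sum(table(weighted_score(survey, r)) for r in respondents) / len(respondents)


def isram_risk(prob_answers: list[list[str]], cons_answers: list[list[str]]) -> float:
    """Formula (7): product of the two mean levels, here on a 1..25 scale."""
    return (mean_level(PROBABILITY_SURVEY, T1, prob_answers)
            * mean_level(CONSEQUENCE_SURVEY, T2, cons_answers))


# Constructed answers: m = 3 respondents to survey 1, n = 2 to survey 2.
PROB_ANSWERS = [
    ["monthly", "partly patched", "often"],
    ["weekly", "unpatched", "always"],
    ["yearly", "patched", "sometimes"],
]
CONS_ANSWERS = [
    ["major", "a week"],
    ["severe", "longer"],
]

if __name__ == "__main__":
    print(f"ISRAM risk = {isram_risk(PROB_ANSWERS, CONS_ANSWERS):.2f}")
```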

TABLE II.
EXPECTED LOSS AND CHOSEN DERIVATIVE INDICATORS

No. | Factor | Symbol | Way of value determination
1 | Annual Loss Expected | ALE | $ALE = \sum_{i=1}^{n} I(O_i)\, F_i$
2 | Savings – reduction in ALE | S | $S = ALE(\text{baseline}) - ALE(\text{with new protections})$
3 | Benefits | B | $B = S + \text{Profit from new ventures}$
4 | Return on Investment | ROI | $ROI = \dfrac{B}{C}$, where C – costs of protections
5 | Return on Security Investment | ROSI | $ROSI = \dfrac{(RiskExposure \times \%RiskMitigated) - SolutionCosts}{SolutionCosts}$
6 | Internal Rate of Return | IRR | $C_0 = \sum_{t=1}^{n} \dfrac{VA_t - C_t}{(1 + IRR)^t}$, where C0 – initial cost of investment, Ct – cost of investment in year t

Source: own elaboration on the basis of [7], [12]
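The indicators of table II computed in Python, as an added example that is not the paper's code: the ALE, cost and yearly cash-flow figures are constructed, and VA_t, which the table leaves undefined, is read here as the value the investment brings in year t (an assumption of the example).

```python
"""Derived indicators of table II (S, B, ROI, ROSI, IRR), as an added example.

All figures used at the bottom are constructed; the ALE values would come
from the expected-loss calculation of formula (3).
"""
from __future__ import annotations


def savings(ale_baseline: float, ale_with_protections: float) -> float:
    """Row 2: S = ALE(baseline) - ALE(with new protections)."""
    return ale_baseline - ale_with_protections


def benefits(s: float, profit_from_new_ventures: float = 0.0) -> float:
    """Row 3: B = S + profit from new ventures the protections make possible."""
    return s + profit_from_new_ventures


def roi(b: float, c: float) -> float:
    """Row 4: ROI = B / C, with C the cost of the protections."""
    if c <= 0:
        raise ValueError("cost of protections must be positive")
    return b / c


def rosi(risk_exposure: float, risk_mitigated: float, solution_costs: float) -> float:
    """Row 5: ROSI = (RiskExposure x %RiskMitigated - SolutionCosts) / SolutionCosts.
    risk_mitigated is the mitigated share as a fraction in 0..1."""
    if not 0.0 <= risk_mitigated <= 1.0:
        raise ValueError("mitigated share must be a fraction between 0 and 1")
    if solution_costs <= 0:
        raise ValueError("solution costs must be positive")
    return (risk_exposure * risk_mitigated - solution_costs) / solution_costs


def npv_gap(c0: float, va: list[float], ct: list[float], rate: float) -> float:
    """sum_t (VA_t - C_t) / (1 + rate)^t minus C0; it is zero at the IRR (row 6).
    VA_t is read as the value the investment brings in year t (assumption:
    the table does not define it); C_t is the cost of investment in year t."""
    flows = enumerate(zip(va, ct), start=1)
    return sum((v - c) / (1 + rate) ** t for t, (v, c) in flows) - c0


def irr(c0: float, va: list[float], ct: list[float],
        lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Row 6: solve C0 = sum_t (VA_t - C_t) / (1 + IRR)^t for IRR by bisection.
    With positive net yearly flows the gap decreases in the rate, so a sign
    change between lo and hi brackets a single root."""
    if len(va) != len(ct):
        raise ValueError("one value and one cost entry per year are required")
    f_lo, f_hi = npv_gap(c0, va, ct, lo), npv_gap(c0, va, ct, hi)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR inside the search interval")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = npv_gap(c0, va, ct, mid)
        if f_mid * f_lo > 0:
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    s = savings(47_500.0, 12_500.0)          # constructed ALE before/after a control
    b = benefits(s)
    print(f"S = {s:.0f}, B = {b:.0f}, ROI = {roi(b, 20_000.0):.2f}")
    print(f"ROSI = {rosi(47_500.0, 0.7, 20_000.0):.4f}")
    print(f"IRR  = {irr(20_000.0, [35_000.0] * 3, [5_000.0] * 3):.4f}")
```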


In risk assessment Courtney's method is used, rebuilt with the Exposure Analysis Matrix. The basis of this method is the assumption that the significance of threats is a function of the number of people who may cause a loss, which leads to risk analysis with division into particular vocational groups in the enterprise. Thus Parker in his method uses Courtney's method, extending it with qualitative analysis of risk, and also formalizes the impact of the human factor on risk, which distinguishes this method from the rest [6, p. 40].

TABLE III.
THE EXAMPLE OF MATRIX ACCORDING TO NIST METHODOLOGY

Probability of threat appearance | Results: Low (10) | Results: Medium (50) | Results: High (100)
High (1,0) | Low: 10*1,0=10 | Medium: 50*1,0=50 | High: 100*1,0=100
Medium (0,5) | Low: 10*0,5=5 | Medium: 50*0,5=25 | Medium: 100*0,5=50
Low (0,1) | Low: 10*0,1=1 | Low: 50*0,1=5 | Low: 100*0,1=10

Source: [1, p. 115]
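The risk-level matrix of table III as code, an added example that is not from the paper: the likelihood weights 1,0 / 0,5 / 0,1, the impact weights 100 / 50 / 10 and the (50,100] / (10,50] / [1,10] level boundaries are those the page gives for the NIST SP 800-30 method, while the threat register is constructed.

```python
"""NIST SP 800-30 Risk Level Matrix (table III), as an added example.

Likelihood weights 1.0 / 0.5 / 0.1 and impact weights 100 / 50 / 10 are the
page's figures; a product is High for (50, 100], Medium for (10, 50] and Low
for [1, 10]. The threat register at the bottom is constructed.
"""
from __future__ import annotations

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """One cell of the matrix: likelihood weight x impact weight."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc.args[0]!r}; use high/medium/low") from None


def risk_level(score: float) -> str:
    """Map a matrix product onto the three risk levels of the page."""
    if 50 < score <= 100:
        return "High"
    if 10 < score <= 50:
        return "Medium"
    if 1 <= score <= 10:
        return "Low"
    raise ValueError(f"score {score} is outside the matrix range [1, 100]")


def assess(likelihood: str, impact: str) -> tuple[float, str]:
    """Score and level for one threat rating pair."""
    score = risk_score(likelihood, impact)
    return score, risk_level(score)


def matrix() -> dict[tuple[str, str], str]:
    """Rebuild table III: every (likelihood, impact) pair with its level."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in LIKELIHOOD for im in IMPACT}


# Constructed threat register for one system: (threat, likelihood, impact).
SAMPLE_THREATS = [
    ("unpatched web server exploited", "high", "high"),
    ("backup tape lost in transit", "low", "high"),
    ("staff mis-typing a configuration change", "medium", "medium"),
    ("power flicker in a redundant rack", "medium", "low"),
]


def prioritised(threats) -> list[tuple[str, float, str]]:
    """Threats ordered by matrix score, highest first: the list a report to
    management (the last phase of the method) would present."""
    rows = [(name, *assess(lk, im)) for name, lk, im in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, level in prioritised(SAMPLE_THREATS):
        print(f"{score:6.1f}  {level:6s}  {name}")
```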
VI. QUALITATIVE METHODS OF IT RISK ANALYSIS

There exist many qualitative methods of risk analysis. The following ones will be discussed: the FMEA/FMECA methods and the NIST 800-30 and CRAMM methodologies.

FMEA (Failure Mode and Effects Analysis) and FMECA (Failure Mode and Effects Criticality Analysis) methods have their beginning in the 1950s, when they were elaborated for the purpose of reliability analysis of weaponry, and they are used till now in e.g. the aircraft, space and electronics industries. The essence of FMEA/FMECA is the analysis of the impact of every potential defect on the functionality of the whole system and the ordering of potential defects according to the level of their severity. The FMECA method additionally introduces analysis of the degree of defect severity and examines whether it has a critical character for the functionality of the whole evaluated system. Those methods are quite laborious and require the knowledge and experience of the persons who apply them; they are supported with specialist tools using elements of knowledge engineering and fuzzy logic [1, p. 83].

The process of IT risk assessment according to the NIST SP 800-30 methodology is divided into 9 basic phases [6, p. 41-42]:
− Selection of the systems which are subject to evaluation,
− Definition of the scope of evaluation, collection of needed information;
− Identification of threats to the evaluated systems;
− Identification of susceptibilities of the evaluated systems;
− Analysis of applied and planned mechanisms of control and protection;
− Specification of the probabilities of susceptibility usage by identification of the source of threats (probability is defined as: low, medium, high);
− Analysis and determination of the impact of incidents on the system, data and organization (impact defined on a three degree scale: high, medium, low);
− Determination of the risk level with the help of a matrix – the Risk Level Matrix – for the whole risk for identified threats. This matrix is created as a result of the multiplication of the probabilities of incident occurrence (high probability receives a weight of 1,0, medium – 0,5, and low – 0,1) and the strength of the incident impact (high impact receives a weight of 100, medium – 50, and low – 10). On the basis of the matrix the level of the whole risk is defined for every identified threat, determined as high for a product in the range (50,100], medium for the range (10,50] and low for a product in the range [1,10]. (An example of the matrix according to the NIST methodology is presented in table III.)
− Elaboration of recommendations for control and protection mechanisms and other solutions having as their aim the minimization of risk to an acceptable level;
− Preparation of documentation of the results of the carried out evaluation of IT risk in the form of a report for managerial staff.

The CRAMM methodology (CCTA's Risk Analysis and Management Methodology) was accepted by the CCTA (U.K. Government Central Computer and Telecommunications Agency) as the governmental standard of risk analysis and management. The process of risk management according to this methodology consists of three subsequent stages [6, p. 44]:
− identification and evaluation of resources,
− evaluation of threats and susceptibility,
− selection and recommendation of control and protection mechanisms.

It is an IT risk analysis whose main aim is the determination of the probability of occurrence of incidents interfering with the correct functionality of resources; identified resources are allotted to asset groups, for which lists of the main threats that could concern a given asset group are generated, and the level of risk is determined for each group (on a five degree scale). This methodology uses dedicated software, which is its integral element supporting the listed particular stages.

VII. CONCLUSION

Although some of the methods of evaluation and assessment of IT risk presented in the article require some refinement, their advantage is that they show the direction of deliberations and activities in the discussed area. There exist many other methods of risk assessment, and some of them are more advanced methods which are derivatives of the methods of risk assessment in finance. The benefits resulting from the assessment of risk are multidimensional, because they can help in keeping the balance between losses and the costs of implemented protections, they help in planning expenditures, they indicate the legitimacy of, or the lack of fundamentals for, additional investment in information systems security, and they indicate new trends in the area of security. Practitioners claim that success in the assessment of losses is achieved by a systematic and solid approach to the issue, e.g. by carrying out an external audit. However, nowadays in practice potential losses are assessed rarely, which is probably influenced by such factors as lack


of knowledge, lack of willingness and lack of requirements from the side of managers of enterprises.

REFERENCES
[1] A. Bialas, Security of information and services in modern institution and company (in Polish), WNT, Warsaw 2006.
[2] A. Galach, Instruction of IT system security management (in Polish), "Osrodek Doradztwa i Doskonalenia Kadr" Publishing House, Gdansk 2004.
[3] B. Karabacak, I. Sogukpinar, Information Security Risk Analysis Method, "Computers & Security" Magazine, no. 24, March 2005.
[4] M. Pankowska, Multivariate of risk analysis for protection of management IT systems (in Polish), in: Application of informatics in accountability and finances, ed. B. Kubiak, A. Korowicki, PTE, Gdansk 2002.
[5] M. Ryba, Analysis and management of Information Systems risk (in Polish), Ernst & Young 2005, http://www.mimuw.edu.pl/~sroka/archiwalne/2005ey/materialy/
[6] M. Ryba, Multidimensional methodology of analysis and management of IT systems risk – MIR-2M (in Polish), doctoral thesis, AGH, Cracow 2006.
[7] E. Schechter, Computer Security Strength & Risk: A Quantitative Approach, Harvard University, Cambridge, Massachusetts, USA 2004.
[8] K.J. Soo Hoo, How Much Is Enough? A Risk-Management Approach to Computer Security, doctoral thesis, Stanford University, 2000.
[9] G. Stoneburner, A. Goguen, A. Feringa, Risk Management Guide for Information Technology Systems. Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology 2002.
[10] E.I. Szczepankiewicz, P. Szczepankiewicz, Risk analysis in the IT environment for the purpose of operational risk management. Part 2 – Risk assessment stage (in Polish), "Monitor Rachunkowosci i Finansow" Magazine, no. 7/2006.
[11] Z. Szyjewski, Methodologies of IT projects management (in Polish), Placet, Warsaw 2004.
[12] D. Wawrzyniak, Models of IT risk assessment – classical approach and possibilities of its development (in Polish), in: Selected problems of electronic economics, ed. M. Niedzwiedzinski, Marian Niedzwiedzinski CONSULTING Publishing House, Lodz 2007.
