Different methods that are employed to perform cybersecurity risk assessment can be classified into quantitative and qualitative methods. qualitative methods access impacts based on the severity levels and doesn't use any mathematical functions or cost base analysis. since there are different risk assessment methods available, is there a base standard by which a risk assessment method could be validated? Thanks in advance for your answers.
I suggest that you look at the US NIST standard for cybersecurity risk assessments.
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
TLDR;
For quantitative risk assessment, several techniques could be used including (Data Gathering, Representation, Risk Analysis, Modeling and Simulation).
Detailed Answer:
1- Data Gathering
By interviewing a Subject Matter Expert and getting his judgement based on a previous experience or lessons-learned from an earlier incident, you could get a quantified value of the risk, especially if it was clearly captured in a log when closed.
2- Representation
By identifying the probability distribution function (pdf) of the risk, you could exactly quantify the its probability, provided that the values of the concerned variables are set.
3- Risk Analysis
By sketching a a Tornado diagram as part of a Sensitivity Analysis exercise. Such diagram depicts possible benefits versus negative impact for each risk.
By calculating the Expected Monetary Value (EMV) that is the product of the Probability (P) of risk by its monetary Impact (I). EMV= Sum (P x I).
4- Modeling and simulation
By conducting a Monte Carlo simulation where the risk model is computed several times with different input values chosen randomly from the pdf of these variables, and the result is plot in a histogram based on these iterations.
I believe you are looking at a standard / benchmark to assess the effectiveness of a cyber-security risk assessment methodology. Unfortunately, the available standards like NIST SP 800-30, ISO 27005 etc. only provide guidance on conducting cyber-security risk assessments. They do not provide any such benchmark. This is owing to the fact that irrespective of the type of methodology (quantitative or qualitative), the interpretation of risk value and its acceptability (or converse) varies between organization domains, specific organizations, specific situations, experts etc. In fact, this very interpretation is guided by the context of the risk assessment (defined during context establishment). Hence, it is very difficult (if not impossible) to devise a universal benchmark that can be used to judge the effectiveness of a cyber-security risk assessment methodology.
- Badges
- Science topic
- Similar topics
- Computer Science
- Research Topics