Quantitative risk assessment begins when we can assign a dollar amount to a specific risk. If the project were finished a month early there would appear to be no risk, because the company would save money; but at what cost? Projects that are finished early usually go wrong. If the project is completed on time but without the required security measures, the company would not be in compliance with PCI DSS. Completing the project a month early while still meeting the mandatory security requirements carries no risk.
Qualitative risk assessment comes into play in a different form. Additional factors and threat vectors have entered our contract. We now find out that the database that once held only 1,000 records will hold between 100,000 and 1,000,000 records, and that multiple groups within the organization will be accessing and modifying the database daily. We have also been informed that we have ninety days to document and remediate this issue, as the system is not in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
We must now examine the inherent vulnerabilities that exist in the system or application. One of these is that the application is vulnerable to SQL injection, the method by which a malicious user attempts to append additional data to a SQL statement in the hope of gaining access to data they do not have permission to access.
The quantitative value on this project is $30 million, given that up to one million records may be stored in the database: 1,000,000 records x $30 per record = $30 million. This brings us back to our qualitative risk rating.
Reputation risk is the impact on earnings and on investor or consumer confidence that results from negative publicity about the business. In our situation, the most likely cause is an unauthorized disclosure of customer data due to a system or network compromise. The negative impact of such an event could easily surpass the monetary loss calculated in our quantitative risk assessment.
At this point we have introduced a myriad of elements into our risk assessment. Given the simplicity of our outsider threat vector through SQL Injection, the fact that this form of attack is not often detected by system logs and Intrusion Detection tools, the reputation risk associated with going public with 500K compromised records and the probability that this attack vector is likely to be repeated once discovered, we can easily assign a qualitative risk level of "High." We now have a quantitative risk assessment value of $15 million and a qualitative risk level of "High."
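The quantitative figures above ($30 million for the full one-million-record database, $15 million for 500K disclosed records) follow from the standard single loss expectancy form SLE = asset value x exposure factor, with the exposure factor taken as the fraction of records disclosed. The script below, an added example and not part of the original assessment, reproduces those figures across the 100,000 to 1,000,000 record range and extends them to an annualized loss expectancy; the per-record value and record counts are the page's, while the annualized rate of occurrence is an assumed input.

```python
from dataclasses import dataclass

# Asset value per record, as given in the assessment.
PER_RECORD_VALUE = 30.0


@dataclass(frozen=True)
class RecordRisk:
    records: int              # records held on the database
    exposed_fraction: float   # exposure factor, 0.0..1.0 (1.0 = every record disclosed)

    def __post_init__(self) -> None:
        if self.records < 0 or not 0.0 <= self.exposed_fraction <= 1.0:
            raise ValueError("records must be >= 0 and exposed_fraction within [0, 1]")

    def asset_value(self) -> float:
        # Total value of the data set: records x $/record.
        return self.records * PER_RECORD_VALUE

    def single_loss_expectancy(self) -> float:
        # SLE = asset value x exposure factor.
        return self.asset_value() * self.exposed_fraction


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    # ALE = SLE x annualized rate of occurrence (ARO is an assumed input here,
    # e.g. 0.5 means one expected compromise every two years).
    if aro < 0:
        raise ValueError("aro must be >= 0")
    return sle * aro


def sle_range(low_records: int, high_records: int, exposed_fraction: float = 1.0):
    # Worst-case SLE at both ends of the record-count range the contract now covers.
    low = RecordRisk(low_records, exposed_fraction).single_loss_expectancy()
    high = RecordRisk(high_records, exposed_fraction).single_loss_expectancy()
    return low, high


if __name__ == "__main__":
    # Full database disclosed: 1,000,000 records x $30 -> $30 million.
    full = RecordRisk(1_000_000, 1.0)
    # 500K of 1,000,000 records disclosed (the reputation scenario) -> $15 million.
    half = RecordRisk(1_000_000, 0.5)
    print(f"SLE, full disclosure: ${full.single_loss_expectancy():,.0f}")
    print(f"SLE, 500K records:    ${half.single_loss_expectancy():,.0f}")
    print(f"SLE over 100K..1M:    ${sle_range(100_000, 1_000_000)[0]:,.0f} "
          f"to ${sle_range(100_000, 1_000_000)[1]:,.0f}")
    # Assumed ARO of 0.5 for illustration only.
    print(f"ALE at ARO 0.5:       ${annualized_loss_expectancy(half.single_loss_expectancy(), 0.5):,.0f}")
```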
We calculate the Single Loss Expectancy (SLE) by taking the value of an asset which would be a single record at $30, then take the Exposure Factor, which is 1,000,000 records, and multiply the Asset