IT Examiner School eBook May 2025

Qualitative and Quantitative Explained

Qualitative Analysis: Focuses on subjective assessment of risk levels. Uses categories like High, Medium, Low. Easier to implement, good for quick evaluations.

Common Exercises:
• Risk Assessment Workshops
• Scenario Analysis
• Expert Judgment Evaluations

Quantitative Analysis: Focuses on numerical assessment of risk. Uses data, metrics, and financial impact estimates. Provides detailed cost-benefit analysis for decision-making.

Common Exercises:
• Single Loss Expectancy (SLE)
• Annual Loss Expectancy (ALE)
• Cost-Benefit Analysis

When to Use Each:
• Qualitative: Early-stage analysis or when data is limited.
• Quantitative: For in-depth analysis and budget justification.

Step 4 – Risk Response and Mitigation

Objective: Determine how the organization addresses identified risks—whether by accepting, transferring, reducing, or avoiding them.

Examiner Validation:
• Request risk response plans and incident response documentation.
• Verify the implementation of controls (e.g., encryption, firewalls, MFA).
• Confirm that risk acceptance decisions are documented and approved by management.

Additional Checks:
• Review the CISO's Annual Report to the Board for documented risk acceptance decisions and their justifications.
• Ensure risk mitigation measures are reflected in policies and procedures, and that they align with the Risk Assessment (RA).

Accept: Acknowledge the risk without further mitigation, typically when the cost to address it is greater than the potential impact.
• Example: A company stores low-sensitivity public information on a web server. Although there is a minor risk of exposure, the potential impact is minimal, so the organization chooses to accept the risk.

Transfer: Shift the financial impact of the risk to a third party, such as through insurance or contractual agreements.
• Example: An organization purchases cyber insurance to cover potential financial losses from data breaches, effectively transferring the risk to the insurance provider.

Reduce: Implement security measures to minimize the impact or likelihood of a risk.
• Example: A company introduces Multi-Factor Authentication (MFA) and encryption for remote access to reduce the risk of unauthorized access to its systems.

Avoid: Eliminate the risk entirely by stopping the activity or changing business practices.
• Example: After identifying high risk in using outdated legacy software, the company decides to decommission the system and migrate to a cloud-based solution to avoid vulnerabilities.
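The following worked example (added here; not part of the eBook) ties the quantitative exercises above (SLE, ALE, cost-benefit analysis) to the four risk responses. It scores each response by its net annual benefit over simply accepting the risk; the asset value, exposure factors, rates of occurrence and annual costs are constructed figures for a remote-access system, not data from the source.

```python
"""Quantitative comparison of risk responses (constructed example).

SLE = asset value x exposure factor (cost of one occurrence).
ALE = SLE x annualised rate of occurrence (expected yearly loss).
Net benefit of a response = baseline ALE - residual ALE - annual cost of the response.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: loss from a single occurrence."""
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual Loss Expectancy: expected loss per year."""
    return single_loss * aro


@dataclass
class Response:
    name: str            # accept / transfer / reduce / avoid
    annual_cost: float   # premium, control cost, or yearly migration cost
    residual_ef: float   # exposure factor remaining after the response
    residual_aro: float  # annual rate of occurrence remaining after the response


def net_benefit(asset_value: float, ef: float, aro: float, r: Response) -> float:
    """Yearly saving of a response compared with doing nothing (accept)."""
    baseline = ale(sle(asset_value, ef), aro)
    residual = ale(sle(asset_value, r.residual_ef), r.residual_aro)
    return baseline - residual - r.annual_cost


def rank_responses(asset_value, ef, aro, responses):
    """Return (net_benefit, name) pairs, best option first."""
    scored = [(net_benefit(asset_value, ef, aro, r), r.name) for r in responses]
    return sorted(scored, reverse=True)


# Constructed scenario: remote-access system worth 500,000; a breach exposes
# 40% of that value; baseline expectation is one breach every two years.
ASSET_VALUE, BASE_EF, BASE_ARO = 500_000.0, 0.4, 0.5
RESPONSES = [
    Response("accept", 0.0, 0.4, 0.5),       # no change to exposure
    Response("transfer", 30_000.0, 0.08, 0.5),  # insurer covers 80% of each loss
    Response("reduce", 25_000.0, 0.4, 0.1),    # MFA + encryption cut breach frequency
    Response("avoid", 70_000.0, 0.0, 0.0),     # decommission and migrate
]


def example_ranking():
    return rank_responses(ASSET_VALUE, BASE_EF, BASE_ARO, RESPONSES)
```

Running `example_ranking()` here favours "reduce" (net 55,000 per year) over "transfer" (50,000), "avoid" (30,000) and "accept" (0); an examiner would expect to see this kind of justification behind a documented risk acceptance or control decision.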
