Has your organization established formal criteria for when to use quantitative risk analysis methods, including defined probability and exposure formulas?
Explanation
Quantitative risk analysis assigns numerical values to both the probability of security incidents and their potential impact, enabling more objective decision-making for resource allocation.
Organizations should have clear guidelines specifying when quantitative methods are appropriate (versus qualitative approaches) and document the specific mathematical formulas used to calculate risk scores, probability distributions, and financial exposure values.
Evidence could include a documented risk assessment methodology that outlines quantitative thresholds, formulas for calculating Annual Loss Expectancy (ALE), Single Loss Expectancy (SLE), probability values, and examples of completed quantitative risk assessments that demonstrate the application of these formulas.
Implementation Example
Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas
ID: GV.RM-06.026
Context
- Function
  - GV: GOVERN
- Category
  - GV.RM: Risk Management Strategy
- Sub-Category
  - A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?