GV.RM-06.026

Has your organization established formal criteria for when to use quantitative risk analysis methods, including defined probability and exposure formulas?

Explanation

Quantitative risk analysis assigns numerical values to both the probability of security incidents and their potential impact, which allows resource-allocation decisions to be made on an objective basis rather than on expert opinion alone. Organizations should have clear guidelines specifying when quantitative methods are appropriate (as opposed to qualitative approaches) and should document the specific mathematical formulas used to calculate risk scores, probability distributions, and financial exposure values. Evidence could include a documented risk assessment methodology that outlines the quantitative thresholds; the formulas for calculating Annual Loss Expectancy (ALE), Single Loss Expectancy (SLE) and probability values; and examples of completed quantitative risk assessments that demonstrate how these formulas were applied.
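The following is an added example (not part of this control description and not ResponseHub code) showing what a documented quantitative methodology looks like once written down as executable rules. It uses the standard definitions SLE = AV x EF and ALE = SLE x ARO, an assumed selection criterion (quantitative analysis only when the asset value meets a threshold and a frequency estimate exists), and a constructed sample register; the threshold, the risk entries and their values are all illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float        # AV: value of the affected asset, in currency units
    exposure_factor: float    # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: Optional[float]      # ARO: expected incidents per year; None when no defensible data exists


# Documented selection criterion (assumption for this example): the quantitative method is
# used only when the asset value meets this threshold AND a frequency estimate is available.
# Anything else is rated qualitatively.
QUANTITATIVE_AV_THRESHOLD = 100_000.0


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = AV x EF: expected loss from one occurrence."""
    return risk.asset_value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected loss per year. Requires frequency data."""
    if risk.aro is None:
        raise ValueError(f"{risk.name}: no ARO available, ALE cannot be calculated")
    return single_loss_expectancy(risk) * risk.aro


def use_quantitative(risk: Risk) -> bool:
    """Apply the documented criterion for choosing quantitative over qualitative analysis."""
    return risk.asset_value >= QUANTITATIVE_AV_THRESHOLD and risk.aro is not None


def analyze_register(risks: List[Risk]) -> List[Dict]:
    """Score each risk with the method the criterion selects; rank quantitative
    entries by ALE (highest first) and list qualitative entries after them."""
    rows = []
    for r in risks:
        if use_quantitative(r):
            rows.append({"name": r.name, "method": "quantitative",
                         "sle": single_loss_expectancy(r), "ale": annual_loss_expectancy(r)})
        else:
            rows.append({"name": r.name, "method": "qualitative", "sle": None, "ale": None})
    # quantitative rows first, sorted by descending ALE; qualitative rows keep their input order
    rows.sort(key=lambda row: (row["method"] != "quantitative", -(row["ale"] or 0.0)))
    return rows


def control_is_justified(risk: Risk, annual_control_cost: float, aro_after: float) -> bool:
    """Cost-benefit test built on ALE: a control is worth funding when the ALE
    reduction it buys (ALE before minus ALE after) exceeds its annual cost."""
    ale_before = annual_loss_expectancy(risk)
    ale_after = single_loss_expectancy(risk) * aro_after
    return (ale_before - ale_after) - annual_control_cost > 0


# Constructed sample register; the values are illustrative, not from any real assessment.
SAMPLE_RISKS = [
    Risk("Customer database breach", 2_000_000.0, 0.25, 0.1),
    Risk("Phishing-led account takeover", 150_000.0, 0.2, 0.5),
    Risk("Ransomware on file server", 500_000.0, 0.6, None),   # no frequency data -> qualitative
    Risk("Laptop theft", 3_000.0, 1.0, 2.0),                   # below AV threshold -> qualitative
]

if __name__ == "__main__":
    for row in analyze_register(SAMPLE_RISKS):
        print(row)
    db_breach = SAMPLE_RISKS[0]
    # Hypothetical control costing 20,000 per year that cuts the ARO from 0.1 to 0.02
    print("Database control justified:", control_is_justified(db_breach, 20_000.0, 0.02))
```

The point of writing the criterion as code is that the threshold, the formulas and the fallback to qualitative rating all become auditable evidence: an assessor can see exactly when the quantitative method applies and reproduce every ALE figure in the register.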

Implementation Example

Establish criteria for using a quantitative approach to cybersecurity risk analysis, and specify probability and exposure formulas

ID: GV.RM-06.026

Context

Function: GV: GOVERN
Category: GV.RM: Risk Management Strategy
Sub-Category: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub