One of the bullet points in the (ISC)2 Security Domain 1 (security and risk management) is risk analysis (yes, you with the beard on the back row, that would be under NIST 800-53r5 Security Domain 14). There are many ways to define it, but I will be lazy and steal the definition from NIST 800-160 because it is short and to the point:
Risk Analysis is the process to comprehend the nature of risk and to determine the level of risk.
We can subdivide this analysis into two groups based on the criteria we use in the decision process: quantitative and qualitative analysis. Without going over the details, the bottom line is that a lot of people ignore qualitative analysis because it does not directly tie into money: how can you ask executives for funding if you cannot provide a proper cost-benefit analysis? For instance, if you are asked to measure and tie to the yearly budget, say, your company's reputation (a topic picked out of the blue which has absolutely nothing to do with the title of this article), what would you do? After all, this is the typical topic qualitative risk analysis is built for.
The answer is that we can quantify it if we look at it in an indirect way. If you think about it, company reputation can be "itemized" by the things that affect it:
- Your cyber insurance premium, which is affected by how good the insurers think you are at protecting your assets. So you can say "since we have not been breached in X years and we have a great security policy which is enforced and audited, our insurance is lower than our competitors'." Can you see how close this narrative now is to the one associated with the Annualized Loss Expectancy (ALE)? You may be able to ask the insurers to explain how a recent loss of personal data will affect the premium. There are no guarantees they will talk, but there is a compelling argument to work together to decrease their risk.
- Customer confidence, which is affected by how many data breaches you have had, how you handled them, and how you deal with customers' data. This can be estimated by investigating the decrease in sales of other companies after a loss of personal data, including credit card information. People vote with their wallets, and with their letters to elected officials.
- Your suppliers' confidence in you, which determines whether they will offer you discounts, lower interest, and longer terms to pay your orders. If they do not trust you, they may say every bill is due on receipt. That affects cash flow in a very definite way.
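As an added worked example (not from the original post), here is the itemized-reputation idea carried through the ALE formulas: each item gets an asset value, an exposure factor and an annualized rate of occurrence, and the sum becomes the ALE that a cost-benefit case for a control can be built on. All figures are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ReputationItem:
    """One quantifiable component of 'company reputation'."""
    name: str
    asset_value: float       # yearly money riding on this item (premium, sales, supplier terms)
    exposure_factor: float   # fraction of asset_value lost in one reputational incident (0..1)
    aro: float               # annualized rate of occurrence of such an incident

    def sle(self) -> float:
        # Single Loss Expectancy = Asset Value x Exposure Factor
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


# Constructed sample figures: one breach every five years (ARO = 0.2).
REPUTATION = [
    ReputationItem("cyber insurance premium", 120_000, 0.25, 0.2),   # premium rises 25%
    ReputationItem("customer sales", 4_000_000, 0.05, 0.2),          # 5% of sales walk away
    ReputationItem("supplier payment terms", 300_000, 0.50, 0.2),    # net-30 becomes due on receipt
]


def total_ale(items) -> float:
    return sum(item.ale() for item in items)


def safeguard_value(items, aro_after: float, annual_cost: float) -> float:
    """Cost-benefit of a control that lowers the breach rate to aro_after:
    (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive means the control pays for itself; that is the number to bring to the executives."""
    after = [replace(item, aro=aro_after) for item in items]
    return total_ale(items) - total_ale(after) - annual_cost


if __name__ == "__main__":
    for item in REPUTATION:
        print(f"{item.name:26s} SLE={item.sle():>10,.0f}  ALE={item.ale():>9,.0f}")
    print(f"total ALE: {total_ale(REPUTATION):,.0f}")
    # Hypothetical control: 30k/yr that drops the breach rate to once in 20 years.
    print(f"safeguard value: {safeguard_value(REPUTATION, 0.05, 30_000):,.0f}")
```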