Quantitative Risk Analysis
Is a way of evaluating vague threats by using numbers, math, probabilities, and money. The building blocks of QRA are the formulas: SLE, ARO, ALE, and EMV.
Qualitative Risk Analysis
Is a method that evaluates risks using descriptive categories like Low, Medium, High, and Critical based on likelihood and impact. Security teams often use a "Risk Matrix," which is a grid that plots how likely a risk is to happen against how bad the impact would be, using colors.
SLE
Single Loss Expectancy; a formula that asks: how much do we lose if this happens once?
ARO
Annualized Rate of Occurrence; a formula that asks: how often does this happen per year?
ALE
Annualized Loss Expectancy; a formula that asks: how much money do we lose per year? It is calculated by multiplying SLE by ARO.
EMV
Expected Monetary Value; a formula that is used when there are multiple possible outcomes. It is calculated by multiplying Probability by Impact.

Risk Matrix
In a 3x3 risk matrix, risks are assessed by crossing Likelihood (Low, Medium, High) with Impact (Low, Medium, High) to determine a priority level. A Low Likelihood event results in a Low risk rating if the Impact is Low or Medium, and a Medium risk rating if the Impact is High. A Medium Likelihood event is rated as a Low risk for Low Impact, Medium risk for Medium Impact, and High risk for High Impact. Finally, a High Likelihood event results in a Medium risk rating for Low Impact, a High risk rating for Medium Impact, and an Extreme risk rating for High Impact.
Defining Likelihood
Low → if it is Rare to happen, Medium → if it is Possible to happen, High → if it Happens often.
Defining Impact
Low → if Minor inconvenience, Medium → if Noticeable damage, High → if Serious financial/reputation damage.
Monte Carlo Simulation
A powerful math tool used to measure risk that models thousands of random scenarios to produce probability distributions showing best-case, worst-case, and typical outcomes.
The Delphi Technique
Is a highly organized way for a group of experts to communicate, share their opinions, and come to an agreement on predicting future events or understanding complex risks.
Why do IoT systems need quantitative analysis?
IoT systems use thousands or even millions of connected devices, which makes them incredibly large and complicated. Just using descriptive words is impractical, so you need hard numbers to provide a solid foundation to protect everything from a single smart device to a massive, company-wide network.
BYOD
Bring Your Own Device; a rule or situation where a company lets its workers use their own personal phones, tablets, or computers for their jobs. This practice mixes a person's private data and the company's work data on the exact same device, which creates a tough balancing act for security teams.
Hybrid Risk Analysis
This mixes two ways of looking at danger. First, it uses a qualitative approach (using descriptive words to quickly find and rank a wide variety of risks), and then it uses a quantitative approach.