Think of a circus juggler balancing dishes, bowls, and other flat objects on sticks. He needs to pay constant attention so as not to let them fall, rotating them at sufficient speed and at the right time.
This situation is similar to managing investments in security, where the juggler is the organization, the rotating objects are the risks, and the action of rotating them refers to the resources invested.
By understanding the state of the rotating dishes (the equivalent of analyzing the risks), the juggler can decide the order in which to work on them and how much speed each one needs so that none of them falls (i.e., so that none of the risks materializes).
In this article, we will use the juggler analogy, and how he keeps the objects rotating, to explain how to prioritize risks through risk quantification.
Benefits of security investment prioritization
This first analogy leads us to some of the benefits of security investment prioritization:
– more efficient allocation of people, processes, and budget: prioritization helps organizations invest only the resources actually required to handle each risk – no more, no less.
– increased focus around the risks that matter most: prioritization gives employees guidance on what the organization sees as important.
– increased success rate: when risks are treated according to their criticality, both the chance that they occur and the chance that they negatively impact the organization’s objectives and expected outcomes are reduced.
Why quantifying risk is important
First, it is important to note that risk value can be expressed in qualitative or quantitative form.
In the qualitative form, risks are valued based on the perceptions of those analyzing them. Those perceptions can be biased, which makes the resulting values difficult to use outside the context in which they were analyzed.
*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2020/09/29/how-to-prioritize-security-investment-through-risk-quantification/