Measuring Risk Using Existing Frameworks

his article focuses on risks to information technology (IT) systems. Technically speaking, risk to an IT system is a function of the likelihood that some threat will attack, or exploit, some vulnerability in the system and a calculation of the potential impact resulting from these attacks or exploitations. Two ways exist to calculate risk to an IT system: quantitatively and qualitatively. Each approach has its strengths and weaknesses. Quantitative risk assessment attempts to calculate some “regret for loss,” as Case and Smith describe it. This is usually expressed in monetary terms. On the other hand, a qualitative risk assessment expresses risk in abstract terms such as high, medium, or low. Calculating risk, however, is not the same as measuring risk, nor is it the same as creating risk metrics. Calculating risk is about a single issue, or a single threat and vulnerability pairing. Measuring risk — or risk metrics — is about monitoring risk over time.