An Introduction To
Information, Network and Internet Security


Problems with the quantitative approach

There are some significant weaknesses inherent in this approach that are not easily overcome.

First, there is no formal and rigorous way to effectively calculate values for assets and controls. In other words, while it may appear to give more detail, the financial values actually obscure the fact that the numbers are based on estimates. An example would be the precise and accurate calculation of the impact that a highly public security incident might have on the organisational brand. Historical data can be examined where it is available, but more often than not it is not.

Second, organizations that have tried to meticulously apply all aspects of quantitative risk management have found the process to be extremely costly. Such projects usually take a very long time to complete their first full cycle, and they usually involve a lot of staff members arguing over the details of how specific fiscal values were calculated.

Third, for organizations with high value assets, the calculated cost of exposure may be so high that the organisation would spend an exceedingly large amount of money to mitigate every risk to which it was exposed. This is not realistic: an organization would not spend its entire budget to protect a single asset, or even its top five assets.
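The first and third weaknesses above can be made concrete with a short calculation. The following is an added example, not code from the page or its author: it uses the standard quantitative formula ALE = asset value × exposure factor × annual rate of occurrence, and every asset value, range, control cost and budget in it is constructed for illustration. The first part shows how a single ALE figure for brand damage hides the width of the estimates behind it; the second shows that funding every cost-justified control can demand far more than a realistic budget allows.

```python
"""Added example (not from the page): two weaknesses of quantitative risk analysis
made concrete. (1) One ALE figure hides how wide the underlying estimates are.
(2) Funding every cost-justified control can exceed any realistic budget.
ALE = asset value x exposure factor x annual rate of occurrence (ARO) is the
standard quantitative formula; every number below is constructed."""
import random


def ale(asset_value, exposure_factor, aro):
    """Annualised loss expectancy for one threat against one asset."""
    return asset_value * exposure_factor * aro


# Constructed ranges for 'brand damage from a public incident': none of these
# can be pinned down, so each input is an interval rather than a number.
BRAND_ASSET_VALUE = (1_000_000, 20_000_000)   # value of the brand at risk
BRAND_EXPOSURE_FACTOR = (0.05, 0.50)          # fraction lost in one incident
BRAND_ARO = (0.10, 1.00)                      # incidents per year


def point_estimate(value_range, ef_range, aro_range):
    """What the spreadsheet shows: ALE from the midpoint of each range."""
    mid = lambda r: (r[0] + r[1]) / 2
    return ale(mid(value_range), mid(ef_range), mid(aro_range))


def ale_interval(value_range, ef_range, aro_range, trials=20_000, seed=7):
    """Sample each input uniformly over its range and return the 5th, 50th and
    95th percentile ALE, exposing the spread the point estimate conceals."""
    rng = random.Random(seed)
    samples = sorted(
        ale(rng.uniform(*value_range), rng.uniform(*ef_range), rng.uniform(*aro_range))
        for _ in range(trials)
    )
    pct = lambda p: samples[int(p * (trials - 1))]
    return pct(0.05), pct(0.50), pct(0.95)


# Constructed candidate controls: annual cost and the ALE each would remove.
CONTROLS = [
    {"name": "incident response retainer", "cost": 400_000, "ale_reduced": 1_200_000},
    {"name": "customer db encryption + monitoring", "cost": 250_000, "ale_reduced": 900_000},
    {"name": "payment system redundant hosting", "cost": 600_000, "ale_reduced": 800_000},
    {"name": "laptop full-disk encryption", "cost": 50_000, "ale_reduced": 120_000},
]
SECURITY_BUDGET = 500_000  # constructed annual security budget


def cost_justified_spend(controls):
    """Strict quantitative rule: fund every control whose cost is below the ALE
    it removes. Returns the total annual spend that rule demands."""
    return sum(c["cost"] for c in controls if c["cost"] < c["ale_reduced"])


def budgeted_plan(controls, budget):
    """Greedy selection by ALE removed per unit of cost, staying within budget.
    Returns (selected control names, spend, ALE removed)."""
    ranked = sorted(controls, key=lambda c: c["ale_reduced"] / c["cost"], reverse=True)
    chosen, spend, removed = [], 0, 0
    for c in ranked:
        if spend + c["cost"] <= budget:
            chosen.append(c["name"])
            spend += c["cost"]
            removed += c["ale_reduced"]
    return chosen, spend, removed


if __name__ == "__main__":
    point = point_estimate(BRAND_ASSET_VALUE, BRAND_EXPOSURE_FACTOR, BRAND_ARO)
    low, mid, high = ale_interval(BRAND_ASSET_VALUE, BRAND_EXPOSURE_FACTOR, BRAND_ARO)
    print(f"brand-damage ALE point estimate: {point:,.0f}")
    print(f"5th / 50th / 95th percentile:    {low:,.0f} / {mid:,.0f} / {high:,.0f}")
    print(f"spend if every justified control is funded: {cost_justified_spend(CONTROLS):,}")
    print(f"plan within budget {SECURITY_BUDGET:,}: {budgeted_plan(CONTROLS, SECURITY_BUDGET)}")
```

Run as a script, the first two lines show a single figure of about 1.6 million next to a 5th-to-95th percentile band that spans more than an order of magnitude, which is the "precision" the first weakness warns about. The second pair of lines shows that the cost-justified plan wants 1.3 million against a 500 thousand budget, so the quantitative result still has to be cut back by a judgement the method itself does not supply.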



The Security Practitioner

An Introduction to Information Security