There are three general approaches to risk analysis: qualitative, semi- or quasi-quantitative, and quantitative.

Qualitative approaches generally categorize elements of a risk analysis model (e.g., as low, medium, or high), and relationships between these elements are typically addressed by using various types of tables or matrices such as the one shown here.

Figure 7. Qualitative Risk Matrix

Semi- or quasi-quantitative approaches generally assign values to the categories for each element in the risk analysis, and simple computations—either additive or multiplicative—are made based on those numbers, as shown below.

Figure 8. Quasi-quantitative Risk Matrix

Quantitative methods, on the other hand, typically do not assign categories or categorical values to the elements of the risk model; instead, each element is estimated or computed directly. For example, actuarial tables and other sources of data might provide values for the likelihood of a specific incident occurring (e.g., theft of a laptop) and the estimated value of the resulting loss (e.g., the cost of the stolen laptop together with an estimate of breach-related losses for a specific number and type of sensitive records).

With respect to questions of risk reduction resulting from the implementation and maintenance of controls, however, few approaches are available, despite the existence of various schemas that describe how controls address threats and thereby help manage risk (e.g., controls may be preventive, detective, or corrective68). The converse is also true: control-based risk management frameworks generally do not address how their controls actually mitigate risk (or by how much). This is generally left to the user of the framework to determine.
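The three approaches, and the "by how much" question for a control, applied to the laptop-theft scenario; this is an added illustration, not material from the paper, and the matrix, category scores, dollar figures, and control-effectiveness percentages are constructed assumptions.

```python
"""Qualitative, quasi-quantitative, and quantitative risk analysis of one scenario.
All tables, scores, and figures below are constructed for illustration."""
from dataclasses import dataclass

# Qualitative: likelihood x impact related through a matrix of categories.
# Rows are likelihood, columns are impact (constructed 3x3 table).
QUAL_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

def qualitative_risk(likelihood: str, impact: str) -> str:
    return QUAL_MATRIX[likelihood][impact]

# Quasi-quantitative: each category gets a number; combine multiplicatively.
SCORES = {"low": 1, "medium": 2, "high": 3}

def quasi_quantitative_risk(likelihood: str, impact: str) -> int:
    return SCORES[likelihood] * SCORES[impact]          # range 1..9

def quasi_band(score: int) -> str:
    """Constructed banding of the 1..9 product back into a category."""
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

# Quantitative: no categories; frequency and loss are estimated directly.
@dataclass(frozen=True)
class LossScenario:
    annual_frequency: float      # expected incidents per year (e.g., actuarial data)
    loss_per_event: float        # hardware replacement + breach-related losses

    def annualized_loss(self) -> float:
        return self.annual_frequency * self.loss_per_event

def residual(scenario: LossScenario, freq_reduction: float = 0.0,
             loss_reduction: float = 0.0) -> LossScenario:
    """Risk remaining after a control. A preventive control is modelled as
    lowering event frequency; a corrective control as lowering loss per event."""
    return LossScenario(scenario.annual_frequency * (1 - freq_reduction),
                        scenario.loss_per_event * (1 - loss_reduction))

def risk_reduction(inherent: LossScenario, remaining: LossScenario) -> float:
    """Fraction of annualized loss removed by the control (answers 'by how much')."""
    return 1 - remaining.annualized_loss() / inherent.annualized_loss()

# Constructed scenario: one theft every two years; $1,500 laptop plus
# 200 sensitive records at an assumed $150 each in breach-related cost.
LAPTOP = LossScenario(annual_frequency=0.5, loss_per_event=1500 + 200 * 150)
```

`residual(LAPTOP, freq_reduction=0.2, loss_reduction=0.5)` models a cable-lock policy plus disk encryption with constructed effectiveness figures; the same scenario rated "medium" likelihood and "high" impact yields "high" qualitatively and 6 quasi-quantitatively.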

Whether you call them risk assessment frameworks or risk management frameworks, what they purport to do is provide a means for organizations to manage risk better. … To a large degree, these frameworks do provide value in the sense that they provide structure and guidance that help organizations implicitly manage risk better. … Where these frameworks are less useful is in helping the practitioner determine the significance of deficiencies. … Most of these frameworks spend very little time on the question of risk measurement.69

As mentioned in the previous section, HITRUST takes an approach to general risk analysis and control specification that relies on the risk analysis performed by NIST to develop its control baselines70 for information with diverse types of sensitivity and criticality. By tailoring one of these NIST baselines through the integration and harmonization of multiple security and privacy standards, best-practice frameworks, and regulatory requirements, the HITRUST CSF serves as an industry-level enhanced overlay that—by integrating relevant inherent risk factors—provides a reasonable and appropriate specification of security controls that helps inform an organization's risk target.

HITRUST also provides a catalogue of threats that are then mapped to HITRUST CSF controls based on their specification and underlying requirements, which illustrates how the controls are addressing risk.71

The HITRUST Assurance Program then provides a rigorous approach to assessing HITRUST CSF controls. It helps organizations demonstrate an appropriate level of due care through an effective and efficient method of providing assurances to internal and external stakeholders that is both repeatable and reproducible.

68 Richards, D., Oliphant, A., and Le Grand, C. (2005, Mar). Global Technology Audit Guide: Information Technology Controls (GTAG 1). Altamonte Springs, FL: The Institute of Internal Auditors, p. 3.

69 Freund, J. and Jones, J. (2015), pp. 356-357.

70 Joint Task Force, JTF (2020, Oct).

71 HITRUST (2023e). HITRUST Threat Catalogue.