Quasi-quantitative approaches can help, but often do not relay risk in terms the business understands. “What is the real difference between a risk scored at ‘3.2’ versus a ‘3.5’?” “If we invest $1M in security to reduce my risk from a ‘3.5’ to a ‘3.2’, do we get a reasonable risk reduction for our investment?”
Quantitative approaches can certainly help address these questions; however, they typically require a significant amount of expertise, information, time, and expense, one or more of which are often in short supply for many organizations. As a result, they are often limited to addressing risk questions of limited scope and seldom useful for questions around how well the organization is managing risk more broadly.
While HITRUST has begun work on tying threats to HITRUST CSF controls,72 HITRUST guidance on risk analysis73 did not support a quantitative approach to the various analyses an organization should conduct to manage its information risk efficiently and effectively (e.g., corrective action planning/prioritization, risk acceptance, and analyses of alternate controls). Instead, HITRUST provided a mixed quasi-quantitative approach based on control maturity and non-contextual impact ratings74,75 to estimate the additional risk incurred when control requirements are not fully implemented (mature), an approach we still use today in a handful of charts and reports to communicate excessive residual risk.
In this approach, impact is categorized or rated as Very Low, Low, Moderate, High, or Very High, and then coded from one (1) through five (5). To compute risk, impact ratings (codes) may be assigned specific values such as those prescribed by NIST: Very Low (1) = 0, Low (2) = 2, Moderate (3) = 5, High (4) = 8, and Very High (5) = 10.76
Table 2. Impact Codes (IC)
| Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code | Ctrl | Code |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0.a | 3 | 01.o | 3 | 02.e | 5 | 05.e | 3 | 06.i | 4 | 08.i | 4 | 09.k | 3 | 09.z | 5 | 10.i | 4 |
| 01.a | 5 | 01.p | 3 | 02.f | 5 | 05.f | 4 | 06.j | 3 | 08.j | 4 | 09.l | 3 | 09.aa | 3 | 10.j | 4 |
| 01.b | 5 | 01.q | 5 | 02.g | 5 | 05.g | 4 | 07.a | 4 | 08.k | 5 | 09.m | 4 | 09.ab | 3 | 10.k | 4 |
| 01.c | 5 | 01.r | 4 | 02.h | 5 | 05.h | 5 | 07.b | 3 | 08.l | 5 | 09.n | 4 | 09.ac | 3 | 10.l | 3 |
| 01.d | 5 | 01.s | 4 | 02.i | 5 | 05.i | 4 | 07.c | 5 | 08.m | 5 | 09.o | 3 | 09.ad | 3 | 10.m | 3 |
| 01.e | 5 | 01.t | 3 | 03.a | 3 | 05.j | 5 | 07.d | 4 | 09.a | 5 | 09.p | 5 | 09.ae | 3 | 11.a | 3 |
| 01.f | 5 | 01.u | 3 | 03.b | 3 | 05.k | 5 | 07.e | 5 | 09.b | 4 | 09.q | 4 | 09.af | 3 | 11.b | 4 |
| 01.g | 4 | 01.v | 3 | 03.c | 3 | 06.a | 4 | 08.a | 5 | 09.c | 5 | 09.r | 4 | 10.a | 4 | 11.c | 3 |
| 01.h | 3 | 01.w | 3 | 03.d | 3 | 06.b | 4 | 08.b | 5 | 09.d | 4 | 09.s | 5 | 10.b | 4 | 11.d | 3 |
| 01.i | 4 | 01.x | 5 | 04.a | 3 | 06.c | 3 | 08.c | 5 | 09.e | 4 | 09.t | 3 | 10.c | 4 | 11.e | 3 |
| 01.j | 5 | 01.y | 5 | 04.b | 3 | 06.d | 3 | 08.d | 4 | 09.f | 4 | 09.u | 3 | 10.d | 3 | 12.a | 3 |
| 01.k | 4 | 02.a | 4 | 05.a | 4 | 06.e | 5 | 08.e | 5 | 09.g | 4 | 09.v | 4 | 10.e | 4 | 12.b | 3 |
| 01.l | 4 | 02.b | 5 | 05.b | 5 | 06.f | 4 | 08.f | 4 | 09.h | 3 | 09.w | 4 | 10.f | 3 | 12.c | 3 |
| 01.m | 3 | 02.c | 5 | 05.c | 3 | 06.g | 4 | 08.g | 4 | 09.i | 4 | 09.x | 4 | 10.g | 3 | 12.d | 3 |
| 01.n | 4 | 02.d | 4 | 05.d | 3 | 06.h | 4 | 08.h | 3 | 09.j | 4 | 09.y | 4 | 10.h | 4 | 12.e | 3 |
Using a similar approach, HITRUST computes impact (I) as a function of the impact code (IC) such that I = (IC – 1) × (25), which equates to Very Low (1) = 0, Low (2) = 25, Moderate (3) = 50, High (4) = 75, and Very High (5) = 100. When converted to a 10-point scale and rounded up, the values are identical to the NIST model.
Risk, R, is then computed as a function of Impact and Likelihood, L, such that R = L x I = [(100 – MS) / 100] x [(IC – 1) × 25], where MS is the HITRUST control maturity score determined during assessment. The table below provides ranges for a traditional risk model such as the one articulated by NIST as well as an ‘academic’ risk model.
Table 3. Risk Scales
| Risk Level | Range (Traditional Model) | Range (Academic Model) |
|---|---|---|
| Very High (Severe) | 96-100 | 41-100 (F) |
| High | 80-95 | 31-40 (D) |
| Moderate | 21-79 | 21-30 (C) |
| Low | 5-20 | 11-20 (B) |
| Very Low (Minimal) | 0-4 | 0-10 (A) |
Although the traditional model may be best used for communicating risk to external stakeholders, the academic model provides a very intuitive approach to understanding risk when presented as risk grades, which is similar to the approach previously used by the federal government to report security compliance for federal agencies.
However, while useful, this code-based approach obviously does not provide the same level of accuracy and precision as a more quantitative analysis nor present the resulting risk or expected loss estimates in monetary terms, which is arguably the ‘preferred language’ of corporate boards. Although we intend to address this in the future, HITRUST also does not currently map enumerated threats to specific requirements in each HITRUST CSF control, nor does it specify how these requirements interact with specific threats to help organizations understand how their controls are addressing information risk.
And, while the FAIR Institute provides a detailed quantitative approach to risk analysis that addresses expected loss monetarily, the approach often requires a significant amount of customization that is only suitable to very targeted types of risk analyses. Unlike the more qualitative HITRUST approach, the FAIR approach does not lend itself to broader analyses of risk based on the state of an organization’s implemented controls. However, it does address how controls interact with threats to mitigate risk at a high level.
The MITRE corporation provides two threat-based models that could support risk analysis: ATT&CK and D3FEND. The ATT&CK framework provides a knowledge base of threat actor tactics and techniques that can be used as a foundation for threat models while the D3FEND framework enumerates various controls and how they might address specific threats. However, the MITRE frameworks are extremely granular and subsequently limited to supporting specific, targeted types of risk analyses. Such analyses are also generally limited to logical cyber-based threats.
72 Ibid.
73 Cline, B. (2018, Feb).
74 Based on impact codes previously used by the U.S. Department of Defense (DoD). See Department of the Navy (2008, Jul 15). DoD Information Assurance Certification and Accreditation Process (DIACAP) Handbook, Version 1.0. Washington, D.C.: Author.
75 The ratings are categorized as non-contextual in that they assume the probable impact should the control fail, assuming all other controls are in place.
76 JTF TI (2012, Sep).