QQRRA is a novel approach to the quasi-quantitative analysis of residual risk that will help address many of the limitations in our current approach. More specifically, the QQRRA approach will:

  • Support more granular quasi-quantitative risk analyses than the previous approach
  • Support both simple analyses (a single threat against multiple controls, or a single control against multiple threats) and more complex analyses (multiple threats against multiple controls)
  • Integrate all controls and all levels of control implementation maturity across the risk model
  • Provide value even when limited threat-related information is available
  • Provide input into more rigorous quantitative risk analyses if needed

We accomplish this by leveraging:

  • HITRUST’s control framework-based approach to risk analysis, in which the specification and tailoring of HITRUST CSF controls defines an organization’s risk target
  • the HITRUST Assurance Program as the basis for the controls gap assessment that establishes and reports an organization’s current state of protection
  • risk concepts that are well understood by industry, used to decompose risk and support a more granular quasi-quantitative computation model that expresses risk reduction in monetary terms

The resulting integrated approach is easier to use than current quantitative approaches while providing more realistic estimates of risk than existing qualitative or quasi-quantitative approaches.

Risk Ontology

The HITRUST QQRRA risk ontology is based on (1) the standard decomposition of risk into likelihood (probability) and impact, which are in turn decomposed along the lines of the threat statement, “A threat actor initiates a threat by exploiting a vulnerability that results in a risk to an asset of a potential loss,” and (2) a decomposition of control function based on the NIST Cybersecurity Framework Core Functions: Identify, Protect, Detect, Respond, and Recover.

Figure 9. QQRRA Risk Ontology

Computation Model

The computational model leverages the concept of annualized loss expectancy (ALE), conventionally the product of single loss expectancy (SLE) and annualized rate of occurrence (ARO), and extends it so that threat actor motivation (M) and capability (C) attenuate the ARO, as shown in the following figure.

Figure 10. Attenuating ARO with Motivation and Capability in the ALE Model

This general model is then used to build out more detailed computational models for two kinds of loss: losses directly attributable to a primary threat event, and losses indirectly attributable to it, i.e., losses from a secondary event whose probability of occurrence is generally conditioned on the response of a secondary ‘threat actor’ such as a customer, business partner, or regulator.77
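To make the pieces of the computation model concrete, the following is an added worked example; it is not HITRUST’s published QQRRA model and the functional forms in it are assumptions chosen for illustration. It computes ALE per threat with ARO attenuated by M and C, applies controls classified by NIST CSF Core Function and weighted by implementation maturity (Identify/Protect controls are assumed to reduce likelihood, Detect/Respond/Recover controls to reduce direct impact, independent controls combining multiplicatively), adds an indirect-loss term for a secondary event conditioned on the primary event, and reports inherent versus residual risk in monetary terms for the multiple-threat, multiple-control case. The threats, controls and currency figures are constructed sample data; `marginal_value` gives the single-control, multiple-threat view by removing one control and measuring the change in residual ALE.

```python
"""Illustrative residual-risk computation in the style of the QQRRA model.

Added example, not HITRUST's published computation model. ASSUMED forms:
  * ARO_eff = ARO * M * C, with motivation M and capability C scaled to [0, 1]
  * a control removes (effectiveness * maturity) of whatever it acts on;
    Identify/Protect act on likelihood, Detect/Respond/Recover on direct impact;
    independent controls combine multiplicatively
  * indirect loss = residual ARO * P(secondary | primary) * secondary SLE
All threats, controls and currency figures are constructed sample data.
"""
from dataclasses import dataclass

LIKELIHOOD_FUNCTIONS = frozenset({"Identify", "Protect"})
IMPACT_FUNCTIONS = frozenset({"Detect", "Respond", "Recover"})


def _check_unit(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value}")


@dataclass(frozen=True)
class Control:
    name: str
    function: str          # NIST CSF Core Function the control maps to
    effectiveness: float   # fraction removed when fully implemented, [0, 1]
    maturity: float        # implementation maturity, [0, 1]

    def residual_factor(self) -> float:
        """Fraction of likelihood or impact surviving this control (assumed form)."""
        if self.function not in LIKELIHOOD_FUNCTIONS | IMPACT_FUNCTIONS:
            raise ValueError(f"{self.name}: unknown CSF function {self.function!r}")
        _check_unit(f"{self.name}.effectiveness", self.effectiveness)
        _check_unit(f"{self.name}.maturity", self.maturity)
        return 1.0 - self.effectiveness * self.maturity


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float                  # base annualized rate of occurrence, events/year
    motivation: float           # threat-actor motivation M, [0, 1]
    capability: float           # threat-actor capability C, [0, 1]
    sle: float                  # single loss expectancy of the primary event
    p_secondary: float = 0.0    # P(secondary event | primary event)
    sle_secondary: float = 0.0  # SLE of the secondary event (regulator, customer, ...)

    def attenuated_aro(self) -> float:
        """ARO attenuated by motivation and capability (assumed multiplicative form)."""
        for label, value in (("motivation", self.motivation), ("capability", self.capability),
                             ("p_secondary", self.p_secondary)):
            _check_unit(f"{self.name}.{label}", value)
        return self.aro * self.motivation * self.capability


def combined_factor(controls, functions) -> float:
    """Residual fraction left by every control whose CSF function is in `functions`."""
    factor = 1.0
    for control in controls:
        if control.function in functions:
            factor *= control.residual_factor()
    return factor


def annualized_loss(threat, controls=()) -> dict:
    """ALE of one threat under a control set, split into direct and indirect loss."""
    aro = threat.attenuated_aro() * combined_factor(controls, LIKELIHOOD_FUNCTIONS)
    direct = aro * threat.sle * combined_factor(controls, IMPACT_FUNCTIONS)
    indirect = aro * threat.p_secondary * threat.sle_secondary
    return {"aro": aro, "direct": direct, "indirect": indirect, "total": direct + indirect}


def residual_risk(threats, controls) -> dict:
    """Inherent ALE (no controls), residual ALE, and the monetary risk reduction."""
    inherent = sum(annualized_loss(t)["total"] for t in threats)
    residual = sum(annualized_loss(t, controls)["total"] for t in threats)
    return {"inherent": inherent, "residual": residual, "reduction": inherent - residual}


def marginal_value(threats, controls, target) -> float:
    """Reduction attributable to `target` alone: the single-control, multiple-threat view."""
    without = [c for c in controls if c is not target]
    return residual_risk(threats, without)["residual"] - residual_risk(threats, controls)["residual"]


# Constructed sample data, not figures from the HITRUST document.
THREATS = [
    Threat("ransomware", aro=2.0, motivation=0.9, capability=0.8, sle=500_000,
           p_secondary=0.3, sle_secondary=1_000_000),  # secondary event: regulatory penalty
    Threat("insider misuse", aro=0.5, motivation=0.5, capability=0.6, sle=200_000,
           p_secondary=0.1, sle_secondary=300_000),    # secondary event: customer attrition
]
CONTROLS = [
    Control("email filtering", "Protect", effectiveness=0.6, maturity=0.75),
    Control("patch management", "Protect", effectiveness=0.5, maturity=0.5),
    Control("endpoint detection", "Detect", effectiveness=0.4, maturity=1.0),
    Control("tested backups", "Recover", effectiveness=0.7, maturity=0.8),
]

if __name__ == "__main__":
    print({k: round(v) for k, v in residual_risk(THREATS, CONTROLS).items()})
    print({c.name: round(marginal_value(THREATS, CONTROLS, c)) for c in CONTROLS})
```

With the sample data the inherent ALE is 1,186,500 and the residual ALE 261,731, a reduction of about 924,769 per year; removing the backup control alone raises residual ALE by 103,950, which is the kind of monetary figure the text says the model is meant to produce. Two design points matter when adapting this: the attenuation and combination rules are placeholders for whatever the real model specifies, and indirect loss is deliberately tied to the residual rate of the primary event, not to the impact-reducing controls, because the secondary ‘threat actor’ (regulator, customer) responds to the event having occurred.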

77 For more detailed information on the QQRRA model, including a detailed discussion of direct and indirect risk computational models and an example based on the threat posed by ransomware, refer to Cline, B. (2022). HITRUST Approach to Quasi-Quantitative Residual Risk Analysis (QQRRA): Quantifying Risk in a Qualitative World. Frisco, TX: HITRUST.