I. First of all, there are several important concepts in quantitative risk assessment:
Exposure factor (EF): the percentage or degree of loss that a specific threat causes to a specific asset.
Single loss expectation (SLE): the total potential loss that a single occurrence of a specific threat may cause.
Annual occurrence rate (ARO): the estimated frequency with which the threat occurs within one year.
Annual loss expectation (ALE): the expected loss on a specific asset within one year.
II. The relationship between the quantitative risk assessment process and these concepts is as follows:
(1) First, identify the assets and assign each asset a value (a quantified amount);
(2) Through threat and vulnerability assessment, estimate the impact of a specific threat on a specific asset, that is, the exposure factor EF (the value lies between 0% and 100%);
(3) Estimate the frequency of the specific threat, namely the annual occurrence rate ARO;
(4) Calculate the single loss expectation of the asset: SLE = asset value × EF;
(5) Calculate the annual loss expectation of the asset: ALE = SLE × ARO.
We can see that for quantitative analysis two indicators are the most critical: the likelihood of an event, and the loss that the threatening event may cause. Because quantitative evaluation classifies security risks precisely, it becomes easy to judge whether a security measure is reasonable and to calculate its ROI. For example, a building's ALE is 350,000 before countermeasures; after taking countermeasures (installing fire detectors and buying enough fire extinguishers, at a cost of 80,000) the building's ALE falls to 70,000, so the ROI is 350,000 − 70,000 − 80,000 = 200,000. Through this calculation we know that the investment in this safety measure is worthwhile.
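The five-step procedure above and the fire-countermeasure ROI example can be carried through as a small worked calculation. The following is an added example, not part of the original text; the asset value (1,000,000), the EF and ARO figures before and after the countermeasure, and the helper names are assumptions chosen so that the results reproduce the page's 350,000 / 70,000 / 80,000 / 200,000 figures. EF is taken as a percentage (0–100) as in step (2), and the ROI ratio (benefit divided by cost) is an additional, conventional form that the page does not itself use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset exposed to one threat (names are this example's own)."""
    asset_value: float       # step (1): quantified asset value
    exposure_factor: float   # step (2): EF as a percentage, 0..100
    aro: float               # step (3): expected occurrences per year

    def __post_init__(self) -> None:
        # Guard the value ranges the procedure assumes: EF is 0%..100%,
        # asset value and ARO cannot be negative.
        if not 0 <= self.exposure_factor <= 100:
            raise ValueError("EF must lie between 0% and 100%")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        # step (4): SLE = asset value x EF
        return self.asset_value * self.exposure_factor / 100

    def ale(self) -> float:
        # step (5): ALE = SLE x ARO
        return self.sle() * self.aro


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure: ALE reduction minus its cost.
    This is the quantity the page calls the ROI (350,000 - 70,000 - 80,000)."""
    return ale_before - ale_after - annual_cost


def roi_ratio(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Conventional ROI ratio: net benefit divided by cost (not used on the page)."""
    if annual_cost <= 0:
        raise ValueError("annual cost must be positive to compute a ratio")
    return countermeasure_value(ale_before, ale_after, annual_cost) / annual_cost


def fire_example() -> dict:
    """Reproduce the page's building/fire example with constructed inputs."""
    # Constructed: before detectors/extinguishers a fire is expected once a
    # year and destroys 35% of a 1,000,000 building.
    before = RiskScenario(asset_value=1_000_000, exposure_factor=35, aro=1.0)
    # Constructed: detectors and extinguishers cut the damage per fire to 14%
    # and halve the chance that a fire takes hold in a given year.
    after = RiskScenario(asset_value=1_000_000, exposure_factor=14, aro=0.5)
    cost = 80_000  # page's countermeasure cost
    return {
        "sle_before": before.sle(),
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "net_benefit": countermeasure_value(before.ale(), after.ale(), cost),
        "roi_ratio": roi_ratio(before.ale(), after.ale(), cost),
    }


if __name__ == "__main__":
    for name, value in fire_example().items():
        print(f"{name:>12}: {value:,.2f}")
```

A countermeasure is worth taking when `countermeasure_value` is positive; a negative result means the measure costs more per year than the loss it prevents. The range checks in `__post_init__` catch the most common data-entry mistake in such spreadsheets, an EF entered as a fraction (0.35) into a field that expects a percentage.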
Although security risks can be classified precisely through quantitative assessment, there is a premise: the data on which the calculation rests must be accurate. In fact, in today's increasingly complex and changeable information systems it is difficult to guarantee the reliability of the data on which quantitative evaluation is based. In addition, because long-term statistical data are lacking, the calculation process is prone to error, which makes a refined assessment very difficult. Therefore, quantitative assessment methods are seldom used in information security risk assessment at present.