
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
October 5, 2023


Securing executive buy-in: Using quantitative risk information for evidence-based corporate security management

It is well documented that security managers often lack influence over budgets and with senior executives. So, how can they tip these scales? Matthieu Petrigh, Senior Security Consultant at Buro Happold, explains how professionals can better quantify security risk to secure buy-in from the C-suite.


Matthieu Petrigh, Senior Security Consultant at Buro Happold

A recent research paper published by the Security Research Initiative (SRI) demonstrated that, all too often, security managers lack influence over the security budget.

The findings further suggest, among other things, that security professionals should also be linking physical security spend to cyber security in order to facilitate senior executives’ buy-in.

In response to these findings, this article will explore the idea of using quantitative risk information to influence decisions.

We first consider various ways of assessing physical and cyber security risk information sources, and then introduce an approach to adopting security risk quantification as a way to improve risk analysis, risk communication and senior executives’ buy-in.

Ultimately, this article should inform security professionals and assist them in getting the security budget they perhaps deserve.

The importance of recognising the different types of risk information

Risk information is information that can influence a decision.

Depending on the corporate culture of a given organisation, certain types of information will be recognised and accepted as legitimate risk information.

Other sources and types of information will, on the other hand, be disregarded.

This happens for many reasons – one of those being that security is sometimes claimed to be, or believed to be, unquantifiable, or that qualitative information is discounted by senior executives because of its subjective nature (i.e. representing a view or an opinion rather than a fact).

However, disregarding potential risk information simply because it is qualitative can cause organisations to overlook valuable evidence when conducting security risk assessments.

Therefore, to reduce bias, it makes sense to consider both qualitative and quantitative information when conducting a risk assessment.

A balanced security risk assessment

A balanced security risk assessment is an exercise that includes both qualitative and quantitative information that relates to physical and cyber security, and that allows us to better understand the risks we are facing.

For this purpose, information can be classified along two independent axes: as qualitative or quantitative, and as subjective or objective. A quantitative figure can still be subjective (an expert’s estimate), and a qualitative statement can still be objective (a verifiable description of what happened).

Qualitative information describes a security risk or a problem in words. Quantitative information is about risks and things that can be measured in quantities (e.g. duration, cost, frequency of occurrence) and expressed in numbers.

Subjective information is a matter of personal opinion or judgment, whilst objective information is something that is verifiable and a fact.

The table below, adapted from guidance produced by the UK National Cyber Security Centre (NCSC), outlines the various information types that can be, and should be, considered during a balanced security risk assessment.

[Table: types of risk information arranged in four quadrants, qualitative or quantitative against subjective or objective; adapted from NCSC guidance]


The value of considering different methods

Methods that come to be used during a security risk assessment have implications for the way in which problems are conceptualised and for the type of explanations employed.

Likewise, certain security problems and theories have implications for the kind of methods that are used.

Some methods of risk assessment are more useful for the investigation and understanding of certain security problems than others.

The table above does not suggest that information from any of the four quadrants is more appropriate than the others when conducting a security risk assessment. What it does is enable security professionals to quickly visualise the types of risk information they have already considered, and the kinds of information that have been omitted from their assessment.

It is true that qualitative methods are less resource-intensive than quantitative ones, and therefore cheaper and faster to apply. For these reasons, security professionals tend to prefer qualitative methods when conducting their security assessments.

However, it is essential for security professionals to be able to talk in ‘numbers’ and ‘quantities’, because, justifiably, ‘numbers’ and ‘quantities’ are what senior executives understand best.

Security risk quantification

Quantification is the process of measuring the quantity of something. Applied to security risk, it is a set of methods used to determine, with a stated degree of accuracy, how large the threats, vulnerabilities and resulting security risks actually are.

As we have seen, quantitative risk information can be objective or subjective. To make their business case compelling and secure budget, security professionals should thus consider the two quadrants concerned with quantitative risk information (right column of the table), and give them more weight.

Quantities and numbers are two different things, and so it is important for security professionals to understand that ordinal numbers (e.g. 1st, 2nd, 3rd) or labels (low, medium, high) do not measure the quantity of something; they merely represent the position of a thing relative to another thing. Multiplying a likelihood of ‘3’ by an impact of ‘4’ therefore produces a score, not a quantity, and two risks scored ‘high’ may differ in expected loss by an order of magnitude.

For this reason, it is important to remember that quantities should be expressed in terms of:

  • The frequency of something happening, for example a security incident happening once a week, a month, or a year;
  • The duration of something happening, for example the downtime of a CCTV camera or any other security system, expressed in hours;
  • The cost of deployment, remediation or repair of something that is damaged, lost or broken, expressed as a monetary value for impact (e.g. the repair of the CCTV system will cost X, the financial impact of the loss of data is Y).

Quantifying risks: Three key advantages

From a security professional’s perspective then, quantifying security risks has three main advantages:

  1. It allows risks to be expressed in ways that are easily understood by business people (senior executives).
  2. Quantification makes it easier to perform cost-benefit analysis, and thus facilitates the prioritisation of risk treatments.
  3. Quantifying security risks allows security professionals to understand the degree of uncertainty in their estimates of how well their security systems and operations perform, and thus enables them to make informed predictions.
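As an added example, not from the article or from Buro Happold, the following Python script turns the three kinds of quantity listed above (frequency, duration, cost) into an expected annual loss per risk, applies candidate risk treatments, and ranks them by net annual benefit, which is the cost-benefit analysis that advantage 2 refers to. It also reports the break-even figure for each treatment, i.e. the most the organisation could spend on it per year before it stops paying for itself. All asset names, figures and control effects are constructed for illustration, and the expected-loss formula (frequency multiplied by per-event impact) is a common assumption in quantitative risk analysis rather than something the article prescribes.

```python
"""Cost-benefit ranking of security risk treatments from frequency, duration
and cost. Added example with constructed figures; the annualised-loss model
(frequency x per-event impact) is an assumption, not the article's method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float          # frequency: how often the incident occurs
    hours_per_event: float          # duration: outage or loss time per incident
    cost_per_hour: float            # monetary impact for each hour of that duration
    fixed_cost_per_event: float = 0.0   # repair/replacement cost per incident

    def annual_loss(self) -> float:
        """Expected loss per year = frequency x (duration x hourly cost + fixed cost)."""
        per_event = self.hours_per_event * self.cost_per_hour + self.fixed_cost_per_event
        return self.events_per_year * per_event


@dataclass(frozen=True)
class Treatment:
    name: str
    risk: str                   # name of the Risk this control applies to
    annual_cost: float          # deployment plus operating cost per year
    frequency_factor: float     # multiplies events_per_year (0.5 halves it)
    duration_factor: float      # multiplies hours_per_event (0.25 quarters it)


def treated(risk: Risk, t: Treatment) -> Risk:
    """The same risk with the treatment's reductions applied."""
    return Risk(risk.name,
                risk.events_per_year * t.frequency_factor,
                risk.hours_per_event * t.duration_factor,
                risk.cost_per_hour,
                risk.fixed_cost_per_event)


def break_even_cost(risk: Risk, t: Treatment) -> float:
    """Annual loss avoided: the most one could spend per year and still break even."""
    return risk.annual_loss() - treated(risk, t).annual_loss()


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Loss avoided minus what the treatment costs; negative means it does not pay."""
    return break_even_cost(risk, t) - t.annual_cost


def rank_treatments(risks: list[Risk], treatments: list[Treatment]) -> list[tuple[str, float]]:
    """Treatments ordered from best to worst net annual benefit."""
    by_name = {r.name: r for r in risks}
    rows = [(t.name, net_benefit(by_name[t.risk], t)) for t in treatments]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data: three physical-security risks and one candidate
# treatment for each. The numbers are illustrative only.
RISKS = [
    Risk("CCTV outage", events_per_year=12, hours_per_event=6, cost_per_hour=150),
    Risk("Tailgating into server room", events_per_year=2, hours_per_event=0,
         cost_per_hour=0, fixed_cost_per_event=25_000),
    Risk("Laptop theft from lobby", events_per_year=4, hours_per_event=8,
         cost_per_hour=50, fixed_cost_per_event=2_000),
]

TREATMENTS = [
    Treatment("Spare camera stock + repair SLA", "CCTV outage",
              annual_cost=3_000, frequency_factor=1.0, duration_factor=0.25),
    Treatment("Anti-tailgating turnstile", "Tailgating into server room",
              annual_cost=15_000, frequency_factor=0.1, duration_factor=1.0),
    Treatment("Extra lobby guard shift", "Laptop theft from lobby",
              annual_cost=20_000, frequency_factor=0.5, duration_factor=1.0),
]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:32s} expected annual loss: {r.annual_loss():>10,.0f}")
    print()
    for name, benefit in rank_treatments(RISKS, TREATMENTS):
        verdict = "fund" if benefit > 0 else "do not fund at this price"
        print(f"{name:32s} net annual benefit: {benefit:>10,.0f}  ({verdict})")
```

With these figures the turnstile tops the list and the extra guard shift has a negative net benefit, which is the kind of statement a budget holder can act on; a ‘high’ label for the laptop-theft risk would not have shown that the proposed control costs more than the loss it prevents.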

About the author

Matthieu Petrigh is a Senior Security Consultant at Buro Happold, the global engineering design and advisory practice headquartered in the UK and operating across North America, Europe, the Middle East, and Asia.

Matthieu is a member of the Security Institute (MSyI), and of the Chartered Institute for IT (MBCS). He is a SABRE Assessor, and is certified in Cybersecurity (CC), Information Security Management (CISMP), and Information Risk Management (PCIRM). He is also certified Port Facility Security Officer (PFSO) and a licensed Close Protection Officer (CPO).

Matthieu holds a BSc in Security and Risk Management and is currently studying for an MRes in Security Risk Management.
