Saturday, December 02, 2006

Sensitive information risk: how to quantify it
A financial risk analysis helps business decision makers choose the right information security solutions based on internal risks, industry data, the cost of the solution and the return on the investment (ROI). The framework described here evaluates current and future risks of losing sensitive information in an organization. It should be used to determine an organization's legal, financial and business risk exposure from its handling of digitized sensitive data, and it measures legal liability and potential financial losses against the cost of implementing controls. A proper financial risk assessment gives ROI and NPV predictions based on actual findings, trends, and the projected success rate of the controls and mitigations. This is achieved with Monte Carlo simulations driven by internal and external data sets. ROI is derived from the Annualized Loss Expectancy (ALE) under current controls versus the ALE under the new controls, net of the costs associated with those new controls.
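As an added example (not code from the original post), a small Monte Carlo implementation of the ALE-based ROI and NPV comparison described above: incidents per year are drawn from a Poisson distribution and per-incident loss from a lognormal, a control is modelled as reducing frequency and/or loss size, and ROI and NPV are computed from the ALE difference net of control cost. The incident rate, loss parameters, control effectiveness, costs and discount rate are constructed assumptions, not figures from the post.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class LossModel:
    """Constructed scenario: incidents/year ~ Poisson(rate), loss/incident ~ LogNormal(mu, sigma) USD."""
    rate: float    # annual rate of occurrence, from internal and industry incident data
    mu: float      # log-mean of the per-incident loss
    sigma: float   # log-std of the per-incident loss

    def analytic_ale(self) -> float:
        # ALE = ARO * SLE; the mean of a lognormal is exp(mu + sigma^2/2)
        return self.rate * math.exp(self.mu + self.sigma ** 2 / 2)

    def with_control(self, freq_reduction: float, loss_reduction: float) -> "LossModel":
        # A control cuts how often incidents occur and/or how much each one costs
        return LossModel(self.rate * (1 - freq_reduction),
                         self.mu + math.log(1 - loss_reduction), self.sigma)

def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method, fine for the small annual rates used here
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate_ale(model: LossModel, years: int = 20000, seed: int = 7) -> float:
    """Monte Carlo ALE: mean total loss across many simulated years."""
    rng, total = random.Random(seed), 0.0
    for _ in range(years):
        for _ in range(_poisson(rng, model.rate)):
            total += rng.lognormvariate(model.mu, model.sigma)
    return total / years

def rosi(ale_current: float, ale_new: float, annual_cost: float) -> float:
    """Return on security investment: net ALE reduction per dollar of control spend."""
    return (ale_current - ale_new - annual_cost) / annual_cost

def npv(ale_current: float, ale_new: float, annual_cost: float, initial_cost: float, years: int, discount: float) -> float:
    """NPV of the control: discounted yearly net savings minus the up-front spend."""
    saving = ale_current - ale_new - annual_cost
    return sum(saving / (1 + discount) ** t for t in range(1, years + 1)) - initial_cost

if __name__ == "__main__":
    current = LossModel(rate=4.0, mu=math.log(50_000), sigma=0.8)   # assumed baseline
    proposed = current.with_control(freq_reduction=0.5, loss_reduction=0.3)  # assumed control effect
    ale_now, ale_new = simulate_ale(current), simulate_ale(proposed)
    print(f"ALE {ale_now:,.0f} -> {ale_new:,.0f}; ROSI {rosi(ale_now, ale_new, 60_000):.2f}; "
          f"NPV {npv(ale_now, ale_new, 60_000, 150_000, 3, 0.08):,.0f}")
```

Replacing the fixed parameters with distributions fitted to internal incident records and industry loss data turns this into the data-driven assessment the post describes.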

Risk is inherent in any business undertaking. Businesses continuously manage risk at all levels of the organization. How the risk is managed differs from company to company and is often based on organizational culture, the maturity of the organization, and how regulated the industry is. Financial risk analysis is the norm for any larger company, irrespective of the industry it operates in. Its IT organization, on the other hand, more often than not is not fully utilizing the potential of a financial risk analysis approach to IT risk management. Risk is often determined by IT security experts based on their domain knowledge. However, many IT security experts do not fully consider the business impact when they determine which risks to accept, reduce, or transfer.
