An information security manager is preparing a risk assessment for a newly launched product that has no internal incident history, no comparable industry loss data and a fast-changing threat landscape. The board wants a defensible prioritisation of risks within two weeks. Which analysis approach should the manager adopt first, and why?
- A. A quantitative analysis, because expressing every risk in annual loss expectancy gives the board the precise monetary ranking it expects.
- B. A quantitative Monte Carlo simulation, because modelling thousands of loss iterations compensates for the absence of historical data.
- C. A qualitative analysis, because expert-judgement ratings of likelihood and impact can prioritise risks quickly when reliable loss frequency data is unavailable. (Correct)
- D. A deferral of any analysis, because no prioritisation can be defended until at least twelve months of incident data has accumulated.
Why A is wrong: This is tempting because monetary figures look authoritative, but without occurrence and loss data the annual loss expectancy values would rest on guessed inputs, producing false precision rather than a defensible ranking.
Why B is wrong: Monte Carlo simulation still needs credible input distributions drawn from data or calibrated estimates; running it on unfounded assumptions multiplies uncertainty rather than removing it, and it is unlikely to be defensible in two weeks.
Why C is correct: With no historical or industry frequency data and a short deadline, qualitative analysis lets subject-matter experts rank scenarios using structured likelihood and impact scales, which is the appropriate first step when the inputs for credible quantification do not yet exist.
Why D is wrong: Waiting for data leaves the new product unmanaged during its most exposed period; the manager can and should prioritise risks now using qualitative methods rather than declining to assess at all.