Risk assessments are often conducted to evaluate the risk to which a company is exposed when a security gap or vulnerability of an information system or an application cannot be mitigated. Unfortunately, there is no consistent methodology within risk assessments to precisely define vulnerabilities and hence quantify the risk. Likewise, there are insufficient actuarial statistics to determine the likelihood of exploitation of a vulnerability. Traditionally, in an ethical hacking or penetration testing process, probabilities or risks associated with each issue are labeled high, medium, or low. In attempting to assess the exposure to risk, for example, from a security gap of an information technology system, these high, medium, and low risk labels have been applied to risks in a qualitative approach. Many vulnerability alerting programs also use this qualitative or a simplified quantitative-range approach.
A problem with that approach is that it is extremely difficult to compare a high, medium, or low risk for one particular area with a high, medium or low risk in another area. It is not clear whether ethical hacking vendors or individual security professionals use the same criteria to determine risk. As a result, businesses are required to determine, for example, what is actually a high, medium, or low risk issue to the particular business and to resolve those issues. Further, no vendor or risk assessment mechanism has addressed risk aggregation. For example, the aggregation of a number of low risk issues may become a medium or high risk issue to the system as a whole and may therefore deserve greater attention.
Risk can be assessed in qualitative or quantitative terms, or in one dimensional or multidimensional terms, or in some combination of those terms. Quantitative approaches are often associated with measuring risk in terms of dollar losses, and qualitative approaches are often associated with measuring risk in terms of quality as indicated through a scale or ranking. One-dimensional approaches consider only limited components, such as risk equals magnitude of loss times frequency of loss. Multidimensional approaches consider additional components in the risk measurement such as reliability, safety, or performance.
A goal of risk assessment has always been to try to arrive at a quantitative number around risks. In many different industries, this is possible through the use of actuarial information. In the insurance business, for example, it can be determined on an actuarial basis how many houses are burnt down per year within a given number of houses, and the risks involved can be viewed around that actuarial determination. However, within the information technology security world, this kind of information is not available, for example, because companies simply do not publish such information. Another reason for its unavailability is that the area of information technology is evolving rapidly, and the types of threats and vulnerabilities that information technology security people face are always changing and new ones being discovered.
The earliest proposal for a quantitative approach for assessing computer-related risk was based on a metric: Annual Loss Expectancy (ALE).ALE=ΣI(Oi)Fi,Where:                Oi=Harmful Outcome I;        I(Oi)=Impact of Outcome i in Dollars; and        Fi=Frequency of Outcome i.A consensus framework for computer risk management also emerged for adaptation to qualitative or quantitative risk assessment. Similar to other quantitative risk assessment approaches, the common framework required an assessment of security requirements, assets for consideration, security concerns, possible threats, vulnerabilities, and safeguards. The common framework and other ALE-based approaches created an assessment task of infeasible proportions. As a result, such approaches failed to gain widespread acceptance. Subsequently, in order to address issues of ALE-based approaches, a decision analytic framework was proposed to manage risk based on the risk management decision that incorporates probability theory to capture, clarify and convey uncertainly. However, a systematic collection of supporting data was still required to improve the risk model.        
One attempt to address a quantitative assessment of information technology security risks involved, for example, putting systems on the Internet and determining the amount of time it takes for the systems to be compromised and how they are broken into. By putting different systems on the Internet, one can measure how each system is compromised by the amount of time. From that, one should be able to derive some likelihood for compromise of similar systems being placed on the Internet. A limitation of that approach is that it is valid only for Internet-type threats and does not take into account internal users of, or physical access to, information technology systems and the like. Further, it shows only the likelihood of one possible vulnerability that has been exploited by someone on the Internet, and it does not relate to any other vulnerabilities of the information technology system. Such an approach gives a high water mark vulnerability but reveals nothing about any other vulnerabilities, so it cannot be determined if there is any change through time. Additionally, the particular approach gives no indication of what would happen if the single vulnerability issue were mitigated.
Another approach, known as a vulnerability tree, attempts to look, for example, at all the possible coding errors within an information technology system and whether they could actually result in the exploitation of a vulnerability. This is an extremely tedious process that takes an extraordinary amount of time and is valid for only a single operating system at a time. It becomes invalid with any small changes, so it is not cost effective to use in a complex environment. Further, the process would likely take many years to complete. Such a process can be characterized as a heuristic approach and is a very high order approach that is impractical in a business environment.
Others have tried to approach assessment of information technology security risks from an historical perspective. In that approach, people are encouraged to document any hacks or compromises that they have previously experienced in order to attempt to derive statistics from such experiences. A problem with that approach is that the environment in which information technology systems operate is constantly changing. In the insurance business, the rate at which houses burn is relatively stable, and slight changes that occur over time can easily be taken into account. However, in the information technology industry, changes can occur on a weekly, monthly, or annual basis very rapidly. Therefore, the historical perspective type of approach is not suitable for assessing information technology security risks