Section: Volume D

Section: Volume D

Qualitative measures are methods of expressing risk levels using descriptive terms, such as high, medium, or low, based on subjective criteria, such as likelihood, impact, or severity. Qualitative measures are often used to identify and prioritize risks, and to communicate risk information to stakeholders1.
Residual risk is the level of risk that remains after the risk response has been implemented. Residual risk reflects the effectiveness and efficiency of the risk response, and the need for further action or monitoring2.
Emerging threats are new or evolving sources or causes of risk that have the potential to adversely affect the organization's objectives, assets, or operations. Emerging threats are often characterized by uncertainty, complexity, and ambiguity, and may require innovative or adaptive risk responses3.
The best reason to use qualitative measures to express residual risk levels related to emerging threats is that qualitative measures are better able to incorporate expert judgment. Expert judgment is the opinion or advice of a person or a group of people who have specialized knowledge, skills, or experience in a particular domain or field. Expert judgment can help to:
* Provide insights and perspectives on the nature and characteristics of the emerging threats, and their possible causes and consequences
* Assess the likelihood and impact of the emerging threats, and their interactions and dependencies with
* other risks
* Evaluate the suitability and effectiveness of the risk responses, and their alignment with the organization's risk appetite and tolerance
* Identify and recommend the best practices and lessons learned for managing the emerging threats, and for improving the risk management process45 Qualitative measures are better able to incorporate expert judgment than quantitative measures, which are methods of expressing risk levels using numerical or measurable values, such as percentages, probabilities, or monetary amounts. Quantitative measures are often used to estimate and analyze risks, and to support risk decision making1. However, quantitative measures may not be suitable or feasible for expressing residual risk levels related to emerging threats, because:
* Quantitative measures require reliable and sufficient data and information, which may not be available or accessible for the emerging threats
* Quantitative measures rely on mathematical models and techniques, which may not be able to capture or reflect the complexity and uncertainty of the emerging threats
* Quantitative measures may create a false sense of precision or accuracy, which may not be justified or warranted for the emerging threats
* Quantitative measures may be influenced or manipulated by biases or assumptions, which may not be valid or appropriate for the emerging threats67 Therefore, qualitative measures are better able to incorporate expert judgment, which can enhance the understanding and management of the residual risk levels related to emerging threats.
The other options are not the best reasons to use qualitative measures to express residual risk levels related to emerging threats, but rather some of the advantages or disadvantages of qualitative measures. Qualitative measures require less ongoing monitoring than quantitative measures, because they are simpler and easier to apply and update. However, this does not mean that qualitative measures can eliminate or reduce the need for monitoring, which is an essential part of the risk management process. Qualitative measures are better aligned to regulatory requirements than quantitative measures, because they are more consistent and comparable across different domains and contexts. However, this does not mean that qualitative measures can satisfy or comply with all the regulatory requirements, which may vary depending on the industry or sector. Qualitative measures are easier to update than quantitative measures, because they do not depend on complex calculations or formulas. However, this does not mean that qualitative measures can always reflect the current or accurate risk levels, which may change over time or due to external factors. References =
* Qualitative Risk Analysis vs. Quantitative Risk Analysis - ISACA
* Residual Risk - ISACA
* Emerging Threats - ISACA
* Expert Judgment - ISACA
* Expert Judgment in Project Management: Narrowing the Theory-Practice Gap
* Quantitative Risk Analysis - ISACA
* Quantitative Risk Analysis: A Critical Review
* [CRISC Review Manual, 7th Edition]

Residual risk is the risk that remains after security controls have been implemented on a system. Residual risk can be accepted, transferred, avoided, or further mitigated. The most important consideration when deciding whether to accept residual risk is the cost versus benefit of additional mitigating controls. This means comparing the potential impact of the residual risk with the cost and effectiveness of implementing more controls to reduce it. If the cost of additional controls outweighs the benefit of reducing the residual risk, then it may be acceptable to accept the residual risk. However, if the benefit of additional controls exceeds the cost, then it may be advisable to implement more controls to lower the residual risk to an acceptable level. References = Risk and Information Systems Control Study Manual, Chapter 3: Risk Response and Mitigation, Section 3.4: Risk Response Selection, p. 156-157.

A high-risk vulnerability in an application is a system flaw or weakness in the application's code that can be exploited by a malicious actor, potentially leading to a security breach. The risk associated with a high-risk vulnerability in an application is the possibility and impact of such a breach occurring. The risk owner of a high-risk vulnerability in an application is the person or entity who has the authority and responsibility for managing the risk. The risk owner should be able to define the risk appetite, assess the risk level, select and implement the risk response, monitor and report the risk status, and ensure the risk alignment with the business objectives and strategy. The risk owner of a high-risk vulnerability in an application is the business unit, which is the organizational unit that operates the application and derives value from it. The business unit understands the business needs and expectations of the application, and the potential consequences of a security breach. The business unit also has the resources and incentives to address the risk effectively and efficiently. Therefore, the business unit is the most appropriate risk owner of a high-risk vulnerability in an application. References = Why Assigning a Risk Owner is Important and How to Do It Right, CRISC 351-400 topic3, Foundations of Project Management : Week 2.