Correlating Risk Findings to Quantify Risk

Aaron D. Sanders, Tong Sun, Yin Pan, Bo Yuan
Published in: 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing
Publication date: 2012-09-03
DOI: 10.1109/SocialCom-PASSAT.2012.95 (https://doi.org/10.1109/SocialCom-PASSAT.2012.95)
Citations: 0

Abstract

Research in quantitative Information Technology (IT) risk analysis has increased in the past decade, but much of that research has focused on creating new approaches that replace existing ones. Since organizations have extensive sunk costs invested in their risk management programs, there exists a need to extend and improve existing approaches. Additionally, many quantitative approaches are difficult to implement without mathematical expertise or specialized tools, focus on quantifying individual vulnerabilities, provide little insight into underlying process gaps affecting IT risk and do not facilitate including environmental factors in risk ratings. Our research focuses on identifying attributes or characteristics of risk that are missing from existing approaches, and quantifying their relevance using statistical analysis techniques. We seek to identify and quantify attributes that further close the gap between enumerating IT risks and understanding the actual risk they present. In this paper we identify the relationship between risk findings as a key attribute, and demonstrate using correlation to quantify the relationship. Correlation analysis enables organizations to uncover process gaps, and situations where default risk ratings may not be sufficient. In this paper, we discuss the benefits of correlating risk findings and demonstrate value and feasibility through an empirical case study.