User Participation In The Risk Management Process

This week, students were expected to carry out the Week 2 seminar activity: prepare answers in a format of their choice, which would then be discussed during the seminar. The activity instructions were to read the Spears & Barki (2010) article and prepare answers to the following questions:

  1. How did the authors use both Qualitative and Quantitative assessment approaches? What benefits did each approach yield?
  2. What do the authors list as the advantages of involving users in the risk management process?
  3. Based on the findings of the research:
    a. How will the lack of user access affect the risk assessment you will carry out as part of your assessment?
    b. Will it affect the choice of Qualitative vs. Quantitative assessment methods you utilize?
    c. How might you mitigate any issues encountered?

Before addressing the above questions, here is a brief review on what exactly is meant by Qualitative vs. Quantitative risk assessment methods.

Qualitative Method

Qualitative risk assessment is an approach used to evaluate risks based on subjective judgments rather than numerical data. It focuses on identifying and prioritizing risks based on their potential impact and likelihood, typically using descriptive scales rather than precise measurements. Qualitative risk assessment is frequently utilized in situations where there is a lack of data or when it is challenging to accurately quantify risks. (ComplianceBridge 2019)

Quantitative Method

Quantitative risk assessment (QRA) is an approach used to assess risks based on numerical data and calculations. Unlike qualitative risk assessment, which relies on subjective judgments, QRA involves the use of mathematical models, statistical analysis, and probability theory to quantify the potential impact and likelihood of risk events. (Falck, A. N.D)

Addressing the seminar questions:

  1. How did the authors use both Qualitative and Quantitative assessment approaches? What benefits did each approach yield? Spears and Barki (2010) employed qualitative and quantitative assessment methods in their study on user involvement in managing security risks in information systems. They utilized a research approach that included both interviews and surveys to collect information. The qualitative part comprised semi-structured interviews to investigate the research question and extract insights from interview data. On the other hand, the quantitative aspect involved survey tools containing questions based on qualitative findings, literature, pretests, and pilot studies. The authors were able to analyze user participation in security risk management, determine outcomes, verify constructs, and test hypotheses successfully by combining these two approaches. They were able to offer a thorough examination of user activities related to security controls for compliance by merging qualitative depth with quantitative measurability.

  2. What do the authors list as the advantages of involving users in the risk management process? The authors list several advantages of involving users in the risk management process:
    • Enhanced Security Control Performance: Participation of users was discovered to improve security control performance through heightened awareness, alignment of security risk management with the business landscape, and enhancement of control development.
    • Valuable Resource: The study disputes the idea that users are a vulnerability in security and instead argues that they can contribute important business insights to enhance security measures. (Kreiser, J. 2023)
  3. Based on the findings of the research: a. How will the lack of user access affect the risk assessment you will carry out as part of your assessment? The lack of user access can significantly impact risk assessment in several ways:
    • Inadequate Risk Identification: If user access is not granted, accessing vital systems and data essential for a thorough risk assessment may be restricted. This could result in gaps in recognizing possible risks and vulnerabilities within the organization.
    • Incomplete Risk Analysis: An inadequate level of user access can prevent a comprehensive assessment of security measures, resulting in a lack of understanding of the organization’s risk profile. This could lead to neglecting important vulnerability points.
    • Limited Risk Mitigation: Implementing effective risk mitigation strategies can be difficult when users do not have access to critical system information. This restriction may leave the organization vulnerable to possible risks and weaknesses.
    • Impaired Decision Making: Lack of user access can hinder the decision-making process regarding risk assessment, as key stakeholders may lack the information needed to make informed decisions about risk management strategies.

Essentially, without user access the risk management process may be compromised, posing a threat to the organization’s security and compliance. (Froehlich, A. 2021)

b. Will it affect the choice of Qualitative vs. Quantitative assessment methods you utilize?
    • Qualitative Assessment: If data or systems are only accessible to a limited number of users, methods such as interviews, observations, and focus groups may be the more appropriate assessment methods, as they provide direct insights from users or stakeholders.
    • Quantitative Assessment: Quantitative evaluation methods that depend on numerical data and statistics may encounter difficulties when user access is limited. User access to essential information may therefore influence the selection of quantitative methods; if obstacles obstruct the gathering of data for quantitative analysis, qualitative methods may be more suitable.

c. How might you mitigate any issues encountered? There are various ways to mitigate these issues, some of which are:
    • Combining Methods: Using a hybrid approach that integrates qualitative and quantitative methodologies. This enables researchers to utilize the advantages of each approach while also addressing their individual shortcomings.
    • Clear Research Design: Creating a distinct research plan that details the methodology, data collection methods, and analysis techniques can ensure consistency and transparency in the research. (GoContractor 2017)
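The following is an added worked example, not code from the Spears & Barki (2010) article or from any of the sources cited on this page. It illustrates the qualitative and quantitative methods defined above, and the hybrid approach proposed under question 3c: a small risk register (constructed for this example) is scored on descriptive likelihood and impact levels, and wherever monetary loss data is available it is additionally quantified as annualized loss expectancy, taken here as single loss expectancy multiplied by annual rate of occurrence (ALE = SLE × ARO, a standard formula that the page itself does not state). Risks for which the numeric data could not be gathered, as happens when user access is limited, fall back to the qualitative rating instead of being dropped. The three-level scale, the multiplicative rating matrix and its thresholds are assumptions chosen for the example.

```python
"""Qualitative vs. quantitative risk scoring on a constructed risk register (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed qualitative scale: descriptive levels mapped to ordinal ranks.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Qualitative method: combine descriptive likelihood and impact levels into a rating.

    Assumed matrix: rank product >= 6 is 'high', >= 3 is 'medium', otherwise 'low'.
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annualized_loss_expectancy(single_loss_expectancy: float, annual_rate: float) -> float:
    """Quantitative method: ALE = SLE x ARO (standard formula, assumed for this example)."""
    return single_loss_expectancy * annual_rate


@dataclass
class Risk:
    name: str
    likelihood: str              # qualitative level, obtainable from interviews
    impact: str                  # qualitative level
    sle: Optional[float] = None  # monetary loss per event; None when data could not be gathered
    aro: Optional[float] = None  # expected events per year; None when data could not be gathered


def assess(risk: Risk) -> Dict:
    """Hybrid assessment: quantify when numeric data exists, otherwise keep the qualitative rating."""
    result = {"name": risk.name, "qualitative": qualitative_rating(risk.likelihood, risk.impact)}
    if risk.sle is not None and risk.aro is not None:
        result["method"] = "quantitative"
        result["ale"] = annualized_loss_expectancy(risk.sle, risk.aro)
    else:
        result["method"] = "qualitative"  # fallback where user access blocked data collection
        result["ale"] = None
    return result


def rank_register(register: List[Risk]) -> List[Dict]:
    """Order risks: quantified ones by ALE (descending), then unquantified ones by qualitative rating."""
    assessed = [assess(r) for r in register]
    return sorted(
        assessed,
        key=lambda a: (a["ale"] if a["ale"] is not None else -1, LEVELS[a["qualitative"]]),
        reverse=True,
    )


# Constructed sample register; the names, levels and figures are illustrative only.
RISK_REGISTER = [
    Risk("Phishing of finance staff", "high", "medium", sle=20000, aro=2),
    Risk("Unpatched legacy server", "high", "high", sle=150000, aro=0.25),
    Risk("Shared administrator credentials", "medium", "high"),  # no loss data available
    Risk("Lost unencrypted laptop", "low", "medium", sle=5000, aro=1),
]


if __name__ == "__main__":
    for entry in rank_register(RISK_REGISTER):
        ale = "n/a" if entry["ale"] is None else f"{entry['ale']:.0f}"
        print(f"{entry['name']:<35} {entry['method']:<13} qualitative={entry['qualitative']:<6} ALE={ale}")
```

Running the block ranks the three quantified risks by ALE and lists the unquantified credential-sharing risk last with its qualitative "high" rating, showing how a hybrid design keeps a risk visible even when the numbers needed for quantitative treatment were out of reach.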

References:

ComplianceBridge (2019). Qualitative & Quantitative Risk Assessment Process. [online] ComplianceBridge. Available at: https://compliancebridge.com/quantitative-risk-assessment/ [Accessed 15 March 2024].

Spears, J.L. and Barki, H. (2010). User Participation in Information Systems Security Risk Management. [online] Available at: https://www-jstor-org.uniessexlib.idm.oclc.org/stable/25750689?seq=3 [Accessed 15 March 2024].

DNV (n.d.). Quantitative Risk Assessment: A formal method for understanding the risk of potential hazards to an asset. [online] Available at: https://www.dnv.com/services/quantitative-risk-assessment-1397/ [Accessed 15 March 2024].

www.claconnect.com (n.d.). Top 6 Benefits of Enterprise Risk Management. [online] Available at: https://www.claconnect.com/en/resources/articles/2023/top-6-benefits-of-enterprise-risk-management [Accessed 15 March 2024].

SearchSecurity (n.d.). The top 7 identity and access management risks. [online] Available at: https://www.techtarget.com/searchsecurity/answer/What-are-some-of-the-top-identity-and-access-management-risks [Accessed 15 March 2024].

GoContractor (2017). Safety Risk Management: Qualitative Vs Quantitative Risk Analysis. [online] Available at: https://gocontractor.com/blog/safety-risk-management-qual-vs-qty/ [Accessed 15 March 2024].