Quantum Risk Assessment

Adding quantum-safe considerations to your security risk assessment program.

Companies that conduct risk assessments need to consider the effect of quantum computing on their information assets today. By 2023, security regulations will change because of updated NIST cryptographic algorithm recommendations that will trigger the first tranche of cybersecurity migrations. When fault-tolerant quantum computation is achieved in research labs, the race will start to upgrade security protections against the imminent threats posed by quantum computers.

Quantum computers harness the computational power of quantum systems and offer the ability to solve computational problems previously thought to be intractable. Unfortunately, since 1994 we have known that quantum computers will also break some of the pillars of our cybersecurity infrastructure. This includes breaking public-key cryptography based on factoring and discrete logarithms, and weakening symmetric-key cryptography.

The quantum threat can be mitigated by deploying new cryptographic tools that are believed or known to be resistant to quantum attacks. The transition to quantum-safe cryptography is a tremendous challenge, and the urgency for any particular organization to complete this transition for a particular cyber system relies on three simple parameters.

  • Let x be the security shelf-life of the information being protected by the system.
  • Let y be the number of years to migrate the system to a quantum-safe solution (the migration time).
  • Let z be the threat timeline, the number of years before the relevant threat actors are able to break the quantum-vulnerable systems.

If x+y>z, then organizations will not be able to protect their assets for the required x years against quantum attacks.

If y>z, then information systems protected by public-key cryptography are vulnerable to systemic collapse.
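The two conditions above can be applied across an asset inventory. The following is an added example, not part of the evolutionQ methodology: the asset names, the x and y values, the status labels and the use of an early/late range for z are all constructed assumptions. The slack figure is z - (x + y), the number of years the start of migration can still be delayed before x+y>z holds.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    x: float  # security shelf-life of the protected information, in years
    y: float  # migration time to a quantum-safe solution, in years

def assess(asset, z):
    """Apply the two conditions from the text for a threat timeline of z years."""
    slack = z - (asset.x + asset.y)  # negative: migration should already have started
    if asset.y > z:
        status = "systemic-collapse"   # y > z: migration finishes after the threat arrives
    elif asset.x + asset.y > z:
        status = "shelf-life-exposed"  # x + y > z: data needs protection past year z
    else:
        status = "on-track"
    return {"name": asset.name, "status": status, "slack_years": slack}

def triage(assets, z_range):
    """Assess every asset at an early and a late estimate of z; most urgent first."""
    z_early, z_late = z_range
    rows = []
    for a in assets:
        early, late = assess(a, z_early), assess(a, z_late)
        rows.append({
            "name": a.name,
            "if_early": early["status"],
            "if_late": late["status"],
            "slack_if_early": early["slack_years"],
        })
    return sorted(rows, key=lambda r: r["slack_if_early"])

# Constructed inventory: names and year values are illustrative assumptions.
INVENTORY = [
    Asset("web session TLS", x=1, y=3),
    Asset("health records archive", x=25, y=5),
    Asset("firmware signing PKI", x=2, y=12),
]

if __name__ == "__main__":
    # z_range is an assumed pair of threat-timeline estimates, not a forecast.
    for row in triage(INVENTORY, z_range=(10, 20)):
        print(row)
```

An asset whose status differs between the early and late estimate is the one whose migration schedule depends most on the threat timeline assessment.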

Depending on the complexity of the system and the ecosystem in which it lives, y can range from several years to decades. Managing the transition proactively will lead to a more robust implementation. In contrast, rushing the transition or managing it as a crisis will not only be disruptive and expensive but will also result in a flawed implementation that is more susceptible to conventional cyber attacks. Thus a proactive approach is critical. Not only must legacy systems be made ready for the quantum future, but new systems also need to be designed to be ready for the threats posed by emerging quantum technology.

The goal of a Quantum Risk Assessment (QRA) is to identify information assets that are potentially vulnerable to quantum threats and recommend mitigation measures, safeguards and controls that can be employed to proactively secure and protect against future threats, particularly quantum attacks.

Key Contacts

John Mulholland

Director, Quantum Risk Management

John leads our quantum threat and risk assessment business to help organizations understand and manage their cyber security issues. John has worked with organizations in government and industry to assist the migration of their systems and practices to quantum-safety.

Brian Neill

VP, Product & Business Development

Brian is a Certified Information Systems Security Professional (CISSP) with a career spanning 20 years in cybersecurity companies building software products and managing cyber security risk.

Quantum Risk Assessment Methodology

Read about the evolutionQ QRA methodology.

Quantum Threat Timeline

How long until fault-tolerant quantum computers can break cybersecurity?

evolutionQ and the Global Risk Institute assess the timing of the threat.