Quantum Risk Assessment
A proven risk-based approach to determining your organization's exposure to quantum threats.
Understand your exposure to quantum computing threats
Assessment of your organization’s cybersecurity preparedness for quantum computing threats. Early identification of specific weaknesses in your organization’s cryptographic defences.
Planning your future quantum security initiatives
Prioritize the information assets and IT systems that require attention now versus the systems that can afford to wait.
Consider quantum vulnerabilities on new projects or legacy systems
Initial steps in a quantum-safe migration plan that focuses on business value with an eye towards sensible prioritization.
What does the Mosca Inequality say about your organization?
Quantum computers, once seen as a remote theoretical possibility, are now being developed by some of the largest computing companies in the world, and there is a material risk that within 5 to 10 years they will be able to decrypt sensitive data being communicated today. It is important that businesses relying on secure communications examine the issue and assess their quantum risk.
Actionable QRA Reports
The final outcome of our QRA service is a report that helps your business identify and prepare for upcoming quantum computing threats. A typical QRA report will include:
- Identification of assets and their current cryptographic protection.
- Identification of potential threat actors and estimation of the time until they can access quantum technology.
- Description of boundaries involving partner interconnected systems.
- Risk determination that considers time required to fix prior to assets becoming vulnerable to quantum threats.
- Prioritized list of follow-up activities to help migrate your organization to a quantum-safe state.
Our QRA Approach
evolutionQ conducts QRAs remotely or on-site depending on your organization's service preference. We follow a standardized NIST Risk Management Framework approach when conducting our QRAs.
- Project Kickoff
  Discussion of goals, expectations, contacts, and review of the project plan and timeline. Typically takes 1 week.
- Information Gathering & Interviews
  A documentation review and interviews with stakeholders performed over a period of 4 weeks.
- Review and Analysis
  Assessment of your IT security controls, gaps, and deficiencies in the context of quantum computing threats.
- Report Delivery
  A final report with recommended priorities and guidance to help mitigate risk of quantum computing threats and suggestions on timing to resolve.
Are suppliers and partners quantum-safe?
evolutionQ's team can reveal which suppliers and partners could promote or slow an organization’s progress to quantum safety.
This initial step in a quantum-safe migration plan focuses on the business value and sensible prioritization.
A Detailed Look at QRAs
For more information about QRAs and how they are performed, you can download and read our paper published with the Global Risk Institute "A Methodology for Quantum Risk Assessment".
FAQs
An evolutionQ Quantum Risk Assessment (QRA) offers several benefits for organizations concerned about the potential impact of quantum computing on their cybersecurity.
The QRA provides a comprehensive assessment of an organization's preparedness for quantum computing, which can help to identify areas of vulnerability and potential threats. This assessment considers how an organization's current cryptographic defences will fare against the exponentially increased computing power of quantum computers.
A QRA with evolutionQ can reveal specific weaknesses in an organization's cryptographic defences. This can help organizations prioritize their efforts to enhance their cybersecurity measures and take steps to protect their valuable data and intellectual property.
The assessment can identify suppliers and partners who may have a significant impact on an organization's progress toward quantum safety. By identifying these parties, organizations can take steps to collaborate with them to improve cybersecurity or minimize any negative impact.
A QRA is often the initial step in a quantum-safe migration plan that focuses on business value with an eye towards sensible prioritization. By starting with an assessment of their current situation, organizations can develop a roadmap for their migration to quantum-safe technology and prioritize their efforts to minimize disruption and maximize value.
Overall, this effort provides a valuable tool for organizations to better understand the potential impact of quantum computing on their cybersecurity and to develop a proactive plan to mitigate risk and protect their valuable assets.
A Quantum Risk Assessment (QRA) is conducted as a series of discussions between the QRA project lead and organizational experts in various domains within the project scope. This process does not require or involve direct interaction with the technical infrastructure or sensitive information. The goal is to provide a comprehensive overview of the organization's risk landscape and inform decision-making on how to manage quantum risks. The topics that will be explored during this process include:
Business Architecture
- This area of discussion is intended to establish an understanding of the corporate environment in which business functions operate.
- This includes: a high-level view of the organizational structure, a definition of the business functions within the scope, external business entities and their role relative to the organization, training and resources assigned to employees, specifically security and technology departments, a high-level description of the quantity and type of sensitive information, and an overview of the corporate decision-making process.
Technology Architecture
- Technology architecture refers to the processes, systems and networks that make up the infrastructure supporting the business function.
- This includes: system and network diagrams to furnish a high-level understanding of internal and external delivery of information; inventory and life-cycle management for systems, critical technology and applications; any cloud or internet-based services with access to sensitive information, including applications, databases, document management systems or other repositories, tools and processes that furnish employees with remote access to sensitive data, systems, tools; and applications that rely on or furnish security capabilities or cryptographic keys or functions.
Policy, Training & Security
- This discussion is broader in scope than the specific architecture and functions being analyzed. Here we review organizational policies, practices, training and other factors that establish the framework that governs all operations within the entire organization.
- This includes: policy/guidance documents relating to information management, processes for enforcing security, role definitions for any roles with privileged access to data, other recent risk assessments, types of Threat Actors relevant to the organization, external organizations who may receive security reports and level of awareness of quantum technology.
A Quantum Risk Assessment (QRA) is crucial for organizations as it helps them to prepare for the emerging threat of quantum computing. Quantum computers have the potential to break current cryptographic methods, which can have severe consequences for organizations that rely on these methods to protect their sensitive data.
By conducting a QRA, organizations can identify the specific systems and data that are most vulnerable to quantum threats, prioritize their efforts to enhance cybersecurity measures, and develop a plan to protect against future quantum attacks. The QRA provides an organization with a comprehensive overview of their risk landscape, enabling informed decision-making regarding how to manage quantum risks.
Through the QRA process, domain experts within the organization can evaluate business-critical systems and sensitive data that are most exposed to quantum computing threats. By exploring Business Architecture, Technology Architecture, and Policy, Training & Security, practitioners can identify areas of vulnerability and recommend safeguards to protect against future quantum attacks.
In summary, Quantum Risk Assessment is important because it helps organizations to understand the potential impact of quantum computing on their cybersecurity and develop a proactive plan to mitigate risk and protect their valuable assets. By conducting a QRA, organizations can identify their most vulnerable systems and data, prioritize their efforts to enhance cybersecurity measures, and provide customers with the peace of mind they deserve.
A Quantum Risk Assessment (QRA) is a comprehensive evaluation of an organization's information assets and systems to identify areas that are vulnerable to quantum threats and recommend safeguards that can be employed to secure and protect against future quantum attacks.
The primary goal of a QRA is to ensure the continued security and confidentiality of an organization's data, which can provide peace of mind to customers and stakeholders. The assessment is a proactive planning exercise that helps organizations prepare for the quantum computing threat by identifying business-critical systems and sensitive data that are most exposed to quantum computing threats.
QRA practitioners use risk assessment techniques that are based on the Mosca Inequality, which considers the value of data, the future value of confidentiality, and the time needed to perform a quantum-safe migration. By evaluating an organization's IT and cybersecurity systems, QRA practitioners can identify areas of vulnerability and recommend safeguards to protect against future quantum attacks.
Overall, a Quantum Risk Assessment is an important tool for organizations to proactively plan for the quantum computing threat and protect their valuable data and assets. By conducting a QRA, organizations can identify their most vulnerable systems and data, prioritize their efforts to enhance cybersecurity measures, and provide customers with the peace of mind they deserve.