How Sensitivity Analysis Can Help Identify Your Best Risk Reduction Levers

January 24, 2019  Bryan Smith

The goal of every risk management program should be to cost-effectively achieve and maintain an acceptable level of risk. How do you know if you have an acceptable level of risk? Across an entire enterprise how do you know where to look? Which systems matter most?

These questions are where the FAIR™ risk model shines as a risk sensitivity analysis model. By providing quantified results for loss event frequency and loss magnitude and articulating the resulting loss exposure in monetary terms, Factor Analysis of Information Risk (FAIR) makes it easy to see what matters.

Once you know what matters you can start focusing on the cost-effective part. So now you can start asking: where can my budget dollars have the biggest impact? What am I doing that matters the most? For these questions, the RiskLens platform offers sensitivity analysis.

What is risk sensitivity analysis?

Sensitivity analysis is a statistical technique to test models. When weather forecasters create a forecast model, they use sensitivity analysis to test it. It determines which of the many factors a model can have actually matter in the grand scheme of things. Example: does the day of the week tell us whether it will rain at 11am? (Probably not.) As in the real world, not everything you're doing (or, in model terms, not all the factors) has the same level of impact. This is what sensitivity analysis finds: which model factors matter the most.

In RiskLens' cyber risk quantification platform, the model factors you test are your inputs into the FAIR model. This allows you to find which improvements in your risk management practices will have the most impact in terms of possible risk reduction.

How does risk sensitivity analysis work?

The RiskLens platform does sensitivity analysis for you. Which is good, because doing it manually would be a lot of work: each input into the model must be tested in isolation. That means you would change one input, rerun the analysis, and then compare the results to the original. Then repeat that for each of the inputs in your analysis. That's a lot of analyses.

The more tests you want, the more times you would have to do this process. The RiskLens platform does four tests per input, so you can see the range of impact possible, from a small to a large risk management change.

For example, a very basic FAIR scenario with four inputs (Loss Event Frequency and the three Loss Magnitude inputs) would need 16 tests. In other words, 16 more analyses. In an average analysis, such as one with 8 scenarios and 12 inputs each, you would need hundreds of analyses (8 scenarios x 12 inputs x 4 tests = 384!).

But RiskLens does all the extra analyses for you and displays them in order of largest impact.
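The one-at-a-time procedure described above, as an added example that is not RiskLens code: a minimal FAIR scenario with four inputs, a seeded Monte Carlo estimate of annualized loss exposure, and a sweep that changes one input at a time, reruns the model, and ranks the tests by impact. The input names, the triangular distributions, the four scaling factors and all scenario values are constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:  # a FAIR input captured as a min / most-likely / max range
    lo: float
    mode: float
    hi: float

    def scaled(self, factor):
        return Estimate(self.lo * factor, self.mode * factor, self.hi * factor)

    def sample(self, rng):  # triangular stands in for the PERT RiskLens uses (assumption)
        return rng.triangular(self.lo, self.hi, self.mode)

# Constructed scenario: one web application, four FAIR inputs (names are assumed).
SCENARIO = {
    "loss_event_frequency": Estimate(0.5, 2.0, 6.0),             # loss events per year
    "primary_loss": Estimate(20_000, 80_000, 300_000),          # $ per loss event
    "secondary_loss_event_frequency": Estimate(0.1, 0.3, 0.6),  # share of events with secondary loss
    "secondary_loss": Estimate(50_000, 250_000, 1_500_000),     # $ per secondary loss event
}
TEST_FACTORS = (0.75, 0.9, 1.1, 1.25)  # four perturbations per input (assumed sizes)

def annualized_loss_exposure(inputs, iterations=20_000, seed=1):
    """Monte Carlo mean of annual loss: LEF x (primary + SLEF x secondary)."""
    rng = random.Random(seed)  # fixed seed so each rerun sees identical draws
    total = 0.0
    for _ in range(iterations):
        lef = inputs["loss_event_frequency"].sample(rng)
        per_event = (inputs["primary_loss"].sample(rng)
                     + inputs["secondary_loss_event_frequency"].sample(rng)
                     * inputs["secondary_loss"].sample(rng))
        total += lef * per_event
    return total / iterations

def sensitivity(inputs, factors=TEST_FACTORS):
    """Vary one input at a time, rerun the model, rank tests by absolute change."""
    baseline = annualized_loss_exposure(inputs)
    rows = []
    for name, estimate in inputs.items():
        for factor in factors:
            varied = {**inputs, name: estimate.scaled(factor)}
            delta = annualized_loss_exposure(varied) - baseline
            rows.append((name, factor, delta))  # delta < 0: exposure falls (a reduction lever)
    rows.sort(key=lambda r: abs(r[2]), reverse=True)
    return baseline, rows

def analyses_required(scenarios, inputs_per_scenario, tests_per_input=len(TEST_FACTORS)):
    return scenarios * inputs_per_scenario * tests_per_input  # 1 x 4 -> 16, 8 x 12 -> 384
```

Because every rerun reuses the same seed, each row isolates the effect of the one changed input; the top rows are the inputs whose improvement buys the most exposure reduction.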

What does sensitivity analysis tell you?

There are two types of tests you can run on an input: a positive test and a negative test. In a positive test, you measure the opportunity of an improvement to your risk landscape. In a negative test, you find which factors in your risk landscape matter the most.

As an example, a positive test for the resistive strength input is one that increases your resistive strength. For some situations, an increase may not matter (for example, when the threat actors' capability is very low). When the test matters, you will see a decrease in total loss exposure. Further investigation of the scenario will lead to ideas to increase resistive strength. You can then use our ROI comparison reporting to evaluate your options.

For example, if you add a new Web Application Firewall (WAF) in front of a web application: does the new WAF have a large enough ROI, in terms of decreased loss exposure vs. the cost to implement it?

The Risk Reduction Factor identifies the type of changes you can make to reduce risk. In this scenario, reducing Threat Activity, such as with a Web Application Firewall, could lead to the largest reduction.

In a negative test, you measure what happens when resistive strength decreases. For example, what if you spent less time validating control states? You may have less visibility, which could lead to a lower Resistive Strength. Less visibility may not matter for some assets, such as a development environment. So the takeaway, depending on the scenario, is an evaluation of where to spend your time. As always, context is king.

Sensitivity analysis lets you focus on what matters

The beauty of sensitivity analysis is two-fold. First, it can identify opportunities. Second, it can identify what you're doing that matters, allowing you to take your best shot at cost-effectively managing your risk.

Update:

The RiskLens platform now offers Risk Treatment Analysis, an advanced form of sensitivity analysis. Risk Treatment Analysis allows organizations to assess and compare risk treatment options, and to demonstrate the ROI of controls investments for reducing cyber risk. Contact RiskLens to learn more.