Here at RiskLens, one of our passions is quantifying (in dollars and cents) things that some say cannot be quantified. This is the second in a series of posts exploring examples of quantified risks.
What we covered so far
In the first entry in this series we covered the elements of quantification and explained who is quantifying risk. The following example explores a more complex policy and enforcement problem faced by organizations that maintain databases of varying sizes containing sensitive data such as customer personally identifiable information (PII).
To encrypt, or not to encrypt
What do you do when charged with encrypting all of the PII in your databases? Most reasonable cybersecurity practitioners would recognize how expensive that expectation is to meet. What this company did using RiskLens might surprise you.
The technology risk team used RiskLens' Cyber Risk Quantification application to measure:
- the current risk without encryption versus the forecasted risk with encryption
- the changes in loss exposure based on PII record counts in databases
With those results, the team was able to make a risk-based decision regarding when encryption is required, when it is recommended, and when it is acceptable not to encrypt.