If you’ve had your ‘aha’ moment with the FAIR model and grok how it breaks down cyber risk into component parts that you can reassemble into actual dollars-and-cents analysis, you’re likely now looking for ways to get beyond the thought experiment. You’re a leader in the coming cyber risk revolution and understand that the revolution will be quantified!
It is time to show you how you can get your hands dirty with some real-world application of FAIR via the RiskLens platform. So, here are some tested use cases that our clients typically run with RiskLens out of the box (and after some tailored training) that make a real impact on their organizations.
These are just ‘scratch the surface’ examples of how you can rapidly change the understanding of cyber risk inside your organization – the possibilities are boundless.
For many companies, the cyber risk register is a “file and forget” tool for disposing of compliance issues, possible threats and other agenda items that are really areas of concern rather than actual risks — alongside actual risks that no consistent system has prioritized.
With a FAIR analysis, and the RiskLens platform, you can stop the guesswork and sort out which risks truly represent potential loss events for the company, then quantify the impact of those risks. The end result: a truly useful cyber risk register.
By now the trend in government regulation is clear. Look at the upcoming implementation of the European Union’s General Data Protection Regulation (GDPR), the rollout of the New York Department of Financial Services (DFS) cybersecurity regulations and the recent disclosure guidance from the U.S. Securities and Exchange Commission: companies need to change the way they measure cyber risk and drive towards a quantified understanding of potential business impact.
Read our case study for a classic example: a financial services company used RiskLens to first determine its exposure in the event of data breach, then assess the cost vs. benefit of various forms of file encryption for customer data.
RiskLens and FAIR offer a sound, and relatively speedy way to analyze where mitigation (people, tools or processes) would most effectively reduce cyber risk – or to evaluate a vendor’s claim that buying an application or outsourcing would be worth the investment. The RiskLens application is, in effect, a guided way to build a business case, walking users through gathering data on the frequency of cyber threat events and the magnitude of potential losses, then running scenarios on how competing controls might perform on risk reduction.
Insurance as an industry runs on risk quantification, but that’s based on long histories of good data. Cyber insurance has been the exception – outside of the cost of data breaches of personally identifiable information (where direct costs are pretty well established), loss data on common cyber threats such as ransomware aren’t readily available and insurance policies are inconsistent.
That puts the burden on the insured to understand clearly what their critical assets are and how much they are worth. The RiskLens platform fills the knowledge gap by providing a structured way to gather data within a company, combining it with the industry and proprietary loss data that RiskLens has gathered, and then producing calibrated estimates of a range of potential losses that the company can compare to its risk appetite before making an informed decision on how much coverage to buy.
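The frequency-times-magnitude reasoning behind the control comparison described earlier (encryption of customer data) and the loss range compared against risk appetite in the insurance use case can be made concrete with a small Monte Carlo simulation. This is an added illustration, not RiskLens code or the platform's own algorithm; the calibrated ranges, the encryption control, its cost and the risk appetite figure are all constructed values.

```python
import math, random
from statistics import mean
# Constructed (min, most likely, max) calibrated ranges, for illustration only:
# LEF = loss events per year, magnitude = USD lost per event.
BASELINE = {"lef": (0.1, 0.5, 2.0), "magnitude": (200_000, 1_500_000, 8_000_000)}
# Hypothetical control (encrypting customer files): frequency unchanged, magnitude shrinks.
ENCRYPTED = {"lef": (0.1, 0.5, 2.0), "magnitude": (20_000, 150_000, 1_000_000)}
CONTROL_COST = 250_000       # assumed annual cost of the control
RISK_APPETITE = 5_000_000    # assumed tolerable loss in a bad (90th percentile) year

def sample(rng, calibrated):
    """Draw from a triangular distribution given a (min, most likely, max) estimate."""
    lo, mode, hi = calibrated
    return rng.triangular(lo, hi, mode)  # stdlib argument order is low, high, mode

def poisson(lam, rng):
    """Number of loss events in one simulated year (Knuth's method, fine for small rates)."""
    threshold, count, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1

def simulate(scenario, years=10_000, seed=7):
    """Monte Carlo: total loss for each simulated year under the scenario."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = poisson(sample(rng, scenario["lef"]), rng)
        annual.append(sum(sample(rng, scenario["magnitude"]) for _ in range(events)))
    return annual

def summarise(annual):
    """Loss-exposure range: 10th/50th/90th percentile and mean annualised loss."""
    ordered = sorted(annual)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "mean": mean(ordered)}

def within_appetite(summary, appetite=RISK_APPETITE):
    return summary["p90"] <= appetite

def net_control_value(before, after, cost=CONTROL_COST):
    """Reduction in expected annual loss, net of what the control costs per year."""
    return mean(before) - mean(after) - cost

if __name__ == "__main__":
    base, enc = simulate(BASELINE), simulate(ENCRYPTED)
    print(summarise(base), summarise(enc), net_control_value(base, enc))
```

The mean of the annual losses is the annualised loss expectancy; the 90th percentile is the "bad year" figure to hold against risk appetite or an insurance limit.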