Risk analysts appear to have a DIY mindset, turning to spreadsheets to conduct quantitative risk analyses with FAIR, the international standard model for cyber risk quantitative analysis. While there is nothing quite as satisfying for some as building a complex Excel workbook to achieve your goal, there is a better way.
Before you go ahead and create your own spreadsheet solution for FAIR analysis, consider these four important benefits to utilizing RiskLens (the only cyber risk analytics platform purpose-built on FAIR) in your organization over a traditional spreadsheet-based solution:
Data collection is often the most time-consuming and vital part of any project. If you are like me, then you have likely been in projects where you have spent what felt like an insurmountable amount of time in the data gathering stage – only to find out that you missed a variable or made an incorrect assumption, leading to reworking the entire data gathering process.
To avoid this issue, RiskLens guides you through the entire process, from setting up your analysis to be scoped according to FAIR all the way through your data collection process. There are guiding questions for every aspect of the analysis, with additional guidance descriptions to make sure that you understand what each question is looking for. By doing so, the RiskLens tool helps the user avoid missing any data required to complete a FAIR quantitative risk analysis.
Not only does the tool help you along the entire data collection journey, but it also utilizes data libraries that you are able to customize, save, and store in RiskLens. After creating the data libraries (with the help of the RiskLens Team), users are able to then apply those libraries to future analyses, applying consistent and dynamic data to analyses and creating robust and accurate results.
When it comes to collaboration on any document, spreadsheet, or analysis, organization is key. You may have been part of a group effort where different versions of the same document were floating around being worked on simultaneously. This often causes work to be performed twice, work to be lost, or even team members to be confused about which version is correct and most up-to-date.
RiskLens has built-in views and capabilities that directly address this issue: auditing logs & assignments. When a change is made in any analysis, RiskLens automatically logs what changed, who made that change, and when that change was completed, giving everyone on the platform complete transparency and visibility into who is working on what and when.
Additionally, there is a capability within the tool that lets you assign particular users to analyses. This is a great way to segment and group users with analyses only relevant to them, creating organization and reducing clutter on a user’s dashboard.
Aggregation capabilities are another major benefit of RiskLens over traditional spreadsheet methods. In a traditional spreadsheet approach, you are limited to one effect or threat actor per scenario you are analyzing. In order to consider the impacts of multiple events at once, you are forced to rely on simple addition alone, which does not accurately represent the holistic loss exposure from all in-scope events. This limits your ability to assess complex scenarios with multiple threat actors, assets, and effects in a realistic manner and make defensible risk-based decisions.
With RiskLens, aggregation capabilities allow you to analyze multiple effects and threat actors in one scenario. By doing so, you are able to see the total loss exposure the organization is facing with all relevant events considered, as well as look into each event independently of the others.
When you want to add any updates to an analysis, you are able to save, lock, and version your analysis. A saved and locked analysis can no longer be adjusted, and the results can be used in advanced reporting such as comparisons. Using this feature makes your analysis a benchmark.
After saving and locking, you are able to version your analysis. Versioning an analysis creates a new analysis with the current analysis as the parent. Your analysis will be automatically copied, and the scope of the new analysis may be modified for easy and built-in organization. Versioning is a fantastic way to incrementally work on any analysis with a clear parent/child relationship. You never have to worry about whether you or your team members are working on the most up-to-date analysis.
Another organizational risk to any multi-person project is inefficient usage of time. When you have a system or document that allows one person to have access at a time – the others sit idly by. In RiskLens you are able to have multiple users signed in and working on the same analysis simultaneously. With autosave features, all users see updates in real time and can work collaboratively on parts of the analysis. This saves time, creates transparency, and increases productivity for any analysis.
Here is an example of advanced reporting available in RiskLens. This is a comparison report the tool can generate based upon analyses that you select and group together.
Building an analysis is a big undertaking. But ultimately, the most important part of the exercise is the next steps: reporting and analyzing results. Creating effective and meaningful reports from analysis results is just as important as the analysis itself. If you are not able to communicate your findings to decision makers, then what did you do the analysis for? RiskLens has built-in reporting that users are able to take advantage of.
After you complete any analysis, you are taken to a page with automated reporting results showing the annualized loss exposure as well as reports on the areas where loss materialized. There are also summary reporting results from every aspect of your analysis that are easy to digest. In addition to being viewable in the platform, the reports are also exportable, allowing you to place them into findings presentations for decision makers.
Additionally, due to versioning capabilities, there are built-in “What If” reporting capabilities in the tool, allowing for sensitivity analyses to be conducted on the original analysis. All of these built-in reporting tools are user-friendly and effective and allow for greater consistency in reporting.
Although an advanced spreadsheet may be capable of computing very basic FAIR analyses, it lacks the additional components crucial to creating an effective analysis, such as the use of ranges, rationale, scoping, Monte Carlo calculations, and many more. Creating a sophisticated spreadsheet is no easy task. It can take weeks or even months of work to add in working functions and formulas.
Now, rather than having to create a giant spreadsheet including all sorts of features and formulas on your own with no guidance – imagine a tool that already encompasses every function you need to complete your FAIR analysis. You don’t need to code, format, or design anything on your own. You don’t have to second-guess yourself every step of the way about whether you are going in the right direction or missing any requirements. RiskLens has built-in scoping, ranges, Monte Carlo simulations, and rationale capabilities with built-in descriptions and guidance the whole way.
RiskLens is a tool designed to help users every step of the process to create accurate, defensible, rigorous FAIR quantitative risk analyses.
Next steps: Get FAIR-U, a web app that allows you to try FAIR (Factor Analysis of Information Risk), the powerful model behind the RiskLens platform, for free. FAIR-U empowers you to create and quantify single-scenario FAIR risk analyses. Additionally, it is a training platform for both individuals and universities. For a demonstration of the enterprise-level RiskLens CRQ Platform, contact our sales team.