How to Improve the Cyber Risk Signal-to-Noise Ratio

Signal-to-noise ratio (SNR) is a measure used in science and engineering that compares the level of a desired signal to the level of background noise. It is defined as the ratio of signal power to noise power, often expressed in decibels.

Signal-to-Noise Ratio in GRC

This week, I met with one of our customers and we discussed how a large GRC (governance, risk management and compliance software) implementation still didn’t solve a critical problem within the risk management function. They boiled it down to SNR. From a personal perspective, SNR is not a difficult concept to relate to. Every day, your email inbox is inundated with large volumes of email, some of it extremely valuable and most of it irrelevant; the proportion of the valuable to the irrelevant is your SNR. Much of the noise is eliminated with technology and people, i.e. spam filters and dependable executive assistants! The desired effect is obviously to filter out the noise and focus on the signal.

This problem is exponentially more complex when evaluating the barrage of cybersecurity risks facing an organization on a daily basis. In most organizations, these risks are sometimes defined as findings or issues within a GRC system. Our customer stated that somehow their risk analysts needed to filter through all the noise to determine which findings (signals) needed additional analysis to determine the probable impact to the business. Their ultimate goal is to make well-informed strategic and tactical mitigation decisions. RiskLens developed an application specifically to solve the SNR problem.

Improving SNR for Cyber Risk

RiskLens customers are using Cyber Risk Triage as their rapid risk assessment tool to help determine which new cyber risk scenarios deserve a full quantitative risk analysis. Key use cases include:

  • Quantifying the potential loss exposure driven by risk scenarios as they emerge
    • Improving their risk assessment posture from reactive to proactive by modeling risk scenarios and quickly estimating the potential loss exposure in dollars & cents
    • Embedding quick risk assessments as part of program & project management processes
  • Making well-informed prioritization decisions based on financially-focused risk data
    • Evaluating the significance of new exploits and changes to the risk landscape
    • Prioritizing which risk scenarios deserve a comprehensive risk analysis
    • Quickly assessing the true business significance of audit findings, security assessment results, and other potential sources of noise