I recently ran an analysis for a major bank that I think shows the power of both the FAIR Model for thinking through cybersecurity investment decisions and the power of the RiskLens CRQ platform for quickly running the numbers to support those decisions, often with surprising results. Here are the details:
The bank was concerned about defending itself against fraud – not the one-off variety of stolen identities impersonating customers online but fraud based on a massive, stealthy attack on the bank’s customers that would drain bank accounts over time. Bank management wanted to know their probable risk and their best cybersecurity defense: They thought that multi-factor authentication would be the answer but didn’t know how to deploy it for maximum return on investment.
Applying the FAIR methodology, our RiskLens analyst team was able to clarify a complicated set of dependencies. Interviewing the bank’s risk managers, we realized the analysis actually covered two risk scenarios:
- A breach of their data warehouse storing confidential customer logon credentials
- The use of those credentials through the online banking application to loot the customers’ bank accounts
So, to give the bank a complete picture of its loss exposure, we would first have to estimate the likelihood and impact of the data breach, then do the same for the online fraud.
We tackled the data warehouse first, and quickly ran into a common (perceived) roadblock: The bank had never suffered a breach and thought it lacked the historical record to run a risk analysis.
Leveraging the expertise of the bank’s cyber staff and industry data compiled by RiskLens, we were able to make a calibrated estimate, in other words, determine a useful range of probable frequency for a breach (using the RiskLens application’s Monte Carlo engine to do the math). We could then feed that into the second analysis for the fraud.
Now we had an analysis of the Current State of the bank’s risk of this type of attack (an average $2.5 million annualized) and could move on to running scenarios for what-if, Future State analysis, of applying controls to reduce Current State risk.
We looked at the bank’s first controls option, multifactor authentication (MFA), at two levels: for access to the database, and for access to the customer-facing, online banking application. As you can see in the results chart, MFA at the application level and database level would accomplish similar risk reduction (though at the application level would have an extra disadvantage of annoying customers).
Then we suggested to the bank that, as a reality check, we run a Future State with a different control: encryption of data at rest. The result, as you can see, was far ahead in overall risk reduction for the bank compared to MFA and Current State: an annualized average loss exposure of just $89,000. And thanks to the flexibility of the RiskLens application, running extra scenarios only took a few minutes.
The Wall Street Journal recently covered Charles Schwab's use of the FAIR Model. The Journal's comment: "This risk-based system can help companies better understand the costs of cyber threats." Read more.