“I want to quantify my cyber risk using the FAIR risk model. Now I need to make a decision: build a spreadsheet or use a commercially available software such as RiskLens.” Have you had this conversation with yourself?
We’ve heard people say this on quite a few calls. It’s exciting because more and more organizations are adopting FAIR and are moving towards quantifying their cyber risk. That being said, home-grown solutions - specifically spreadsheets - aren't necessarily the answer.
Don’t get me wrong, as a math graduate, I LOVE SPREADSHEETS! Programming, color coding, and making them easy for other people to use and navigate. However, there are times when I bang my head against a wall trying to figure out why the yellow diamond with an exclamation point is suddenly my answer instead of a numeric value I was expecting.
Am I using spreadsheets to quantify cyber risk? No, rather for much easier tasks. So I can imagine the headache that accompanies implementing Monte Carlo simulations in a spreadsheet, only to get the bothersome “#VALUE” output. Are there other frustrations with going the spreadsheet route? Yes, like:
1) Delayed start of quantification
It takes time to build a spreadsheet. If analysts are tasked today to make a spreadsheet to quantify cyber risk, it could take months or even up to a year for a quantification spreadsheet to be up and working.
2) Things are figured out as you go
At first, it might seem like it will be a piece of cake to make a spreadsheet that is able to quantify your cyber risk. Then, as the spreadsheet is being built, it becomes clear that more information is needed from different disciplines – cyber, finance, risk, math, etc. – making it hard to incorporate the multi-disciplinary knowledge and formulas from all of them.
3) Spreadsheets are static
This is problematic if multiple analysts are working on one spreadsheet. They must send the spreadsheet to one another and make sure the newest version is the one being edited. Don't forget that if new values are entered into new cells, you have to run another simulation to get the updated scenarios.
4) Spreadsheets are time consuming
There are hundreds to thousands of cells that analysts will be working on. This increases the chances of entering information into the wrong cell. Worse still are copy-and-paste errors, which lead to #REF, #ERR and #VALUE outputs, meaning more time is spent editing the spreadsheet than actually running analyses.
5) Spreadsheets can't aggregate risk scenarios
If analysts are able to get a spreadsheet up and running, it is most likely the case that only the loss exposure of a single analysis can be calculated. That is a problem, as one of the main reasons to quantify cyber risk in the first place was to compare scenarios, calculate ROI, and prioritize risks and risk mitigations.
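To make concrete what points 4 and 5 are talking about, here is an added example (not code from the original post, and not RiskLens's product) of a compact FAIR-style Monte Carlo simulation in Python. It assumes a simplified FAIR decomposition in which annual loss for a scenario is the number of loss events in a year (Poisson, with the rate drawn from the analyst's loss event frequency range) times a loss magnitude per event, both expressed as lognormal 90% confidence ranges; the three scenarios and their figures are constructed for illustration. Every scenario is simulated in the same iteration, so the `aggregate` series is a true combined loss exposure that can be compared against any single scenario, which is exactly what a one-scenario spreadsheet cannot give you.

```python
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score bounding the central 90% of a normal distribution


@dataclass
class Scenario:
    """One FAIR loss scenario: a 90% confidence range for loss event frequency
    (events per year) and for loss magnitude (currency units per event)."""
    name: str
    lef_low: float
    lef_high: float
    lm_low: float
    lm_high: float


def lognormal_from_range(rng, low, high):
    """Sample a lognormal whose 5th/95th percentiles are `low` and `high`."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return rng.lognormvariate(mu, sigma)


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual event rates used here.
    Very large rates fall back to a normal approximation so exp(-lam) cannot underflow."""
    if lam > 500:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenarios, iterations=10_000, seed=1):
    """Return {scenario name: [annual loss per iteration]} plus an 'aggregate'
    series that sums every scenario's loss within the same iteration."""
    rng = random.Random(seed)
    results = {s.name: [] for s in scenarios}
    for _ in range(iterations):
        for s in scenarios:
            rate = lognormal_from_range(rng, s.lef_low, s.lef_high)
            events = poisson(rng, rate)
            loss = sum(lognormal_from_range(rng, s.lm_low, s.lm_high) for _ in range(events))
            results[s.name].append(loss)
    results["aggregate"] = [
        sum(results[s.name][i] for s in scenarios) for i in range(iterations)
    ]
    return results


def percentile(values, p):
    """Nearest-rank percentile (p in 0..1) of a list of samples."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def summarize(values):
    """Mean, median and 90th-percentile annual loss exposure for one series."""
    return {
        "mean": sum(values) / len(values),
        "p50": percentile(values, 0.50),
        "p90": percentile(values, 0.90),
    }


# Constructed sample scenarios (illustrative numbers, not real estimates).
SCENARIOS = [
    Scenario("phishing-led credential theft", 2.0, 12.0, 5_000, 80_000),
    Scenario("ransomware on file servers", 0.1, 1.0, 200_000, 3_000_000),
    Scenario("misconfigured cloud storage exposure", 0.2, 2.0, 20_000, 500_000),
]

if __name__ == "__main__":
    sim = simulate(SCENARIOS)
    for name, series in sim.items():
        stats = summarize(series)
        print(f"{name:40s} mean={stats['mean']:>12,.0f} "
              f"p50={stats['p50']:>12,.0f} p90={stats['p90']:>12,.0f}")
```

Because the simulation is seeded, two analysts running the same inputs get the same numbers, and adding a scenario or changing a range means re-running one function rather than re-wiring cells. The 90th-percentile figure on the `aggregate` line is the kind of "how bad could a year be" number that is useful for comparing mitigations, and it only exists when the scenarios are simulated together.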
Wouldn’t it be nice to start quantifying and reporting on your cyber risk now, rather than spending a lot of time and resources to come to the above-mentioned conclusions, like many analysts before you?