Detailed Versus High-Level Cyber Risk Analysis: A Balancing Act

Which one is better? This is a question I get asked a lot. Before I answer though, allow me to briefly describe them both.

High-level risk analysis often refers to scoping, and tackling a group of assets or threats all at once. For example, a customer recently completed a single risk analysis of over 200 web applications maintained by the organization. Detailed risk analysis would have taken that same scope, but an individual analysis would be performed over each application separately.

So back to the debate: which one is better? It depends

Take a look at the objectives

If you are being asked to inform others on the overall risk, then performing a high-level analysis may be sufficient. If you are being asked to prioritize, track metrics over time, or to identify the three applications with the highest risk, then detailed analysis may be the better approach.

Consider the effort

High-level risk analysis can be very efficient. Instead of measuring the trees in the forest, we describe the overall population. Obviously we sacrifice being precise, but can often still model the risk accurately. Detailed risk analysis may require greater work to complete as well as maintaining it over time. While the data and analytics you may be able to identify and track are interesting, make sure you have the resources to ensure that the work is sustainable over time.

RiskLens can help you perform both

FAIR is our risk model. Our platform is engineered to allow you the flexibility to choose either approach to do your risk analysis.

One final suggestion

As a practitioner, I always strive for delivering valuable results in an efficient manner. With this in mind, I would recommend starting by analyzing risk at a high-level. Let the stakeholders and their feedback determine whether the added precision of detailed analysis is required, and to what extent.