You can follow four easy steps to understand how much analysis work is in play.
Step 1: Know what goes into an analysis
It is critical to understand what belongs in a risk analysis and what does not. Under the Factor Analysis of Information Risk (FAIR) model, a risk analysis consists of one or more loss events.
A loss event is made up of the following factors:
- An asset under analysis;
- A threat acting to cause harm to that asset;
- The resulting impact.
Step 2: Calculate how long it would take to complete the analysis
Following this approach, we can break any analysis down into the number of scenarios involved. In our experience, a single analyst needs between 4 and 10 hours per loss event to complete an analysis. Seasoned risk analysts are faster: 2 to 6 hours per loss event.
With this data at hand, we can do some simple calculations to figure out how much time we need for our analyses. For our sample PCI analysis, we have a combination of three assets and two threats, resulting in six loss events. The following table estimates how much time we need for this analysis, assuming it is conducted by less experienced analysts:
Step 3: Determine your total workload
Add up every recurring assessment your program commits to, for example:
- Weekly - ad-hoc assessments over vulnerabilities or control exceptions
- Monthly - project assessments
- Quarterly - quarterly risk landscape updates
- Annually - enterprise assessments; assessments over audit results
Step 4: Gauge if you have capacity to meet program objectives
Compare that workload against:
- Current and future staffing
- Percentage of time team members spend on analyses
- Total estimated workload for the team (above)
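As an added example (not from the article or from RiskLens), the following Python calculator puts Steps 2 to 4 together: it counts loss events as assets × threats, applies the hour ranges per loss event quoted in Step 2, annualises a cadence like the one in Step 3, and compares the result with team capacity as in Step 4. The sample assessment mix and the 1800-hour analyst working year are assumptions, not figures from the article.

```python
from dataclasses import dataclass

# Hours per loss event, as stated in Step 2 of the article.
HOURS_PER_LOSS_EVENT = {
    "junior": (4, 10),     # less experienced analysts
    "seasoned": (2, 6),    # seasoned FAIR analysts
}


@dataclass
class Assessment:
    """One recurring assessment type: loss events in scope and runs per year."""
    name: str
    loss_events: int       # assets x threats in scope for one run
    runs_per_year: int     # weekly=52, monthly=12, quarterly=4, annually=1


def loss_events(assets: int, threats: int) -> int:
    """A FAIR loss event pairs one asset with one threat, so scope = assets x threats."""
    return assets * threats


def hours_range(n_loss_events: int, experience: str) -> tuple:
    """Low/high analyst hours for a single analysis covering n loss events."""
    lo, hi = HOURS_PER_LOSS_EVENT[experience]
    return n_loss_events * lo, n_loss_events * hi


def annual_workload(assessments, experience: str) -> tuple:
    """Sum low/high hours across all recurring assessments for one year."""
    lo = hi = 0
    for a in assessments:
        run_lo, run_hi = hours_range(a.loss_events, experience)
        lo += run_lo * a.runs_per_year
        hi += run_hi * a.runs_per_year
    return lo, hi


def capacity_hours(analysts: int, pct_time: float, hours_per_year: int = 1800) -> float:
    """Analyst hours available for analyses (1800 h/year is an assumed working year)."""
    return analysts * hours_per_year * pct_time


def capacity_gap(assessments, experience: str, analysts: int, pct_time: float) -> dict:
    """Worst-case shortfall: demand at the high end of the range minus capacity."""
    lo, hi = annual_workload(assessments, experience)
    cap = capacity_hours(analysts, pct_time)
    return {"demand_low": lo, "demand_high": hi, "capacity": cap,
            "shortfall_worst_case": max(0, hi - cap)}


# Constructed sample mix following the Step 3 cadence (counts are assumptions).
SAMPLE_ASSESSMENTS = [
    Assessment("ad-hoc vulnerability / control exception", 1, 52),
    Assessment("project assessment", 2, 12),
    Assessment("risk landscape update", 4, 4),
    Assessment("enterprise assessment", loss_events(3, 2), 1),
    Assessment("audit results assessment", 3, 1),
]
```

Running `capacity_gap(SAMPLE_ASSESSMENTS, "junior", analysts=1, pct_time=0.5)` shows that one less experienced analyst at half time covers the low end of the sample workload but falls about 110 hours short of the high end.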
Do you need help in setting up your cyber risk management program? Do you have urgent reporting requirements that would benefit from the use of expert resources?
RiskLens' Customer Success team is happy to hear from you and to provide you with a complimentary needs assessment.