You can follow four easy steps to understand how much analysis work is in play.
Step 1: Know what goes into an analysis
It’s critical to understand what belongs in a risk analysis and what does not. In the Factor Analysis of Information Risk (FAIR) frame of mind, risk analyses include one or more loss events.
A loss event is comprised of the following factors:
An asset under analysis;
A threat acting to cause harm to that asset;
The resulting impact.
For example, the scope of a risk analysis for a PCI environment might include multiple loss events, as displayed below.
In a RiskLens analysis, you would also be prompted to select a ‘loss table’ that would provide the input for the impact side of the risk equation.
Step 2: Calculate how long it would take to complete the analysis
Following this approach, we can breakdown any analysis into the number of scenarios involved. In our experience, it takes a single analyst between 4 and 10 hours to complete an analysis, per loss event. Seasoned risk analysts are faster: 2 to 6 hours per loss event.
With this data at hand, we can do some simple calculations to figure out how much time we need for our analyses. For our sample PCI analysis, we have a combination of three assets and two threats resulting in six loss events. The following table estimates how much time we need for this analysis, assuming it is conducted by lesser experienced analysts:
These figures go down significantly for experienced risk analysts, as illustrated in the table below.
Armed with this data, you can set proper expectations for the completion of your risk analyses.
Step 3: Determine your total workload
From here, we can rework our table to describe our book of work for the year. I recommend bucketing analyses based on some reasonable criteria. You could start by listing the various type of risk reporting requirements that you may have in your organization. Example:
Weekly – ad-hoc assessments over vulnerabilities or control exceptions
Monthly – project assessments
Quarterly – quarterly risk landscape updates
Annually – enterprise assessments; assessments over audit results
By decomposing the types of analyses into their parts, we can estimate the number of loss events. We can then aggregate estimates into a table like this one:
Step 4: Gauge if you have capacity to meet program objectives
Finally, you need to align your estimated workload with the capacity of your team. There are many approaches to capacity planning. The road I often take is simplistic and takes into account the following:
Current and future staffing
Percentage of time team members spend on analyses
Total estimated workload for the team (above)
Do you need help in setting up your cyber risk management program? Do you have urgent reporting requirements that would benefit from the use of expert resources?
RiskLens’ Customer Success team is happy to hear from you and to provide you with a complimentary needs assessment.