To Aggregate or Not to Aggregate Cyber Risk Analyses?

May 9, 2019  Tim Wynkoop

That is the question we get asked fairly often by clients: when should the results of multiple FAIR risk quantification analyses (each showing one scenario) be aggregated for an overall view of cyber risk? Aggregating can show the big picture, but it can also distort the view. Below are a few examples of when to use aggregation and when not to.

When to use risk analysis aggregation:

The most common form of aggregation is determining your organization's Top Risks. A side-by-side picture of your exposure to these top risk scenarios gives you what you need to make a better-informed decision. Since these risks are usually highly visible within your organization, this type of aggregation shows your overall exposure for these scenarios and lets you make quick comparisons on how best to reduce loss exposure.

Another use of aggregation is understanding your exposure to one outcome that can arrive through multiple vectors, for example an outage of a manufacturing plant. Many scenarios could cause that outage, such as bad weather or a misconfiguration, each with its own frequency and severity. Aggregating them gives a much better picture of how much exposure this "theme" truly carries.

A third example, related to the second, may play into your risk acceptance process. Depending on how you break down scenarios within your organization (for example, by business unit), aggregating the view of how much risk a particular business unit is taking on can inform management about where that unit stands against the organization's risk appetite.


Tim Wynkoop is a Risk Consultant for RiskLens


When NOT to aggregate your cyber risk analyses:

The biggest misuse of aggregation is combining completely unrelated events: for example, a breach of application X and an outage of application Y when the two have nothing in common. When you get the final result, it is very difficult to communicate what the loss exposure truly represents, because there is no commonality between the analyses.

A similar wrong turn is trying to aggregate everything in your risk register. This takes away the "useful amount of precision" that is one of the goals of FAIR analysis. The more you aggregate, the less visibility you have into what is driving the risk exposure in the first place.
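As an added example (not code from the original post or from RiskLens), here is a stdlib-only Python Monte Carlo that aggregates three hypothetical scenarios into the plant-outage "theme" from the earlier section and reports each scenario's share of the total, which is exactly the visibility the paragraph above warns you lose when you aggregate the whole register. The scenario names, frequencies and magnitudes are constructed assumptions; the modelling follows the usual FAIR shape of a loss event frequency (Poisson) times a loss magnitude per event (lognormal).

```python
"""Monte Carlo aggregation of FAIR-style scenarios (stdlib only).

Each scenario carries a loss event frequency (LEF, events per year, drawn
from a Poisson distribution) and a loss magnitude per event (drawn from a
lognormal distribution). A scenario's annual loss is the sum of that year's
event magnitudes; the theme aggregate is the sum across scenarios computed
within each simulated year, so the whole distribution (not just the mean)
is aggregated correctly.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_per_year: float  # Poisson mean: loss events per year
    lm_median: float     # median loss magnitude per event (USD)
    lm_sigma: float      # log-space standard deviation of loss magnitude


# Constructed, hypothetical inputs for a "manufacturing plant outage" theme.
# The numbers are illustrative assumptions, not figures from the post.
PLANT_OUTAGE = (
    Scenario("severe weather outage", 0.5, 250_000, 0.6),
    Scenario("misconfiguration outage", 2.0, 40_000, 0.8),
    Scenario("ransomware outage", 0.1, 1_500_000, 0.7),
)


def poisson(rng, lam):
    """Knuth's method; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(rng, s):
    """One simulated year for one scenario: event count, then magnitudes."""
    events = poisson(rng, s.lef_per_year)
    mu = math.log(s.lm_median)  # the lognormal median is exp(mu)
    return sum(rng.lognormvariate(mu, s.lm_sigma) for _ in range(events))


def simulate(scenarios, years=10_000, seed=1):
    """Return (per-scenario annual losses, aggregate annual losses).

    The aggregate is summed inside each simulated year. Adding summary
    statistics from separate reports (e.g. each scenario's 90th percentile)
    would not reproduce the aggregate distribution.
    """
    rng = random.Random(seed)
    per_scenario = {s.name: [] for s in scenarios}
    aggregate = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            loss = annual_loss(rng, s)
            per_scenario[s.name].append(loss)
            year_total += loss
        aggregate.append(year_total)
    return per_scenario, aggregate


def summarize(samples):
    """Mean (annualized loss expectancy) plus a few percentiles."""
    xs = sorted(samples)

    def pct(p):
        return xs[min(len(xs) - 1, int(p * len(xs)))]

    return {"mean": statistics.fmean(xs), "p50": pct(0.5), "p90": pct(0.9), "max": xs[-1]}


def contributions(per_scenario):
    """Share of the aggregate mean driven by each scenario (sums to 1.0).

    This is the visibility that disappears when only the aggregate is reported.
    """
    means = {name: statistics.fmean(v) for name, v in per_scenario.items()}
    total = sum(means.values()) or 1.0  # guard the all-zero case
    return {name: m / total for name, m in means.items()}


def analytic_ale(s):
    """Closed-form mean annual loss, used as a sanity check on the simulation:
    LEF * E[magnitude], where E[lognormal] = median * exp(sigma^2 / 2)."""
    return s.lef_per_year * s.lm_median * math.exp(s.lm_sigma ** 2 / 2)


if __name__ == "__main__":
    per, agg = simulate(PLANT_OUTAGE)
    shares = contributions(per)
    print("theme aggregate:", {k: round(v) for k, v in summarize(agg).items()})
    for name, samples in per.items():
        print(f"  {name:26s} ALE {summarize(samples)['mean']:>12,.0f} "
              f"({shares[name]:.0%} of theme)")
    print("sum of scenario p90s:", round(sum(summarize(v)["p90"] for v in per.values())),
          "vs aggregate p90:", round(summarize(agg)["p90"]))
```

Two things are worth noticing in the output. The scenario means add up to the theme mean, but the 90th percentiles do not (compare the last line), so aggregation has to be done by re-simulating the scenarios together rather than by adding numbers off separate reports. And the contribution column is what keeps the aggregate explainable: drop it, and a Top Risks or theme view turns into an opaque total whose drivers nobody can point to.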

In conclusion, when you are looking to aggregate, keep the end in mind: "What is the purpose of this analysis or these analyses?" or "What story are you trying to tell?" Keeping that mindset will help you answer the question of whether or not to aggregate.

To take a cue from Brandon Sanderson:  “The purpose of the storyteller is not to tell you how to think, but to give you questions to think upon." Help your stakeholders ask the questions to move your organization forward.