RiskLens is great because it lets you quantify cyber risk in dollars-and-cents terms. Better still, the workflow is easy:
- Scope the risk scenario
- Identify the asset(s) at risk, threat community, threat effect(s) and loss
- Answer the questions generated by the RiskLens application
- Click the “Run Analysis” button
The RiskLens computational engine uses Monte Carlo simulation to calculate the annualized loss exposure (ALE), in financial terms, of the modeled risk scenarios. And, voilà - you have reports like the one below, that CEOs and boards are used to seeing in other risk domains:
Really, it’s a beautiful report – in terms of the mathematics – and the important numbers are listed for you. But you might not have a math degree, and it’s been a while since your last statistics course…so what are all the numbers listed in the chart again?
Monte Carlo Simulation Numbers Explained
Let’s set the stage for the report above: RiskLens ran 10,000 simulations of a risk scenario.
The minimum is the single simulation that produced the lowest ALE: $31.3M (million).
The maximum is the opposite of the minimum: the single simulation that produced the highest ALE, $1.3B (billion).
The average is the sum of the 10,000 ALEs divided by 10,000, which gives $228.5M.
Here's where we get to the fun stats numbers!
The 10th percentile is the ALE value that 10% of the simulations are less than or equal to. In our example above, that is $112.9M: of the 10,000 simulations run, 1,000 produced an ALE at or below $112.9M. Why 1,000? Because 1,000/10,000 = 0.1, or 10%.
The 90th percentile is the ALE value that 90% of the simulations are less than or equal to. In our example above, that is $405.3M. Another way to think about it: 10% of the simulations are greater than or equal to $405.3M, so of the 10,000 simulations run, 1,000 produced an ALE larger than $405.3M (the ones to the right of the 90th percentile line on the chart).
How to Use the Risk Simulation Chart
Great - now we understand technically what the numbers are but how can decision-makers use the report?
Say your company has defined a risk appetite (RA) of $130.0M. You can compare the RA to where it falls on the simulated distribution. Note that loss distributions like this one are not a symmetric bell curve: the average ($228.5M) sits well above the 10th percentile and far below the maximum, because a small number of very large losses pull the right tail out. For instance:
- Compare the RA to the average. The average can be helpful, but it doesn’t always tell the full story, because it is sensitive to that tail. Suppose many more simulations had landed at a higher ALE (closer to $1.0B); the average would then be much higher than $228.5M. Back to the report above: our RA is $98.5M smaller than the average ($228.5M − $130.0M).
- See where the RA falls between the 10th and 90th percentiles (the range that 80% of the simulations fell into). Here the RA sits close to the 10th percentile, meaning roughly 90% of the simulated years exceed it. A more risk-tolerant company may be comfortable with that. A more risk-averse company may instead choose to manage against the 80th to 90th percentiles, meaning the RA for the example above would need to be much higher: between $380.0M and $405.3M.
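To make the percentile arithmetic and the risk-appetite comparison concrete, here is an added example (not RiskLens code; the RiskLens engine is proprietary and the input ranges below are constructed for illustration). It runs a simplified FAIR-style Monte Carlo in plain Python: each trial draws a loss event frequency and a per-event loss magnitude, multiplies them into an ALE, and the summary reproduces the five numbers the chart lists plus the share of simulated years that exceed a chosen appetite. The `percentile` function uses the nearest-rank rule, so with 10,000 trials the 10th percentile is exactly the 1,000th value in sorted order, as the post describes.

```python
"""Simplified FAIR-style Monte Carlo for annualized loss exposure (ALE).

Added example, not RiskLens code. It reproduces the statistics the report
lists (min, max, average, 10th and 90th percentiles) and the risk-appetite
comparison described in the post. All input ranges are constructed.
"""
import math
import random
from typing import Dict, List, Sequence

# Constructed inputs for one risk scenario (assumption, not from the post):
# loss event frequency (events/year) as a min / most-likely / max range, and
# loss magnitude per event as a lognormal with a $5M median and a wide
# spread, which gives the right-skewed shape typical of loss curves.
LEF_MIN, LEF_MODE, LEF_MAX = 0.5, 2.0, 8.0
LM_MEDIAN, LM_SIGMA = 5_000_000.0, 0.9
N_SIMULATIONS = 10_000


def simulate_ale(n: int = N_SIMULATIONS, seed: int = 42) -> List[float]:
    """Return n ALE samples; each trial draws a frequency and a magnitude."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    samples = []
    for _ in range(n):
        lef = rng.triangular(LEF_MIN, LEF_MAX, LEF_MODE)
        magnitude = rng.lognormvariate(math.log(LM_MEDIAN), LM_SIGMA)
        samples.append(lef * magnitude)
    return samples


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile: the smallest sample value v such that at
    least p*n of the samples are <= v.  With n=10,000 and p=0.10 this is
    the 1,000th value in sorted order."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    ordered = sorted(samples)
    rank = math.ceil(p * len(ordered))  # 1-based rank
    return ordered[rank - 1]


def summarize(samples: Sequence[float]) -> Dict[str, float]:
    """The numbers the risk simulation chart lists."""
    return {
        "min": min(samples),
        "p10": percentile(samples, 0.10),
        "mean": sum(samples) / len(samples),
        "p90": percentile(samples, 0.90),
        "max": max(samples),
    }


def compare_to_appetite(samples: Sequence[float],
                        risk_appetite: float) -> Dict[str, float]:
    """Where the risk appetite sits in the simulated distribution.

    exceedance: share of trials whose ALE is above the appetite, i.e. the
    model's probability that a year's loss exposure exceeds what the
    business said it is willing to carry.
    gap_from_mean: average ALE minus the appetite (positive means the
    appetite sits below the average, as in the post's example).
    """
    n = len(samples)
    above = sum(1 for s in samples if s > risk_appetite)
    return {
        "exceedance": above / n,
        "gap_from_mean": sum(samples) / n - risk_appetite,
    }


if __name__ == "__main__":
    ale = simulate_ale()
    stats = summarize(ale)
    for name, value in stats.items():
        print(f"{name:>5}: ${value / 1e6:,.1f}M")
    # Constructed appetite placed just above the 10th percentile, mirroring
    # the post's example of an RA that sits near the low end of the range.
    ra = stats["p10"] * 1.15
    result = compare_to_appetite(ale, ra)
    print(f"appetite ${ra / 1e6:,.1f}M is exceeded in "
          f"{result['exceedance']:.0%} of simulations; "
          f"gap from mean ${result['gap_from_mean'] / 1e6:,.1f}M")
```

Two things worth noticing when you run it: the average lands above the median because of the long right tail, which is why comparing the RA only to the average can be misleading, and an appetite set near the 10th percentile is exceeded in roughly 90% of simulated years, so "RA is close to P10" is really a statement about how often the business expects to be over budget on loss.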
Either way, you gave executives some solid numbers to make a decision (and possibly gave yourself justification to ask for more budget to reduce risk).