Here at RiskLens, one of our passions is quantifying (in dollars and cents) things that some say cannot be quantified. This is the first in a series of posts exploring examples of quantified risks.
Elements of quantification
At the end of the day, what we rely on is a set of probability statements (the math) funneled through FAIR, Factor Analysis of Information Risk (the model). We leverage Monte Carlo -a lot. What we're doing at RiskLens doesn’t rock the world of actuarial scientists; they’ve been doing it for a very long time. Certainly, the same can be said for financial risk disciplines such as credit and liquidity.
Who is quantifying risk
Cybersecurity and operational risk disciplines, however, have not latched onto the realization that their risks can be quantified in similar terms as the disciplines mentioned above. Within the spectrum of the Fortune 500, we have dozens of customers bucking this outmoded way of thinking; all of them reaching the same conclusion: Cybersecurity and operational risks can be quantified. And beyond that, the executives and boards consuming the results are convinced it should be quantified. (Learn more about what people have to say about FAIR and cyber risk quantification at The FAIR Institute.)
Communicating ROI
With the gauntlet laid down, let’s peel back the curtain and see an example of how to accomplish this feat of probabilistic resolution.
Executive management of a Fortune 200 company asked Information Security to measure the ROI of a proposed anti-malware solution. InfoSec turned to Cyber Risk Quantification to measure ROI as a function of the reduction in risk with the anti-malware solution in place. Read the rest of the case study to find out if the $500K per year solution was worth the investment.