Nick Sanna, CEO of RiskLens and President of the FAIR Institute, recently spoke at a webinar hosted by Ostendio, the IRM solution provider, and with some expert questioning by Ostendio CEO Grant Elliott gave a short seminar that answers many of the basic questions about cyber risk quantification. Here are excerpts from the Q&A.
Watch the complete webcast: Understanding the Science of Risk Management
Q: From your perspective, what is risk management?
A: In the cyber world, it’s the activities that companies implement to reduce the impact of cyber threats.
Q: You used the word 'impact'. Can you expand on that?
A: This is important because risk has been treated more as an art that was subject to personal judgement, where people use their gut to incorporate into decision making. Somehow in cyber risk we were just used to winging it or portraying that cyber risk is so complex and dynamic that it is impossible to properly assess risk.
Fortunately, in the last decade, models have emerged that treat risk more as a science where part of the equation in assessing risk is the notion of frequency and impact. A risk can be defined as the probable frequency and probable magnitude or impact of a loss event.
Q: Talk us through the specific components of FAIR™. This is really looking at risk more in a scientific notion.
A: A loss, particularly in cyber, can be defined as the probability of a threat hitting an asset of value that might be surrounded by controls and then resulting in a material impact to the business. It’s only when you have a probable loss event that you have risk. Once you define those loss events, you can start measuring.
We have a schematic drawing showing how the FAIR standard helps you decompose risk. The beauty of FAIR is that, depending on the availability of data, you can work at a higher or lower level of abstraction – either use historical data or make simulations based on estimates of subject-matter experts or data that may exist in the industry.
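The decomposition described in the two answers above (a threat acting on an asset behind controls, with risk expressed as probable frequency times probable magnitude, estimated by simulation from subject-matter-expert ranges) can be shown concretely. The following is an added example written for this article; it is not RiskLens code and not part of the webinar. It assumes three-point (min, most likely, max) expert estimates sampled from a triangular distribution, a Poisson draw for the number of loss events in a year, and a constructed scenario whose numbers are illustrative only; real FAIR tooling commonly uses PERT distributions and calibrated data rather than the values chosen here.

```python
"""Monte Carlo estimate of annualized loss exposure in the FAIR style.

Added example, not from the webinar or RiskLens. Distribution choices
(triangular estimates, Poisson event counts) and all numbers are assumptions.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (min, most likely, max) estimate from a subject-matter expert."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution is an assumption; FAIR tooling often uses PERT.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    """One loss-event scenario: a threat acts on an asset behind controls."""
    threat_event_frequency: Estimate  # threat actions against the asset per year
    vulnerability: Estimate           # probability a threat action defeats the controls
    loss_magnitude: Estimate          # loss per successful event, in currency units


def poisson(rng: random.Random, rate: float) -> int:
    """Number of events in one year given an annual rate (Knuth's algorithm)."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_year(scenario: Scenario, rng: random.Random) -> float:
    """Total loss for one simulated year of the scenario."""
    tef = scenario.threat_event_frequency.sample(rng)
    vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
    loss_event_frequency = tef * vuln  # FAIR: LEF = TEF x Vulnerability
    events = poisson(rng, loss_event_frequency)
    return sum(scenario.loss_magnitude.sample(rng) for _ in range(events))


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1,
             tolerance: float = 1_000_000.0) -> dict:
    """Run many simulated years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenario, rng) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "mean": sum(losses) / trials,            # annualized loss exposure
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": losses[-1],
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / trials,
    }


# Constructed scenario (assumption): a customer database exposed to external
# attackers, with expert ranges rather than measured data.
SAMPLE_SCENARIO = Scenario(
    threat_event_frequency=Estimate(2, 6, 12),           # contacts per year
    vulnerability=Estimate(0.05, 0.15, 0.30),            # P(controls fail)
    loss_magnitude=Estimate(20_000, 150_000, 900_000),   # per-event loss
)

if __name__ == "__main__":
    for key, value in simulate(SAMPLE_SCENARIO, trials=20_000, seed=7).items():
        print(f"{key:>20}: {value:,.2f}")
```

The summary that matters for a decision is rarely the mean alone: the 90th percentile and the probability of exceeding a stated loss tolerance are what let a control investment be compared against the uncertainty it actually reduces, which is the point the answer makes about decisions hinging on reducing uncertainty rather than on super-precise inputs.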
Q: How does RiskLens leverage FAIR?
A: We are helping organizations scale the application of the FAIR standard to quantify and manage risk. FAIR alone is not enough; it is a conceptual model. How do you start pairing up your analysis with a risk register? How do you reuse data at scale, so you don’t have to collect the data every single time? How do you produce an automatically generated report? All that requires technology support and that’s what we provide at RiskLens.
Q: How do you go about collecting sufficient data to make effective decisions?
A: There is a myth in the industry that you need a lot of data to complete a risk analysis. What we have found is that most companies have more data than they think, and less data is required for risk analysis. The goal of risk management is not always to give you super-precise data. Most of the decisions hinge on reducing the level of uncertainty.
Smaller companies, working off industry benchmarks and enriching with a few data points (maybe how many records the database holds or the cost of downtime), can go a long way to completing an analysis very quickly. We at RiskLens will start making that data available early next year. So, if you don’t have the resources to build a big risk management program or don’t have a deep knowledge of FAIR but want to assess the impact at a high level for specific risk scenarios, you are going to be able to do that. Then you can grow in depth as the company grows.