As a RiskLens Risk Consultant, it’s my privilege to help clients build a quantitative cyber risk management program (QRMP). Along the way, there are plenty of “aha!” moments, as clients gain experience in designing, implementing and socializing their risk management programs based on the discipline of financial analysis of cyber risk with the FAIR™ model. I took five of those breakthrough moments and turned them into some tips you can resolve to follow to get a head start on your QRMP.
1. Triage First. Detailed Quantification Is Not Always the Answer
At the beginning of the RiskLens journey, people often believe that a full, detailed analysis is required for every risk scenario they quantify. The reality is not all security concerns need the same depth of risk analysis, nor can risk analysts afford to dive deep into everything that comes across their desk. To determine whether an issue requires deep-dive analysis, risk analysts need a solution that enables them to rapidly assess risk and determine if the risk is material to the organization. That solution is triage.
A simple triage analysis - averaging less than 15 minutes and still backed by the power of FAIR and quantification - can often be enough to separate scenarios that require immediate attention from those that don’t.
2. Tell More Stories. The Narrative Is Equally as Important as the Numbers
After fumbling in the world of red, yellow, green and high, medium, low, it can be easy to get caught up in the numbers when presenting the results of a quantitative risk analysis. While the numbers are important (hello, ROI), the narrative - the context - is equally as important. The art of storytelling is a risk analyst’s best friend – by walking the audience through the steps of the analysis and sharing your “aha!” moments along the way, you help them arrive at the same conclusion you did. The purpose of quantitative risk analysis is to arm decision makers with the information to make informed, risk-based decisions – in order to do so they need all of the information, not just the loss exposure numbers you’ll generate on the RiskLens platform.
3. Do the Work. Sparing Seemingly Non-Existent Time on an Analysis Is Worth the Effort
Let’s be real – sometimes quantitative risk analysis might seem daunting, and assigning a color or simple rating to a risk seems more efficient. What you gain in efficiency, though, you lose in utility. Is that color rating really helping you to make the big decisions required by the organization, or to prioritize your risks? Do you find your risk management team having robust and defensible conversations when trying to determine if a risk is red or red-orange?
We’ve all been several weeks, months, or years into a soul-sucking project only to learn that it really isn’t something that is going to benefit the organization after all.
By running a quantitative risk analysis (which can take less than 15 minutes using triage), you can quickly prioritize the competing initiatives on your desk and determine which ones require your attention and which can be back-burnered for the moment. You may even learn that the project you’ve been gearing up to start may not be as beneficial as originally thought – before the all-nighters begin.
4. Ask Better Questions. Subject Matter Experts Can Only Answer What You Ask
One of the key benefits of FAIR is having a common language to avoid miscommunication and unintended assumptions. Like any good model, however, it only works if you work it. One pitfall we have seen customers fall into (and have even fallen into ourselves from time to time) is taking that common language for granted and not being intentional enough in our wording. When conducting data gathering sessions, it is important to ask context-specific questions that include all elements of the scope, so that you can be certain you are getting an estimate that is accurate and meaningful to the analysis.
In addition to being context aware, it is also important to remember to make your unit of measurement clear. This may seem silly (and with the curse of knowledge, it likely is to you), but the SMEs you are working with may not be aware that frequency is based on the timeframe of one year (i.e. the number of loss events expected in a given year), and magnitude is based on the loss associated with each individual loss event. Always be sure to ask clarifying questions to be certain that you are correctly understanding the information you have been given and that the range provided is logical, accurate, and made with the best available information.
5. Set the Right Goals: Reducing Uncertainty, Not Achieving Exact Precision
There is a common misconception that in order to measure something in a meaningful way you require exact precision. However, the definition of measurement is actually “to reduce uncertainty”, which also happens to be the goal of quantitative risk analysis. As it turns out, the less you know about a subject, the less information it takes to dramatically reduce your uncertainty. Basically, a little information can provide a lot of insight.
Further, while in a perfect world you would have reams and reams of data at the ready for every foreseeable data point, we do not live in that world. Even if we did, the most expert knowledge of the past will never tell us the exact truth of the future. Instead, we need to make reasonable estimates (we use calibration) about the future based on the best information available at the time of the analysis – which sometimes may be in abundance and other times may be much less than we would prefer. The latter cases give us valuable insight into where we lack visibility in the organization and where we may be able to increase precision in the future.
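As an added illustration of the units discussed in tips 4 and 5 (loss event frequency stated per year, loss magnitude stated per event, and calibrated minimum / most likely / maximum ranges rather than exact figures), here is a small Monte Carlo simulation of annualized loss exposure. It is example code written for this page, not RiskLens platform code; the `Range` helper, the triangular distribution and the sample ranges are assumptions.

```python
"""Monte Carlo annualized loss exposure from FAIR-style calibrated ranges.
Hypothetical example, standard library only: frequency is stated per
year and magnitude per loss event, the units the article asks analysts
to make explicit to their SMEs."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float


def poisson_sample(rate: float, rng: random.Random) -> int:
    """Draw a count of events for one year given its expected rate (Knuth)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_ale(freq_per_year: Range, mag_per_event: Range,
                 years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarize the annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Sample this year's loss event frequency from the calibrated range,
        # then the actual number of events, then a magnitude for each event.
        rate = rng.triangular(freq_per_year.low, freq_per_year.high,
                              freq_per_year.mode)
        events = poisson_sample(rate, rng)
        losses.append(sum(rng.triangular(mag_per_event.low, mag_per_event.high,
                                         mag_per_event.mode)
                          for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:  # empirical percentile of annual loss
        return losses[min(years - 1, int(p * years))]

    return {"mean": sum(losses) / years, "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}
```

With constructed ranges of 0.5 to 5 events per year (most likely 2) and $10,000 to $200,000 per event (most likely $50,000), `simulate_ale(Range(0.5, 2, 5), Range(10_000, 50_000, 200_000))` returns a mean near $217,000 together with the 10th, 50th and 90th percentiles, which is the spread a decision maker needs alongside the single number.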