This case study is one of my favorites stories to respond to the misperceptions I sometimes hear around the value of cyber risk quantification and the effort it takes to do quantitative cyber risk analytics.
It involves a CISO we know who was faced with an audit finding that would have required millions of dollars and months of business disruption to remediate. With FAIR analysis, the method that powers the RiskLens application, the CISO came up with a solution that cost far less and produced far better results.
Jay Soni is Team Lead-Sales Central US/Canada for RiskLens
Explicit risk analysis is better than implicit risk analysis. Explicit, as in using a well-defined model and some analytic rigor to show ranges of probable loss in dollars. Implicit, as in making assumptions regarding how and to what degree controls reduce risk.I like this story because it makes four key points about quantitative cyber risk analysis:
- Ability to present options by comparing the probable reduction of loss exposure in different scenarios, which enables well-informed business decisions.
- The benefit of doing what-if analyses, and saving time, painful surprises and avoiding wasted resources down the road.
- The defensibility of quantitative analysis, a transparent process with reporting results in dollars, the language that everyone in the business understands. As you'll see in the case study, even the auditor signed off on the results.
Here’s the story, as told in Measuring and Managing Information Risk by Jack Jones and Jack Freund, the book that introduced the FAIR model for cyber risk analysis.
“The CISO was faced with a PCI audit that had identified the absence of data-at-rest encryption on his organization’s primary business databases. These systems contained massive volumes of credit card and other sensitive information.
“Unfortunately, when brought in to pitch their solutions, the encryption vendors all admitted that (1) their products hadn’t been applied to databases of that size/architecture before and they could not guarantee that there wouldn’t be problems, and (2) any implementation was going to require significant changes to the business applications.
“The cost implications ran into the millions of dollars, with an implementation timeline of at least 18 months and an expectation of some amount of business disruption during the process.
The FAIR Analysis
“The CISO used FAIR to evaluate and compare the current state of loss exposure, the loss exposure reduction expected to result from data-at-rest encryption, and the loss exposure reduction expected from an alternative set of controls.
“These alternative controls included, but were not limited to:
- Internal network segmentation
- Hard token authentication controls for system, application, database, and network personnel
- Improved logging and detection controls, and
- Improved processes for ensuring that hard drives would be wiped before leaving controlled areas
Cyber Risk Quantification Analysis Results
“At the end of the analyses, the CISO was able to show that the alternative controls provided better risk reduction than encrypting data-at-rest.
“Better yet, these alternative controls required no changes to applications, no business disruption, a much faster time to implement, and costs under $500,000.
“When presented with these analyses, the PCI QSA had no problem signing off on the solution.”
It's worthwhile to note that this analysis took approximately three days to perform. Not a bad investment of time for a far less expensive and more effective solution.