Many RiskLens clients take their first step into cyber risk quantification with a Top Risks Workshop, using the Triage function in the RiskLens Platform to quickly identify a short list of high-risk scenarios for deeper quantified analysis. Here’s the Top Risks experience for one major tech company.
Technology companies are constantly competing to bring the most innovative products to market. Each technological advancement brings additional risk exposure that the organization must be able to identify, measure, and prioritize effectively. But risk management often takes a backseat to product development, seen as a detour that slows speed to market.
The risk management team at a major tech company was looking for a way to break through that mindset and win a seat at the decision-making table. One point on their side: The company was subject to reporting to the SEC, following the agency’s 2018 guidelines on disclosure of cyber risk in financial terms.
However, the qualitative heat maps the team used to guesstimate risk didn’t give them the ability to:
- Identify, measure, and prioritize the risks that are most important to business operations
- Evaluate the top risk scenarios including insight into highest-risk assets and threat communities
- Effectively communicate the posture of the cyber risk program to executive management, as required by SEC guidance on the “timely collection and evaluation of information potentially subject to required disclosure”
The team turned to the RiskLens Platform that operationalizes quantitative cyber risk analysis with the Factor Analysis of Information Risk (FAIR™) model to help address the above requirements in a more meaningful way.
1. Identify, measure, and prioritize the risks that are most important to business operations
In order to quantify risk effectively, FAIR requires consistently defining each scenario in terms of the asset at risk, the threat acting against it, and the loss effect (loss of confidentiality, integrity, or availability). The organization applied this approach by identifying its most critical assets, the most likely threat actors, and the most probable and/or impactful ways in which a loss would materialize.
Once the most probable and impactful scenarios were identified, the list was quickly prioritized using the Triage function in the RiskLens platform. This exercise was completed over the course of a two-day Top Risk Identification Workshop led by experienced consultants from the RiskLens Professional Services team.
Once triaged, the top 10 scenarios were fully quantified in the RiskLens Cyber Risk Quantification (CRQ) platform.
Figure 1 displays the combined aggregate annualized loss exposure across all 10 scenarios:
2. Evaluation of top risk scenarios including insight into highest-risk assets and threats
The team was then able to drill down into the aggregate annualized loss exposure of the top risks and view the highest-risk threat communities and assets.
Figure 2: Aggregate Loss Exposure by Threat Community
Figure 3: Aggregate Loss Exposure by Asset
In addition to gaining an understanding of the total annualized loss exposure related to the 10 scenarios, the organization was also able to identify which of the 10 posed the highest risk individually.
Figure 4: Top Analysis Scenarios by Loss Exposure (90th Percentile)
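The figures above summarize what a FAIR quantification produces: an annualized loss exposure per scenario (loss event frequency times per-event loss magnitude, simulated over many years), an aggregate across scenarios, breakdowns by threat community and by asset, and a per-scenario 90th percentile for ranking. The following is an added example written for this page, not RiskLens Platform code, that reproduces those outputs with a minimal Monte Carlo model. It assumes triangular (min, most likely, max) input distributions as a stand-in for the PERT distributions FAIR practitioners normally use, draws the yearly event count from a Poisson distribution, and uses four constructed scenarios whose ranges are invented for illustration.

```python
"""Minimal FAIR-style Monte Carlo: annualized loss exposure per scenario,
aggregate exposure, breakdown by threat community / asset, and p90 ranking.
Added example, not the RiskLens Platform's implementation."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: str
    threat_community: str
    lef: tuple  # (min, most likely, max) loss events per year
    lm: tuple   # (min, most likely, max) loss in USD per event


# Constructed illustrative scenarios; every range below is made up.
SCENARIOS = [
    Scenario("Breach of crown jewel database - external", "Crown jewel DB",
             "Cyber criminals", (0.1, 0.5, 2.0), (50_000, 500_000, 3_000_000)),
    Scenario("Breach of crown jewel database - insider", "Crown jewel DB",
             "Privileged insiders", (0.05, 0.2, 1.0), (100_000, 800_000, 4_000_000)),
    Scenario("Ransomware on build servers", "Build pipeline",
             "Cyber criminals", (0.2, 1.0, 3.0), (20_000, 200_000, 1_500_000)),
    Scenario("Source code theft", "Product source code",
             "Nation states", (0.02, 0.1, 0.5), (500_000, 2_000_000, 10_000_000)),
]


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(scenario, rng):
    """One simulated year: sample a frequency, draw the event count, sum per-event losses."""
    lo, ml, hi = scenario.lef
    events = _poisson(rng, rng.triangular(lo, hi, ml))
    lo, ml, hi = scenario.lm
    return sum(rng.triangular(lo, hi, ml) for _ in range(events))


def run(scenarios=SCENARIOS, years=10_000, seed=2024):
    """Simulate `years` years per scenario; returns {scenario name: [annual loss, ...]}."""
    rng = random.Random(seed)
    return {s.name: [simulate_year(s, rng) for _ in range(years)] for s in scenarios}


def percentile(values, p):
    """Nearest-rank percentile, p in 0..100."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[min(idx, len(ordered) - 1)]


def summarize(results):
    """Per-scenario annualized loss exposure: mean and 90th percentile."""
    return {name: {"mean": mean(losses), "p90": percentile(losses, 90)}
            for name, losses in results.items()}


def aggregate(results):
    """Figure 1 style: total exposure, summing each simulated year across scenarios."""
    totals = [sum(year) for year in zip(*results.values())]
    return {"mean": mean(totals), "p90": percentile(totals, 90)}


def aggregate_by(results, scenarios, attr):
    """Figures 2 and 3 style: mean annual loss grouped by a scenario attribute."""
    out = {}
    for s in scenarios:
        key = getattr(s, attr)
        out[key] = out.get(key, 0.0) + mean(results[s.name])
    return out


def rank_by_p90(results, n=10):
    """Figure 4 style: scenario names ordered by 90th-percentile annual loss."""
    stats = summarize(results)
    return sorted(stats, key=lambda k: stats[k]["p90"], reverse=True)[:n]


def expected_ale(scenario):
    """Analytical sanity check: E[annual loss] = E[LEF] * E[LM] when draws are
    independent; the mean of triangular(min, mode, max) is (min + mode + max) / 3."""
    return sum(scenario.lef) / 3 * sum(scenario.lm) / 3


if __name__ == "__main__":
    res = run()
    stats = summarize(res)
    for name in rank_by_p90(res):
        print(f"{name:45s} mean ${stats[name]['mean']:>12,.0f}  p90 ${stats[name]['p90']:>12,.0f}")
    print("aggregate:", aggregate(res))
    print("by threat community:", aggregate_by(res, SCENARIOS, "threat_community"))
    print("by asset:", aggregate_by(res, SCENARIOS, "asset"))
```

The analytical check in `expected_ale` is the part worth keeping in any real model: if a simulated mean drifts far from E[LEF] × E[LM], the sampler or the input ranges are wrong, and ranking scenarios by a tail percentile rather than the mean is what keeps rare, high-magnitude scenarios such as the source code theft example from being buried by frequent low-cost ones.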
3. Effective communication of the posture of the cyber risk program to executive management
With the help of the RiskLens platform powered by the FAIR model, the organization was able to report on the top risks to executive management and the board in the language they best understand – dollars and cents. Not only was it possible to grasp the aggregate loss exposure posed in total by the ten scenarios, but using the RiskLens reporting capability, the team was also able to look closer into each scenario to evaluate the frequency and magnitude of the event, as well as the drivers of the loss.
Figure 5: Breach of Crown Jewel Database – External Per Event Results
Figure 6: Breach of Crown Jewel Database – External Aggregate Loss Exposure by Form of Loss
Results and Key Benefits
With the Top Risk analysis in hand and experience with FAIR quantitative cyber risk analysis, the risk team had found its credibility builder, demonstrating that it could communicate the impact of cyber risk in the financial terms that the board, senior management, and regulators could understand. With a clear view of Top Risks, the organization could then leverage further FAIR analyses to support decision-making on:
- Evaluation of control adequacy
- Prioritization of mitigation efforts
- Determination of cyber insurance needs
- Justification of additional security investments and controls, particularly covering the new products the organization plans to roll out going forward.