The Ransomware Task Force organized by the Institute for Security and Technology brought together 60 business and government experts to propose a framework to “disrupt the ransomware business model.” Many of the 48 recommendations in their just-released report line up with the spirit of FAIR™ (Factor Analysis of Information Risk), the risk quantification standard, and the RiskLens platform for understanding cyber risk in financial terms.
Read the report Combating Ransomware: A Comprehensive Framework for Action from the Institute for Security and Technology.
“Organizational leaders traditionally see security as niche and highly technical,” the task force found. “They need to understand ransomware as a whole-organization event, in non-technical, business risk-relevant terms.”
The task force proposes a framework modeled on the NIST CSF that lists best practices and controls specific to ransomware defense. “The framework should clearly identify each recommended action’s impact, as well as the required investment of time and other resources.” (The NIST CSF includes FAIR as a means for estimating the impact of cyber risk.) The task force also suggested that this new framework be created in versions for government and for various industries.
A new ransomware framework should also offer a way to “enable organizations to identify the costs associated with not paying compared to the costs of paying the ransom.” The report makes a strong case for a careful, quantitative analysis, as many of the costs in a ransomware incident, such as breach notification, could occur in either scenario. “In many cases, the analysis could show that paying the ransom is not in fact the cheaper option.” The report then takes it a step further, suggesting a legal requirement that companies perform a cost-benefit analysis before paying a ransom.
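The analysis the report calls for can be sketched as a FAIR-style loss magnitude comparison: each loss form gets a calibrated (minimum, most likely, maximum) estimate, the forms that occur in either scenario (notification, forensics, legal) are counted on both sides, and Monte Carlo sampling turns the ranges into a distribution of total loss for "pay" versus "do not pay". The following Python is an added illustration written for this page; it is not code from the task force report, the RiskLens platform, or the FAIR standard, and every dollar figure and cost category in it is a constructed placeholder, not data. It models only the loss magnitude of a single event (the response decision), leaving out the loss event frequency side of FAIR that an annualized loss exposure figure would also need.

```python
import random
import statistics

# Loss forms as (minimum, most likely, maximum) dollar estimates, the
# calibrated-range style FAIR uses. All figures below are constructed
# placeholders for illustration, not data from the report or any incident.
SHARED_COSTS = {
    # Occur whether or not the ransom is paid (data was already exfiltrated).
    "breach notification and credit monitoring": (50_000, 150_000, 400_000),
    "forensics and incident response": (100_000, 250_000, 600_000),
    "legal and regulatory": (50_000, 200_000, 1_000_000),
}
PAY_ONLY = {
    "ransom payment": (500_000, 1_000_000, 3_000_000),
    "negotiator and sanctions screening": (20_000, 50_000, 100_000),
    # Decryptors are slow and unreliable; downtime does not drop to zero.
    "downtime while decryptor is obtained and run": (100_000, 300_000, 800_000),
}
NOPAY_ONLY = {
    "downtime during restore from backups": (200_000, 600_000, 2_000_000),
    "reconstruction of data not covered by backups": (50_000, 200_000, 700_000),
}


def sample_cost(estimate, rng):
    """Draw one value from a triangular distribution over (min, mode, max)."""
    lo, mode, hi = estimate
    # random.triangular takes (low, high, mode); it returns `low` when low == high.
    return rng.triangular(lo, hi, mode)


def simulate(costs, iterations=10_000, seed=1):
    """Monte Carlo the total of all loss forms; return mean and 10th/90th percentiles."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = sorted(
        sum(sample_cost(est, rng) for est in costs.values())
        for _ in range(iterations)
    )
    return {
        "mean": statistics.fmean(totals),
        "p10": totals[int(0.10 * len(totals))],
        "p90": totals[int(0.90 * len(totals))],
    }


def compare(shared, pay_only, nopay_only, iterations=10_000, seed=1):
    """Loss magnitude for both decisions; shared costs are counted in each."""
    pay = simulate({**shared, **pay_only}, iterations, seed)
    not_pay = simulate({**shared, **nopay_only}, iterations, seed)
    return {
        "pay": pay,
        "not_pay": not_pay,
        "pay_is_cheaper_on_mean": pay["mean"] < not_pay["mean"],
    }


if __name__ == "__main__":
    result = compare(SHARED_COSTS, PAY_ONLY, NOPAY_ONLY)
    for scenario in ("pay", "not_pay"):
        r = result[scenario]
        print(f"{scenario:>8}: mean ${r['mean']:,.0f}  "
              f"p10 ${r['p10']:,.0f}  p90 ${r['p90']:,.0f}")
    print("paying is cheaper on the mean:", result["pay_is_cheaper_on_mean"])
```

The point of carrying the shared costs on both sides is the one the report makes: a naive comparison of "ransom" against "recovery" drops the breach notification and legal costs that are incurred either way, which flatters the pay option. Replacing the placeholder ranges with calibrated estimates for a specific organization, and adding a frequency estimate, is what turns this sketch into an actual FAIR analysis.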
The RiskLens Ransomware Solution
The RiskLens platform is already in routine use for just the sort of ransomware analysis the task force is advocating. The recently launched RiskLens Prioritization & Justification solution for health insurance companies includes:
- Guided workflow that walks the user through a careful process of data collection to capture all the financial impacts of ransomware. The platform comes pre-loaded with ransomware data specific to healthcare payers.
- Reporting in terms that business decision makers can understand – analysis results show risk as loss exposure in dollar terms. Comparative analysis shows the relative cost vs. benefit of mitigation alternatives, or the cost of paying vs. not paying ransom.
Contact us for a demo of the RiskLens platform’s capabilities for ransomware risk analysis.