Read the report Combating Ransomware: A Comprehensive Framework for Action from the Institute for Security and Technology.
“Organizational leaders traditionally see security as niche and highly technical,” the task force found. “They need to understand ransomware as a whole-organization event, in non-technical, business risk-relevant terms.”
The task force proposes a framework modeled on the NIST CSF that lists best practices and controls specific to ransomware defense. “The framework should clearly identify each recommended action’s impact, as well as the required investment of time and other resources.” (The NIST CSF includes FAIR as a means of estimating the impact of cyber risk.) The task force also suggested that this new framework be created in versions for government and for various industries.
A new ransomware framework should also offer a way to “enable organizations to identify the costs associated with not paying compared to the costs of paying the ransom.” The report makes a strong case for a careful, quantitative analysis, as many of the costs in a ransomware incident, such as breach notification, could occur in either scenario. “In many cases, the analysis could show that paying the ransom is not in fact the cheaper option.” The report then takes it a step further, suggesting a legal requirement that companies perform a cost-benefit analysis before paying a ransom.
The RiskLens Ransomware Solution
The RiskLens platform is already in routine use for just the sort of ransomware analysis the task force is advocating. The recently launched RiskLens Prioritization & Justification solution for health insurance companies includes:
Contact us for a demo of the RiskLens platform’s capabilities for ransomware risk analysis.