How to Use Cyber Risk Quantification for Business Decision Support – A Short Guide

May 11, 2023  Jeff B. Copeland

Gartner, the leading technology research firm, recently published this finding on organizations that have adopted cyber risk quantification (CRQ): “Only 36% have achieved action-based results, including reducing risk, saving money or actual decision influence.”

As the leader in implementing Factor Analysis of Information Risk (FAIR™), the recognized standard for cyber risk quantification, our reaction at RiskLens was, “Wait, what? We’ve been helping clients achieve action-based results with CRQ for 10-plus years.”

Our second reaction was, “How do you define cyber risk quantification?”

As FAIR creator Jack Jones writes in his Buyer’s Guide to Cyber Risk Quantification (FAIR Institute membership required to view), the marketplace is crowded with vendors claiming to quantify cyber risk by scoring organizations for presence/absence of controls, “maturity” compared to security frameworks, vulnerability scans or other technical ratings that generate numbers but don’t quantify risk in terms of money. In other words, they don’t directly support business decision-making.

FAIR gives organizations a methodology to quantify the probable likelihood and probable costs of cyber attacks or other loss events, so risk can be expressed in a range of annualized results (such as “a most likely value of $1 million”) easily communicated to business leaders.

Here are three ways that FAIR analysis, implemented through the RiskLens platform, helps CISOs or cyber risk managers achieve actual decision influence.

1. Identify and Prioritize Top Risks

The starting point for many RiskLens clients is a fast look at an organization’s top risks based on probable loss exposure in monetary terms. To speed the process, the RiskLens enterprise analysis platform shortcuts data gathering with extensive built-in libraries of industry-specific data. Many business decisions flow just from prioritizing risks.

Learn more:

5 Uses for a Top Cyber Risks Analysis

Tech Company Quickly Identifies Top Cyber Risks with Quantitative Analysis 

2. Aggregate Risks by Loss Exposure 

Unique in the marketplace, the RiskLens platform can aggregate multiple risk scenarios into overall assessments of risk by business unit, revenue stream, attack vectors or any other useful viewpoints (we call them “portfolios”) for decision-makers, including the enterprise level. 

Learn more:

Webinar: Fast, Flexible Risk Reporting with RiskLens Portfolio Management

One tangible benefit of these assessments for decision-making is gaining clarity on How to Set a Risk Appetite with RiskLens 

Another key benefit: FAIR quantification puts cybersecurity on an equal footing dollar-wise with other aspects of enterprise risk management that leadership faces. Check out this example: Case Study: Quantitative Risk Assessment for Earthquakes, Strikes and More Operational Risk

3. Run Cost/Benefit Analysis

There’s no more direct decision support tool than the RiskLens platform’s capability to run cost/benefit or ROI analysis. With a quantified understanding of the baseline risk for a scenario in hand, you can reset the scenario for alternate outcomes (say, purging data from a database, or retaining data and adding data loss prevention controls), see the changes in loss exposure, then compare them to the cost of the controls or other action steps.

Learn more:

CISO Makes a Quick Pitch to Restore Security Project Budget Based on Cost Benefit Analysis

Finance Company Assesses Risk of Data Breach from Shared Storage 

Bringing it together… RiskLens supports decisions on key strategic issues.

Three Steps to Evaluate Security Risks of Cloud Migration

Quantitative Cyber Risk Management for an IPO: Perform Due Diligence, Build Resilience

Big Game Hunting or Double Extortion Ransomware: Analyzing Complex Risk Scenarios with RiskLens

RiskLens Executive Board Reporting Service