Gartner, the leading technology research firm, recently published this finding on organizations that have adopted cyber risk quantification (CRQ): “Only 36% have achieved action-based results, including reducing risk, saving money or actual decision influence.”
As the leader in implementing Factor Analysis of Information Risk (FAIR™), the recognized standard for cyber risk quantification, our reaction at RiskLens was, “Wait, what? We’ve been helping clients achieve action-based results with CRQ for 10-plus years.”
Our second reaction was, “How do you define cyber risk quantification?”
As FAIR creator Jack Jones writes in his Buyer's Guide to Cyber Risk Quantification (FAIR Institute membership required to view), the marketplace is crowded with vendors claiming to quantify cyber risk by scoring organizations on the presence or absence of controls, on "maturity" against security frameworks, or on vulnerability scans and other technical ratings. Those methods generate numbers, but they do not quantify risk in terms of money. In other words, they don't directly support business decision-making.
FAIR gives organizations a methodology to quantify the probable frequency and the probable magnitude (cost) of cyber attacks or other loss events, so risk can be expressed as a range of annualized loss exposure (for example, "a most likely value of $1 million" bounded by low and high values) that is easily communicated to business leaders.
Here are three ways that FAIR analysis, implemented through the RiskLens platform, helps CISOs and cyber risk managers achieve actual decision influence.
1. Identify and Prioritize Top Risks
The starting point for many RiskLens clients is a fast look at an organization’s top risks based on probable loss exposure in monetary terms. To speed the process, the RiskLens enterprise analysis platform shortcuts data gathering with extensive libraries of industry-specific data built-in. Many business decisions flow just from prioritizing risks.
2. Aggregate Risks by Loss Exposure
Unique in the marketplace, the RiskLens platform can aggregate multiple risk scenarios into overall assessments of risk by business unit, revenue stream, attack vectors or any other useful viewpoints (we call them “portfolios”) for decision-makers, including the enterprise level.
One tangible benefit of these assessments for decision-making is gaining clarity on how to set a risk appetite (see How to Set a Risk Appetite with RiskLens).
Another key benefit: FAIR quantification puts cybersecurity on an equal footing, dollar for dollar, with the other enterprise risks that leadership faces. For an example, see the case study Quantitative Risk Assessment for Earthquakes, Strikes and More Operational Risk.
3. Run Cost/Benefit Analysis
There's no more direct decision support tool than the RiskLens platform's capability to run cost/benefit or ROI analysis. With a quantified baseline of loss exposure for a scenario in hand, you can re-run the scenario under alternative treatments (say, purging data from a database, or retaining the data and adding data loss prevention controls), see how the loss exposure changes, and then compare that reduction to the cost of the controls or other action steps.
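To make the arithmetic behind the "range of annualized results" and the cost/benefit comparison concrete, here is an added Python example. It is not RiskLens platform code and not the FAIR standard's own reference implementation; it is a minimal Monte Carlo simulation in the FAIR shape (loss event frequency times loss magnitude, drawn many times to produce an annualized loss exposure range). The triangular distribution, the Poisson draw for yearly event counts, the scenario names and every dollar figure are assumptions constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most likely / maximum estimate for one FAIR factor."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution stands in for the PERT-style
        # distribution that FAIR tooling usually fits to these three points.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # dollars lost per event


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method: number of events in one year given a mean rate lam."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario: Scenario, rng: random.Random, years: int = 10_000) -> list:
    """One simulated year per sample: draw a frequency, draw that many event losses, sum them."""
    annual = []
    for _ in range(years):
        events = poisson(scenario.loss_event_frequency.sample(rng), rng)
        annual.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile; enough for reporting a low / median / high range."""
    ordered = sorted(values)
    return ordered[int(round((p / 100) * (len(ordered) - 1)))]


def summarize(annual: list) -> dict:
    """Annualized loss exposure range in the form a business leader can read."""
    return {
        "p10": percentile(annual, 10),
        "median": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "mean": statistics.fmean(annual),
    }


def cost_benefit(baseline: Scenario, alternative: Scenario,
                 annual_control_cost: float, years: int = 10_000, seed: int = 2024) -> dict:
    """Compare baseline loss exposure against the scenario with a control applied."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    base = summarize(simulate_annual_loss(baseline, rng, years))
    alt = summarize(simulate_annual_loss(alternative, rng, years))
    reduction = base["mean"] - alt["mean"]
    return {
        "baseline": base,
        "alternative": alt,
        "expected_annual_reduction": reduction,
        "annual_control_cost": annual_control_cost,
        "net_annual_benefit": reduction - annual_control_cost,
        "benefit_cost_ratio": reduction / annual_control_cost,
    }


# Constructed example figures; not from the page, RiskLens, or any real assessment.
BASELINE = Scenario("Customer DB breach, no DLP",
                    Estimate(0.5, 2.0, 5.0),                 # events per year
                    Estimate(50_000, 300_000, 2_000_000))    # dollars per event
WITH_DLP = Scenario("Customer DB breach, DLP added",
                    Estimate(0.1, 0.5, 1.5),
                    Estimate(20_000, 100_000, 800_000))


def run_example() -> dict:
    """Assumed control cost of $400k/year for the DLP deployment."""
    return cost_benefit(BASELINE, WITH_DLP, annual_control_cost=400_000)


if __name__ == "__main__":
    result = run_example()
    for key in ("baseline", "alternative"):
        s = result[key]
        print(f"{key}: p10=${s['p10']:,.0f}  median=${s['median']:,.0f}  "
              f"p90=${s['p90']:,.0f}  mean=${s['mean']:,.0f}")
    print(f"expected reduction ${result['expected_annual_reduction']:,.0f}/yr "
          f"vs control cost ${result['annual_control_cost']:,}/yr")
    print(f"net benefit ${result['net_annual_benefit']:,.0f}/yr, "
          f"ratio {result['benefit_cost_ratio']:.1f}x")
```

The point to take from the output is the shape of the answer rather than the specific numbers: each scenario comes back as a range (10th percentile, median, 90th percentile) plus a mean, and the control decision compares the reduction in expected annual loss to the annual cost of the control. Swapping the constructed estimates for calibrated ones, and the triangular distribution for the PERT-style distribution used in practice, changes the figures but not the decision logic.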
Bringing it together: RiskLens supports decisions on key strategic issues.