Cyber Risk Quantification: “Getting it Right”

January 23, 2019  Steven Tabacek

As discussed in my last blog, cybersecurity risk quantification has progressed from a trend to mainstream risk management. Boards and senior executives have begun to task Chief Risk Officers, Chief Operational Risk executives, CIOs, and CISOs with communicating cybersecurity risk in business terms, i.e. dollars and cents. Because the dollar amounts associated with cyber risk can be very large, the stakes are high: risk executives and analysts have to “get it right” to maintain credibility.

It’s a technical and business problem that has proven incredibly difficult to solve. A seemingly simple request from a board director or C-level executive, such as “Can you tell me what the business impact is for each of your top 10 cyber risk issues?”, can be extremely difficult to answer. Depending on how the top 10 risk issues are defined, each may involve dozens of business assets, processes, threat actors, control conditions, and impact variables. So, what’s the answer?

Major consulting firms and technology-centric software providers have been quick to include the word “risk” or “quantification” in their product names or marketing material, but how accurate and meaningful are the results? I challenge anyone in the marketplace to show me a major technology, audit, or advisory consulting firm that employs an industry-accepted, business-centric, dollars-and-cents solution to cyber risk analysis. I’m not suggesting that these firms are part of the problem, but instead am advocating that they are only a part of the solution. In the highly acclaimed book Measuring and Managing Information Risk, the author Jack Jones describes how a controls ontology fits into the overall risk equation, specifically covering the work consulting companies do so well, such as measuring controls.

Information security software providers are not off the hook either when it comes to “getting it right.” They too have heard the siren call of “risk quantification,” derived creative mathematics for ordinal scoring systems, and labeled the results as a measure of "risk". These firms are not part of the problem either, but instead are another valuable part of the solution. The intellectual capital applied toward understanding threat and vulnerability intelligence, such as threat event frequency, threat capability, and resistive (control) strength, is nothing short of amazing. Metadata generated by these technology-centric software vendors can fit very well into the risk equation.

So what is the answer to “getting it right?” Factor Analysis of Information Risk (FAIR), an established standard for measuring, analyzing, and communicating cybersecurity risk, is the answer for many industry-leading organizations. An increasing number of FAIR users say that the "get it right" answer is for risk executives, analysts, consulting firms, and technology-centric software vendors to align around a standard definition of risk such as FAIR, so that all stakeholders can speak a language that everybody understands: dollars and cents.
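As an added illustration (not code from RiskLens or from the FAIR standard itself), the small Monte Carlo below combines the factors named above, threat event frequency, threat capability versus resistive (control) strength, and loss magnitude, into an annualized loss exposure in dollars and ranks scenarios by business impact. The scenario names and ranges are constructed for the example; the decomposition used is the FAIR one, Risk = Loss Event Frequency x Loss Magnitude, with Loss Event Frequency = Threat Event Frequency x Vulnerability.

```python
# Added illustration (not RiskLens or FAIR-standard code) of the FAIR decomposition:
# Risk = LEF x LM, LEF = TEF x Vulnerability, and
# Vulnerability = P(threat capability > resistive/control strength).
import random
from statistics import mean, quantiles

def draw(rng, low, mode, high):
    """Sample one value from a calibrated (low, most likely, high) range."""
    return rng.triangular(low, high, mode)

def annual_losses(scenario, trials=10000, seed=1):
    """Return one simulated annual loss (dollars) per trial."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        tef = draw(rng, *scenario["tef"])  # threat events per year
        n_events = int(tef) + (rng.random() < tef - int(tef))  # fractional part
        loss = 0.0
        for _ in range(n_events):
            capability = draw(rng, *scenario["threat_capability"])
            strength = draw(rng, *scenario["control_strength"])
            if capability > strength:  # controls overcome -> a loss event
                loss += draw(rng, *scenario["loss_magnitude"])
        results.append(loss)
    return results

def vulnerability(scenario, trials=10000, seed=1):
    """Estimate P(threat capability exceeds control strength) on its own."""
    rng = random.Random(seed)
    hits = sum(draw(rng, *scenario["threat_capability"])
               > draw(rng, *scenario["control_strength"]) for _ in range(trials))
    return hits / trials

def summarize(scenario, **kw):
    """Annualized loss exposure: mean plus 10th and 90th percentiles."""
    losses = annual_losses(scenario, **kw)
    cuts = quantiles(losses, n=10)
    return {"ale": mean(losses), "p10": cuts[0], "p90": cuts[-1]}

def rank_by_impact(scenarios, **kw):
    """Order named scenarios by expected annual loss, highest first."""
    return sorted(scenarios, key=lambda n: summarize(scenarios[n], **kw)["ale"], reverse=True)

SCENARIOS = {  # constructed (low, most likely, high) ranges, not real data
    "phishing-led account takeover": {"tef": (10, 30, 80), "threat_capability": (0.3, 0.6, 0.9),
        "control_strength": (0.5, 0.7, 0.85), "loss_magnitude": (5_000, 40_000, 400_000)},
    "ransomware on file servers": {"tef": (0.5, 2, 6), "threat_capability": (0.4, 0.7, 0.95),
        "control_strength": (0.6, 0.8, 0.9), "loss_magnitude": (100_000, 800_000, 5_000_000)},
}
```

Calling `rank_by_impact(SCENARIOS)` and `summarize` on each entry gives the "top risks by business impact" list in dollars; an ordinal 1-to-5 score has no equivalent to the p10/p90 spread.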

At a corporate level, board directors and C-level executives have a fiduciary responsibility to understand the business impact of cybersecurity risk. FAIR can provide the necessary foundation for risk officers and cybersecurity professionals to learn how to articulate cybersecurity risk in business terms.

Imagine being prepared for a well-informed business discussion the next time a board member, a regulator or a business executive asks, “What are our top 10 risks, prioritized according to business impact?” You don’t have to imagine anymore. RiskLens' cyber risk quantification platform can help you apply the FAIR principles in a consistent way and complete quantifiable risk analyses with confidence.