Evaluating Third Party Solutions with FAIR Quantitative Cyber Risk Analysis

July 24, 2019  Christina Dulovich

Have you ever been in the tough position of evaluating the costs or benefits of a third-party service or control? Asked to make a recommendation for using that service or not? Or maybe even asked to compare various third-party services to one another for decision makers?

Answering any of these questions is no simple task. You may be using a few metrics to evaluate a vendor, such as reputation, testimonials, contracted responsibilities, or the resources the vendor provides. These metrics are vague and nearly impossible to quantify or compare effectively. Clear visibility into a vendor’s value proposition is not always readily available.

With the RiskLens platform based on the FAIR model for cyber risk quantification, you are not limited to only analyzing your internally hosted solutions. RiskLens is scalable across your entire environment.

Christina Dulovich is a RiskLens Risk Consultant

For example: you are asked not only to determine the costs and benefits of using a particular third-party vendor control, but to compare several vendors, producing a comparison that tells decision makers which vendor may be the best fit.

Take as the scenario a cyber criminal breaching a database that holds sensitive customer data. In the current state, this database is internally hosted with controls in place to prevent a breach. The decision under consideration is whether to switch to one of several third-party hosted solutions that offer seemingly more advanced controls.

With RiskLens, you can create an analysis reflecting the current state of the controls around the internally hosted database, as well as comparable future state analyses that reflect what the database environment would look like with each third-party vendor.

You will be able to see both the current state loss exposure as well as the future state loss exposure with the third-party control improvements taken into consideration. This allows you to determine the reduction in annualized loss exposure, which can then be used to create a cost-benefit analysis for the third-party control investment.
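The current state versus future state comparison described above can be reproduced with a small Monte Carlo simulation of the FAIR factors. The following is an added example, not code from RiskLens or the FAIR Institute: it models one scenario (a cyber criminal breaching the customer database) in two states, draws threat event frequency, vulnerability and loss magnitude from PERT estimates, multiplies out to annualized loss exposure, and turns the reduction in mean ALE into a cost-benefit figure against the vendor's annual cost. All estimate ranges, the vendor name and the subscription cost are constructed placeholders.

```python
"""Monte Carlo comparison of current-state and future-state annualized loss
exposure (ALE) for one FAIR scenario: a cyber criminal breaching an internally
hosted database of sensitive customer data, versus the same database hosted by a
third-party vendor with stronger controls.

Constructed illustration: the estimate ranges and the vendor's annual cost are
placeholders, not figures from RiskLens, FAIR Institute material or any vendor.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated estimate as a PERT (modified beta) distribution:
    minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


def poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method;
    adequate for the small event rates typical of a FAIR scenario)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


@dataclass(frozen=True)
class Scenario:
    """FAIR scoping for one state of the environment."""
    name: str
    tef: Pert             # threat event frequency: attack attempts per year
    vulnerability: Pert   # probability that an attempt becomes a loss event
    loss_magnitude: Pert  # dollars lost per loss event (primary + secondary)

    def simulate(self, iterations: int, seed: int = 1) -> list[float]:
        """Return one annual-loss sample per simulated year.
        LEF = TEF x Vulnerability; the number of loss events in the year is
        Poisson(LEF), so zero-loss years are represented, and every event gets
        its own loss-magnitude draw."""
        rng = random.Random(seed)
        annual_losses = []
        for _ in range(iterations):
            lef = self.tef.sample(rng) * self.vulnerability.sample(rng)
            events = poisson(lef, rng)
            annual_losses.append(
                sum(self.loss_magnitude.sample(rng) for _ in range(events)))
        return annual_losses


def summarize(samples: list[float]) -> dict:
    """Mean ALE plus the 10th/90th percentiles decision makers usually ask for."""
    ordered = sorted(samples)
    n = len(ordered)
    return {"mean": statistics.fmean(ordered),
            "p10": ordered[int(0.10 * (n - 1))],
            "p90": ordered[int(0.90 * (n - 1))]}


def cost_benefit(current_ale: float, future_ale: float, annual_cost: float) -> dict:
    """Reduction in ALE attributable to the control, net of what the control costs."""
    reduction = current_ale - future_ale
    net = reduction - annual_cost
    return {"ale_reduction": reduction, "net_benefit": net,
            "roi": net / annual_cost if annual_cost else math.inf}


# Constructed estimates (placeholders, not real data).
CURRENT = Scenario("current: internally hosted",
                   tef=Pert(2, 6, 12), vulnerability=Pert(0.05, 0.15, 0.30),
                   loss_magnitude=Pert(50_000, 400_000, 2_000_000))
VENDOR_A = Scenario("future: vendor A hosted",
                    tef=Pert(2, 6, 12), vulnerability=Pert(0.01, 0.04, 0.10),
                    loss_magnitude=Pert(50_000, 300_000, 1_500_000))
VENDOR_A_ANNUAL_COST = 150_000.0  # placeholder subscription cost


def compare(current: Scenario, future: Scenario, annual_cost: float,
            iterations: int = 20_000) -> dict:
    """Simulate both states and return the summaries plus the cost-benefit view."""
    cur = summarize(current.simulate(iterations))
    fut = summarize(future.simulate(iterations))
    return {"current": cur, "future": fut,
            "decision": cost_benefit(cur["mean"], fut["mean"], annual_cost)}


if __name__ == "__main__":
    result = compare(CURRENT, VENDOR_A, VENDOR_A_ANNUAL_COST)
    for label in ("current", "future"):
        s = result[label]
        print(f"{label:8s} ALE mean ${s['mean']:>12,.0f}  "
              f"p10 ${s['p10']:>12,.0f}  p90 ${s['p90']:>12,.0f}")
    d = result["decision"]
    print(f"ALE reduction ${d['ale_reduction']:,.0f}, net benefit "
          f"${d['net_benefit']:,.0f}, ROI {d['roi']:.0%}")
```

To compare several vendors, build one `Scenario` per vendor and call `compare` for each against the same current state; because every run is seeded, the outputs are reproducible, which matters when the figures are defended in front of decision makers. Reporting the 10th and 90th percentiles alongside the mean keeps the range of the estimates visible rather than collapsing the comparison to a single number.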

Here's a generic look at the output from a RiskLens analysis comparing the current state on the left with various controls reducing loss exposure (chart image not reproduced here):

For a deeper look at comparing controls solutions by analyzing risk scenarios with the FAIR model and the RiskLens platform, see these case studies:

Case Study: Risk Team Finds the Best Data Protection Solution Based on ROI

Case Study Webinar: RiskLens Settles a Decision on Controls

Use of the FAIR ontology coupled with the RiskLens platform for quantified risk analysis drives:

  • Efficiency through a repeatable process that guides you step by step from creation to completion of any desired analysis.
  • Consistency through the ontology itself, ensuring that you have a clearly defined scope and all factors needed to create a meaningful and defensible risk analysis.

For example, suppose you want to know your risk exposure to a cyber-criminal attack on your company’s internal database containing sensitive customer data. FAIR and RiskLens walk you through four steps to complete a meaningful and defensible quantified risk analysis:

  1. Scope the scenario
  2. Gather the data
  3. Run the analysis, QA the results, and refine the estimates
  4. Report the results

For more detail, see The Risk Analysis Process at RiskLens.