You’ve learned about the FAIR model and its highly practical and productive way of analyzing risk and now you can never look at a risk heat map without seeing all the guesswork that went into it.
You’d like to bring risk quantification (and a more business-driven approach to risk in general) to your organization.
But you recognize that will take a lot of evangelizing and educating first.
Patience. You’re just going to have to meet your organization where it is now – heat maps and all – and lift it up. We put together this mini-guide of blog posts with tips on how to introduce risk quantification as a step forward from your co-workers’ familiar practices.
In a comprehensive white paper, FAIR model creator Jack Jones lays out the case for risk quantification in terms that senior management and board members can understand. He demolishes the compliance-focused, checklist-driven approach that’s the norm in industry today, explains FAIR and quantification on a high level and shows how it empowers prioritization and cost-benefit analysis for effective decision making.
Jack also suggests a roadmap for success to introduce quantification to your organization, build support and make some quick wins. If you don’t read anything else in this guide, read this.
This square, red, yellow and green chart, with risks plotted from Low to High is literally a picture of imprecise, qualitative thinking about risk. But it’s probably what your organization knows well.
Don’t fight it, join it. In this post, RiskLens Risk Consultant Cody Whelan explains how to run quantitative analyses then “translate” them back into new and improved heat maps.
Your company may already use the National Institute of Standards and Technology’s Cybersecurity Framework; more than one-third of big companies have adopted it in part or whole (according to a survey last year) for its clear and authoritative organization of risk management best practices into a scoring system.
But scoring on a scale of 1-5 does not help companies cost-effectively manage cybersecurity risk. Luckily, as RiskLens CEO Nick Sanna points out in this blog post, NIST CSF can be used in conjunction with the FAIR model to quantify risk, pointing companies toward a cost-effective approach to the cybersecurity requirements in the CSF—and making a good case internally for risk quantification.
Don’t lose your nerve here. As Cody Whelan writes, many analysts mistakenly think quantifying risk can’t be done without an “endless stream of highly complex data that can only be crunched and made recognizable by overpriced and unnecessarily complicated algorithms.”
In fact, you have more data than you think, and you need less of it than you think—if you know where to look and how to make “calibrated” estimates (ranges you are, say, 90% confident contain the true value) instead of demanding precise figures.
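To make the two points above concrete (running a quantitative analysis from calibrated estimates, then translating the result back onto the heat map your colleagues already use), here is an added, self-contained example. It is not code from RiskLens or from the posts summarized here. It assumes a FAIR-style decomposition of risk into loss event frequency and loss magnitude, represents each calibrated estimate as a (minimum, most likely, maximum) triple fed to a PERT distribution, and uses Monte Carlo sampling; the scenario inputs and the heat-map bin thresholds are constructed for illustration.

```python
"""FAIR-style Monte Carlo from calibrated estimates, mapped back to a 5x5 heat map.

Added illustration, not RiskLens code. Scenario inputs and heat-map bins are assumptions.
"""
import math
import random
import statistics

# Calibrated estimates as (minimum, most likely, maximum). Constructed sample inputs
# for one scenario, e.g. "ransomware takes the billing system offline".
LOSS_EVENT_FREQUENCY = (0.1, 0.5, 2.0)                 # loss events per year
LOSS_MAGNITUDE = (10_000.0, 100_000.0, 1_000_000.0)   # dollars per loss event

# Assumed bins for the organization's existing heat map: (upper bound, rating 1-4);
# anything at or above the last bound gets rating 5.
LIKELIHOOD_BINS = [(0.1, 1), (0.5, 2), (2.0, 3), (10.0, 4)]           # events per year
IMPACT_BINS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]  # dollars per event


def pert_sample(rng, lo, ml, hi, lam=4.0):
    """Draw from a modified PERT distribution fitted to a min / most-likely / max estimate."""
    if hi <= lo:
        return lo
    alpha = 1.0 + lam * (ml - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def pert_mean(lo, ml, hi):
    """Analytic mean of the PERT distribution with lambda = 4."""
    return (lo + 4.0 * ml + hi) / 6.0


def poisson_sample(rng, mean):
    """Number of loss events in one year for a given annual rate (Knuth's method; fine for small rates)."""
    limit = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lef, lm, trials=20_000, seed=7):
    """Return one simulated annual loss per trial.

    Each trial draws an annual event rate from the LEF estimate, a Poisson event count for
    that rate, and an independent loss magnitude for every event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = pert_sample(rng, *lef)
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    return losses


def summarize(losses):
    """Percentiles and mean of annualized loss: the numbers a decision maker can budget against."""
    deciles = statistics.quantiles(losses, n=10)
    return {"p10": deciles[0], "p50": deciles[4], "p90": deciles[8],
            "mean": statistics.fmean(losses), "max": max(losses)}


def rate(value, bins):
    """Map a quantitative value onto a 1-5 heat-map rating using explicit, documented thresholds."""
    for upper, rating in bins:
        if value < upper:
            return rating
    return 5


def heat_map_cell(lef, lm, summary):
    """Translate the quantitative result into heat-map coordinates, keeping the dollars alongside."""
    return {"likelihood": rate(pert_mean(*lef), LIKELIHOOD_BINS),
            "impact": rate(pert_mean(*lm), IMPACT_BINS),
            "annualized_loss_mean": summary["mean"],
            "annualized_loss_p90": summary["p90"]}


if __name__ == "__main__":
    result = summarize(simulate(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE))
    print(result)
    print(heat_map_cell(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE, result))
```

Two things the heat map alone cannot show come out of this: the thresholds behind each color are now written down and arguable, and the cell carries a loss distribution rather than a single point. For a low-frequency, high-magnitude scenario like the constructed one, the median annual loss is often zero while the mean and 90th percentile are large; that gap is exactly the information a qualitative rating hides.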
Look, we’re biased—we want you to run the RiskLens application to do your risk quantification because it’s purpose-built on the FAIR model, walks you through a real-world-tested workflow, runs on advanced quantitative risk analytics, and leverages built-in industry-specific loss data.
However, we recognize that some clients, even FAIR enthusiasts, want to try a do-it-yourself approach with spreadsheets before moving on to the RiskLens application. Just read these cautions from RiskLens Account Executive Chelsea Brunson first.
If you aspire to truly be a thought leader/teacher/evangelist of risk quantification in your organization, take a formal training course in the FAIR methodology and the economics of risk. You’ll learn and practice under expert supervision the core measurement concepts and best practices in analysis, and can go on to take the exam to earn your FAIR certification. RiskLens Risk Consultant Tim Wynkoop has the details.