Recently, two clients challenged us to rethink the RiskLens cyber risk analysis process. RiskLens clients run risk scenario analyses in two modes on the platform:
- Rapid Risk Assessments – A fast way (typically 15-minutes per analysis) to prioritize a list of scenarios based on loss exposure to give the organization some clear direction on broad strategic or tactical decisions by identifying, for instance, the top risks faced by a business unit.
- Detailed Risk Analysis – An in-depth, but time-consuming look at a few selected scenarios to gain a granular understanding of the drivers of risk, for instance to support a high-cost decision on adding controls. (A Detailed Analysis may be followed by Risk Treatment Analysis on the platform to assess control options on a cost-benefit basis).
Both approaches apply FAIR™, the international standard for cyber risk quantification, and leverage the platform’s Data Helpers to store data for repeated use in answering risk analysis workshop questions.
Taylor Maze is a Senior Risk Consultant and Tyler Britton is a Risk Consultant for RiskLens
But detailed analysis typically requires more time, mostly in data gathering: scheduling meetings with subject matter experts from the security and business operations to lock down estimates for every input to analysis –for instance on controls effectiveness based on a thorough walk-through of the attack chain. It’s highly targeted to the scenario and ultimately highly defensible.
Here’s where our clients challenged us. With distributed teams and the pace of decision-making growing ever faster, they needed to conduct a lot of detailed analyses over a short period of time. “Why can’t we have the best of both rapid and detailed?” they asked.
Introducing Pattern-based Thinking to Cyber Risk Analytics
In effect, they were asking us to build a new, repeatable, scalable process for Detailed Analysis. So, we took a fresh look at our risk analysis processes through the lens of “pattern-based thinking”.
It occurred to us that we often analyze similar scenarios over and over. A phishing or web attack analysis would require similar discussions on controls or reputation damage. Instead of starting over from the drawing board with data collection and analytical work, we could try to capture those patterns in Data Helpers. The end result: We could do a lot more data selection and a lot less data collection.
This new approach includes two features captured in Data Helpers
- Scenario archetypes. A collection of pre-formatted risk scenarios that we built on common attack chain sequences translated into FAIR terms, to guide us to our loss event frequency data.
- Decision options. For guidance on loss magnitude data, something like a built-in decision tree that minimizes the involvement of business SMEs. Let’s say your organization has a policy of notifying but not providing credit monitoring to affected customers if you have a breach of encrypted PII data – you would select that option from pre-formatted choices.
Two Use Cases - Faster Detailed Risk Quantification Analysis in Action
Our two clients put the new capabilities of the RiskLens platform into action.
- The financial industry client had just the kernel of a FAIR program in place and needed to rapidly roll out risk-based practices across the Infosec organization. By building out their Data Helpers, they achieved their goal of repeatable processes, while driving down SME involvement. They now complete a Detailed analysis in less than one hour.
- The technology industry client sought to implement FAIR in nine product areas. With the new, faster approach, they quickly identified, triaged and analyzed top risks in each area, with the help of re-usable, product-specific data.
Both clients will expand and sharpen the focus of their Data Helpers over time as they do more analyses. It’s important to note that updating a Data Helper also updates all the other analyses it feeds, improving the entire workflow. The end result: a risk-based program that’s both efficient, adaptable and rigorous.
Find out how pattern-based thinking, cyber risk quantification and the RiskLens platform can power your risk management – contact us.