In an extensive article just published in ‘Treasury & Risk’, “No More Red, Yellow, and Green: How to quantify cybersecurity benefits and manage cyber risks like other operational risks,” RiskLens CEO Nick Sanna writes that treasury, corporate finance, and operational and financial risk managers are under increasing pressure to answer to boards and regulators about cybersecurity risk posture, but run up against “The Great Cybersecurity Exception…”
“According to conventional wisdom in IT security circles, cyber risks cannot be assigned the same type of dollars-and-cents valuation as other risks because cyber risks are too technical and too dynamic, and historical data is too hard to find. Instead, cybersecurity professionals are often satisfied with ranking cyber risks red, yellow, or green.”
“That’s simply not good enough anymore. Cyber risk management is undergoing the same evolution that market risk, credit risk, and other forms of operational risk have undergone.”
Factor Analysis of Information Risk, the FAIR model that powers the RiskLens application, is the way to take that evolutionary next step, Nick argues.
“When paired with standard mathematical simulations, such as Monte Carlo, the FAIR approach becomes a cyber value-at-risk (VaR) model that mirrors the loss distribution approach (LDA) commonly used in the banking industry to meet capital requirements under Basel II. Similar to LDA, the FAIR model generates an annual loss distribution based on the projected frequency and magnitude of cyber events. The output of the model is an expression of cyber risk in financial terms.”
As a case in point, Nick gives a guided tour through a FAIR analysis of risk to “crown jewel” customer information (PII) in a database.
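The simulation described in the quote above, as an added example that is not code from the article or from RiskLens: each trial draws one year's loss events and their magnitudes, and the sorted annual losses give the mean and the 95th and 99th percentile value-at-risk. The Poisson frequency, the lognormal magnitude and every parameter value are assumptions chosen for illustration.

```python
import math
import random

# Constructed inputs (assumptions, not figures from the article).
LEF = 0.5               # loss event frequency: expected loss events per year
LM_MEDIAN = 200_000.0   # median loss magnitude per event, in dollars
LM_SIGMA = 1.0          # lognormal shape parameter for loss magnitude


def poisson(rng, lam):
    """Draw an event count for one year (Knuth's multiplication method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(trials=20_000, seed=1):
    """Return the sorted annual losses, one per simulated year."""
    rng = random.Random(seed)
    mu = math.log(LM_MEDIAN)
    losses = []
    for _ in range(trials):
        events = poisson(rng, LEF)
        losses.append(sum(rng.lognormvariate(mu, LM_SIGMA) for _ in range(events)))
    return sorted(losses)


def percentile(sorted_losses, q):
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    rank = max(1, math.ceil(q * len(sorted_losses)))
    return sorted_losses[rank - 1]


def summarize(sorted_losses):
    n = len(sorted_losses)
    return {
        "mean": sum(sorted_losses) / n,
        "p_no_loss": sum(1 for x in sorted_losses if x == 0) / n,
        "var95": percentile(sorted_losses, 0.95),
        "var99": percentile(sorted_losses, 0.99),
    }


if __name__ == "__main__":
    for name, value in summarize(simulate()).items():
        print(f"{name:>10}: {value:,.2f}")
```

With these inputs most simulated years carry no loss at all, so the median is zero and the tail percentiles, not the average, are what distinguish one scenario from another.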
The Treasury & Risk article comes at a time of rising interest among finance managers in quantified cyber risk analysis and the FAIR approach. We’ve been covering this movement in the RiskLens blog – here’s a sample of related posts: