Harvard Business Review surveyed readers in senior executive and board positions for their views on cyber risk management -- and the title of the report, “The Necessity of Cyber Risk Quantification,” says it all. Read the report.
Survey respondents identified cyber risk as the top risk their organizations face (even ahead of pandemic), but only half said they are “successful or very successful at generating insights and enabling informed decisions on cyber risk.”
“One reason for the low level of confidence,” HBR writes, “is that the board and leadership at most companies continue to rely heavily on non-quantitative information…instead of more sophisticated tools for quantifying risk, like open-source Factor Analysis of Information Risk (FAIR™).”
The report (sponsored by PwC) recognizes RiskLens for our “purpose-built platform, services and set of solutions to adopt and scale FAIR in large enterprises” and quotes Damon Becknel, chief information security officer (CISO) at Horizon Blue Cross Blue Shield of New Jersey, saying “I’m a big fan” of FAIR but that the methodology alone is “not easy to do at the enterprise level.” Becknel said that RiskLens “appears to address the need for cyber risk quantification” but added that his organization had not yet run a proof of concept.
FAIR adoption is still at a low level, HBR found, with many organizations still thinking of “quantification” as risk matrices with frequency and impact scales and scores assigned to them. FAIR analysis with the RiskLens platform quantifies risk in financial terms to directly support business decision-making.
However, a look at this chart of survey findings shows that the way is wide open for wider acceptance of a tool for more meaningful quantification. Asked for their organization’s “most important reasons for quantifying risk,” the survey respondents answered with a list of capabilities that lines up perfectly with the capabilities of the RiskLens platform.
“These findings suggest that respondents are discovering more ways to use cyber risk quantification to create a stronger risk culture while refining their ability to compare cyber and other risks accurately,” HBR concluded.
Read the Harvard Business Review report The Necessity of Cyber Risk Quantification.