New Day for Cyber Risk: CRQ Emerges

January 18, 2019  Jeff B. Copeland

Maps → GPS.  Flip-phones → iPhones. Qualitative cyber risk assessment →  Quantitative cyber risk assessment.  See a pattern here? There come inflection points when we realize that tools we once had to work with were inadequate in ways we could never have imagined.

Cyber risk analysis has hit an inflection point. For some time, qualitative risk analysis, using colorful heat maps or 1-5 ordinal scales based on analyst opinion, have been the accepted communication tool for sorting and ranking cyber risks. They made sense in a time when it was believed that nothing better could be done. Red, yellow, green – at a glance could allow anyone to see which risks were most worrisome and which could waved on through.  Easy.

Too easy. Weren’t the colors just the sum of the best guesses of the analysts? Could they stand up to hard questioning about how much potential loss the organization faced in money – not color – terms?  Could anyone have said how much in real money it would take to turn a red risk to a yellow risk? How could Boards, C-suites, even Infosec teams really use these outputs to make informed decisions to best protect the critical assets of the business? (Spoiler Alert: They couldn't)

Cyber risk quantification (CRQ) obsoletes the guesswork that heat maps represent by bringing cyber risk into line with the rest of risk analysis. In other words, generating forecasts on potential loss in financial terms that can support business decision-making. Results that risk managers and Infosec pros have wanted to present before the board or the C-suite to give them a true sense of the business risk posed through cyber, but didn’t think possible: “We’ve mitigated between $x and $y of probable loss, and the cost of the controls we employed was $z.”

What is CRQ? To start, it’s a way to think critically about cyber risk that’s developed over the last few years through  the FAIR model. With Factor Analysis of Information Risk, which is now trusted by more than 3,000 leading thinkers in risk and security, analysts can first scope a problem for analysis, then quantify each of the factors that go into building a model of risk, leading to reliable estimates of the probable frequency and probable impact of a loss event – a risk, expressed in a probable range of dollars. That was the first innovation.

The second innovation was the RiskLens CRQ application that guides the analyst through collecting data from what’s available within the organization on the history of cyber incidents and losses. Even incomplete data is enough because the application runs it all through a Monte Carlo analysis to generate a range of probable outcomes.

The result is a bell curve that’s an easy-to-grasp picture of risk, and one that's defensible because it's based on a data and a model that any of the stakeholders can review. You can even confidently array your risks on a heat map, now that you can put a dollar value on red, yellow and green. Analysts can also tweak the inputs to run what-if scenarios to test the impact of various controls in mitigating probable loss.

Sophisticated risk management shops at major corporations ( McAfee is a great example) have already road-tested RiskLens and are widely deploying it to drive high-level decision-making on cybersecurity.

So, the word is out – cyber risk quantification is doable and being done. The SEC is calling for it, Gartner is calling for it as a key pillar to Integrated Risk Management, and again - 3,000 of your peers are on board. Cyber risk is now a board-level issue, due to the increased pace of cyber attacks and, for regulated businesses, stricter reporting requirements. Boards will be demanding accountability from management which will flow down to the risk team in demands for quantifiable, actionable cyber risk assessments – or CRQ for short. It is your turn to step up, join this revolution and demonstrate that you are a pioneer in cyber risk.