In this 30-minute introductory webinar and product demo, RiskLens Risk Consultant Tyler Britton shows the power and flexibility of Risk Treatment Analysis, the new decision-support capability of the RiskLens platform for comparing controls and other risk treatments in terms of risk reduction and return on investment.
“What we are really talking about is getting better alignment between cybersecurity programs and business strategy,” Tyler says. “Another key point is that, from a business perspective, these kinds of considerations are either not feasible or they’re very difficult or impossible to do, if you are using qualitative analysis to report.”
You’ll get a good look at the process and interface as Tyler gives a live demo of Risk Treatment Analysis in action. It starts with defining risk scenarios and establishing a baseline level of probable loss exposure for successful attacks on specific assets.
Next, take the proposed new treatment options (for a ransomware scenario, that might be stronger antivirus protection vs. more frequent OS patching vs. antivirus signature updates) and their costs, and run the analyses again to see the reduction in risk from the baseline and the return on investment for every dollar spent.
The result: a clear picture of which option meets your needs most cost-effectively, with reporting in dollar terms that is easy to communicate to decision makers.
A Risk Treatment Analysis Report
To show the sophistication of Risk Treatment Analysis, Tyler describes a complex case comparing two controls to protect a crown jewel database: two-factor authentication (2FA) and encryption. Each would reduce risk below the desired threshold. 2FA costs half the price of encryption and has the higher return on investment. Encryption is pretty close in risk reduction per dollar spent and reduces risk twice as much as 2FA. Which is better?
“The real question,” says Tyler: “Is it good enough just to get below the risk threshold? Or are you looking to maximize the total amount of risk reduction? The answer would depend on the particular decision criteria and the preferences of the company. It highlights the complexity of real-world situations.”
Tyler says that if you were using a qualitative scale, both treatments would appear as “moderate” risk reduction and you’d probably just choose the cheaper solution and never see the actual differences between the two.
Risk Treatment Analysis gives you “the information that you need to tell a compelling story, with a strong rationale, and speak to the organization’s decision criteria.”
Schedule a demo to see how Risk Treatment Analysis could help your organization make better security investment decisions.