What Does RiskLens Reporting Tell Me?

March 10, 2021  Erin Macuga

We designed the reporting from the RiskLens platform to meet three requirements from our sophisticated and demanding clients. They want to see outputs that are:

  • Fast – Once data is loaded, analyses typically can be run in minutes.
  • Flexible – Analyses offer a wide range of viewpoints on risk, from a single asset at risk to enterprise-level risk, across a variety of threat actors, with controls added or subtracted and many more parameters changeable on the fly.
  • Easy to grasp for business decision makers – Analysis results must always be quantitative, expressed in dollars (or another currency), and highly visual.
  • Reliable and consistent. The RiskLens platform automates FAIR (Factor Analysis of Information Risk), the international standard for cyber risk quantification, recognized by the National Institute of Standards and Technology.

Here’s a look at some (but not all) of the key types of analysis reporting produced by the RiskLens platform.

Annualized Loss Exposure and Loss Exceedance Curve

Value for decision support: Shows a range of probable loss exposure at a high level and a granular level so decision-makers can exactly calibrate to their level of risk acceptance.

The details:

The RiskLens platform performs 50,000 Monte Carlo simulations to calculate the Annualized Loss Exposure (ALE), in financial terms, of the scoped risk scenario/s. Once the scenario has completed running, the analyst will immediately see two different charts. The first chart displays the ALE range of values highlighting the amount of loss exposure an organization has in a given year as it relates to the specified scenario. Beneath that range is a Loss Exceedance Curve that expresses the probability of a particular amount of loss materializing.


As mentioned above, the RiskLens platform provides a range of loss exposure that an organization could experience if the scenario being analyzed were to occur. Within this range are multiple metrics that could be used by the analyst to convey the results to their organization’s leadership or board.

Below is a brief description of each:

  • Minimum represents the lowest ALE, which shows the smallest amount of loss that occurred within the simulations. Based on the ALE image above, $34,300 was the smallest amount of loss that occurred within the simulations for this scenario. 
  • Maximum represents the highest ALE, which shows the largest amount of loss that occurred within the simulations. Based on the ALE image above, $819,900 was the largest amount of loss that occurred within the simulations for this scenario. This can be considered the worst case scenario.
  • Average represents the average of the simulations. This calculation is done exactly as it is mathematically defined – add up all the ALEs and divide by 50,000. Based on the ALE image above, $211,900 is the average amount of loss that occurred within the simulations for this scenario.
  • 10th percentile represents the value that 10% of the simulations run are less than or equal to. Based on the ALE image above, $97,700 was the value that 10% of the simulations were less than or equal to. Values below the 10th percentile represent such a small amount of loss exposure that they are considered outlier events.
  • 90th percentile represents the value that 90% of the simulations run are less than or equal to. Based on the ALE image above, $362,500 was the value that 90% of the simulations were less than or equal to. Values above the 90th percentile represent such a large amount of loss exposure that they are considered outlier events.
  • Most Likely represents the value that occurs the most often within the simulations. Based on the ALE image above, $137,700 was the most likely amount of loss that occurred within the simulations for this scenario. 
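The metrics above and a point on the Loss Exceedance Curve can be reproduced from any set of simulated annual losses. The sketch below is an added example, not RiskLens code and not the full FAIR model: it assumes a Poisson count of loss events per year and lognormal loss magnitudes, and every parameter value is constructed for illustration.

```python
import math
import random
from bisect import bisect_right

def simulate_annual_losses(n_sims, events_per_year, median_loss, sigma, seed=1):
    """Return sorted simulated annual loss totals (one value per simulated year)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(n_sims):
        # Exponential gaps between events yield a Poisson-distributed event count.
        t, total = rng.expovariate(events_per_year), 0.0
        while t < 1.0:
            total += rng.lognormvariate(mu, sigma)  # magnitude of one loss event
            t += rng.expovariate(events_per_year)
        totals.append(total)
    return sorted(totals)

def percentile(sorted_vals, p):
    """Value that p percent of simulations are less than or equal to (nearest rank)."""
    rank = max(1, math.ceil(p / 100 * len(sorted_vals)))
    return sorted_vals[rank - 1]

def most_likely(sorted_vals, bins=50):
    """Midpoint of the fullest histogram bin: a mode estimate for continuous data."""
    lo, hi = sorted_vals[0], sorted_vals[-1]
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for v in sorted_vals:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    return lo + (counts.index(max(counts)) + 0.5) * width

def exceedance_probability(sorted_vals, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return 1 - bisect_right(sorted_vals, threshold) / len(sorted_vals)

def summarize(sorted_vals):
    return {
        "minimum": sorted_vals[0],
        "maximum": sorted_vals[-1],
        "average": sum(sorted_vals) / len(sorted_vals),
        "p10": percentile(sorted_vals, 10),
        "p90": percentile(sorted_vals, 90),
        "most_likely": most_likely(sorted_vals),
    }

if __name__ == "__main__":
    # Constructed inputs: 4 loss events per year, $40,000 median loss per event.
    losses = simulate_annual_losses(50_000, 4.0, 40_000, 0.6)
    for name, value in summarize(losses).items():
        print(f"{name:>12}: ${value:,.0f}")
    for x in (100_000, 250_000, 500_000):
        print(f"P(loss > ${x:,}) = {exceedance_probability(losses, x):.1%}")
```

Because loss distributions of this kind are right-skewed, the average sits above the most likely value, which is the same pattern the page's figures show ($211,900 versus $137,700).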


Aggregated Risk Assessment

Value for decision support: Gain a strategic view of the broader elements of cyber risk to answer questions such as “What is our probable loss exposure from insiders?” “What is the risk across our databases that hold customer PII?”

The details:

Within the RiskLens platform, the analyst has the option to complete a risk assessment that evaluates multiple scenarios by showing them in aggregate. This assessment contains multiple additional and granular reporting options, including the aggregate ALE and Loss Exceedance Curve, that can be extremely beneficial in presenting the aggregate ALE results and scenarios to the organization’s leadership and board.

Top Risks Report

Value for decision support:  Quickly see a list of risks ranked by probable loss exposure for a business unit or enterprise to prioritize remediation projects.

The details:

A feature within the risk assessment enables the analyst to compare multiple analyses to each other. The Top Risks Report is interactive and assists the analyst in determining which scenario/s should be prioritized and promptly addressed within the organization. This report has three separate charts, each expressing a different way to rank risks, to help craft communication to leadership.

These three charts are:

  1. Most Severe Event – How much an event could cost if it were to occur and all relevant losses materialized
  2. Highest Probability to Exceed $X – The probability that a particular scenario is likely to exceed a specified threshold defined by the organization
  3. Top Annualized Risk – Helps effectively compare scenarios across the board, “apples to apples”

With this prioritization ability, the entire organization or a specific line of business can rapidly determine if a particular scenario requires an in-depth analysis leading to a targeted remediation plan. These charts also bring to the forefront the scenario/s that need to be addressed first, whether by implementing a specific control or upgrading to a newer software version.

Risk Treatment Analysis

Value for decision support: Compare alternative remediation approaches for amount of risk reduction in dollars; run cost-benefit analyses on those alternatives.

The details:

Another reporting option, once a risk assessment has been completed, is to conduct a comparison assessment by looking at the implementation of various controls and how they would reduce the organization’s risk exposure. If there are multiple controls that an organization is considering but they are not sure which control provides the most protection to reduce their risk, this feature enables the analyst to compare the controls to each other. When evaluating the controls, the analyst can also conduct a cost benefit analysis which allows for the addition of costs to enable a visual of the most cost effective control being considered. Within the platform these two features are combined as one capability with a results output that enables the visualization of which control is the most cost effective and which control implementation will result in a risk reduction.

The results of the comparison report demonstrate the exposure of the initial analysis compared to the iterations of comparison reports deemed relevant to the specific scenario. When looking at the chart, the analyst will notice that there is an interactive capability to choose the metric viewed, the threshold set by the organization, and filter options for viewing different aspects of the report. The analyst will also be able to understand the risk exposure of the initial analysis versus comparison reports that may increase in risk or have a risk reduction based on a control implementation. The chart at the bottom of the above screenshot highlights the treatment options and the associated cost that can be used to compare with risk reduction.

Summary:

The reporting options within the RiskLens platform can be used to report to an organization’s leadership and help them put the risk being faced by the organization into business context. The reporting also enables the analyst to understand which scenarios are a top priority for mitigation or upgrading, which scenarios pose the most risk to the organization, and which controls are cost effective and reduce the organization’s risk exposure. RiskLens offers a suite of solutions, including Rapid Risk Assessment, Cost Reduction and Budget Planning, Risk Treatment Analysis and more, and we continue to invest in developing our platform and services to make it faster and easier to translate risk analysis and insights into action and business value.