FAIR risk analyses are great – they allow you to understand cyber risk in dollars and cents. RiskLens is the SaaS platform that lets you conduct true quantitative cyber risk analysis.
To make things better, the workflow is easy:
- Scope the risk scenario: Identify the asset(s) at risk, threat community, threat effect(s) and loss
- Answer the questions generated by the RiskLens Cyber Risk Quantification application
- Click the “Run Analysis” button
The RiskLens computational engine then uses Monte Carlo simulation to calculate the annualized loss exposure (ALE), in financial terms, of the modeled risk scenarios. And, voilà – you have cyber risk analytics reports like the one below, which CEOs and boards are used to seeing in other risk domains:
Really, it’s a beautiful report – in terms of the mathematics – and the important numbers are listed for you. But you might not have a math degree, and it’s been a while since your last statistics course…so what do all the numbers listed in the chart mean again?
The Statistical Numbers Explained:
Let’s set the stage for the report above: RiskLens ran 10,000 simulations of a risk scenario for cybersecurity risk management.
- The minimum (min) is the single simulation that produced the lowest ALE – $4.1M (million).
- The maximum (max) is the single simulation that produced the highest ALE – $1.5B (billion).
- The average (avg) is the sum of the 10,000 ALEs divided by 10,000, giving us $171.1M.
- The 10th percentile (10th %) is the ALE where 10% of the simulations run are less than or equal to that value. In our example above, that is $40.9M: out of the 10,000 simulations run, 1,000 of the ALE values were less than or equal to $40.9M. Why 1,000? Because 1,000/10,000 = 0.1, or 10%.
- The 90th percentile (90th %) is the ALE where 90% of the simulations run are less than or equal to that value. In our example above, that is $392.9M. Another way to think about it: 10% of the simulations run are greater than or equal to $392.9M, which means that out of the 10,000 simulations run, 1,000 ALEs are larger than $392.9M (those on the right side of the 90th percentile line on the chart).
- The risk appetite (RA), the red line, is for companies that have set a target level for acceptable loss exposure, in this chart $450 million.
Recently, we added a new number: the MOST LIKELY (ml)! The ml is an estimate of the mode (the value that appears most often in a set of numbers), which we derive using a sophisticated technique called Half-Range Estimation. In the graph above, the ml is $86.0M.
You might be wondering how the ml can be less than the avg. Quick answer – math. Longer answer – the ml is the value that appears most often, while the avg is the sum of all the results divided by the number of simulations run. Loss distributions like this one are skewed to the right: most simulations land near the mode, but the long tail of rare, very large losses (out to the $1.5B max) pulls the average well above it.
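To make these numbers concrete, here is an added Python example (not RiskLens code; the RiskLens engine and its inputs are not described on this page) that runs a small Monte Carlo simulation of a FAIR-style scenario and computes the same summary statistics. The model is an assumption for illustration only: loss event frequency (LEF) is drawn from a triangular (min, most likely, max) distribution, loss magnitude (LM) from a lognormal, ALE = LEF × LM, and all parameter values are made up. The nearest-rank percentile follows the definition above (the value that 10% or 90% of runs are at or below). For the most likely value it uses Bickel's half-sample mode estimator, which I assume is similar in spirit to the Half-Range Estimation the post mentions; the actual RiskLens method is not specified here.

```python
import math
import random


def simulate_ale(n_runs, lef_range, lm_median, lm_sigma, seed=1):
    """Monte Carlo draw of annualized loss exposure (ALE), in dollars.

    Simplified FAIR-style model (an assumption for this example, not the
    RiskLens engine): LEF (events/year) ~ triangular(min, most likely, max),
    LM (dollars/event) ~ lognormal with the given median, ALE = LEF * LM.
    """
    rng = random.Random(seed)
    lo, most_likely, hi = lef_range
    return [
        rng.triangular(lo, hi, most_likely)          # note: (low, high, mode)
        * rng.lognormvariate(math.log(lm_median), lm_sigma)
        for _ in range(n_runs)
    ]


def percentile(values, p):
    """Nearest-rank percentile: the smallest sample value such that at least
    a share p (0..1) of the sample is less than or equal to it."""
    xs = sorted(values)
    rank = max(1, math.ceil(p * len(xs)))
    return xs[rank - 1]


def half_sample_mode(values):
    """Mode estimate: repeatedly keep the half of the sorted sample with the
    smallest range (Bickel's half-sample mode). Used here as a stand-in for
    the post's 'Half-Range Estimation', whose exact method is not given."""
    xs = sorted(values)
    while len(xs) > 3:
        half = (len(xs) + 1) // 2
        start = min(range(len(xs) - half + 1),
                    key=lambda i: xs[i + half - 1] - xs[i])
        xs = xs[start:start + half]
    if len(xs) == 3:                      # pick the closer pair, or the middle
        left, right = xs[1] - xs[0], xs[2] - xs[1]
        if left < right:
            return (xs[0] + xs[1]) / 2
        if right < left:
            return (xs[1] + xs[2]) / 2
        return xs[1]
    return sum(xs) / len(xs)


def summarize(values):
    """The statistics shown on the RiskLens report, computed from the runs."""
    return {
        "min": min(values),
        "max": max(values),
        "avg": sum(values) / len(values),
        "p10": percentile(values, 0.10),
        "p90": percentile(values, 0.90),
        "ml": half_sample_mode(values),
    }


if __name__ == "__main__":
    # Constructed inputs: 0.1-4 events/year (most likely 0.5), $50M median loss.
    ale = simulate_ale(10_000, (0.1, 0.5, 4.0), lm_median=50e6, lm_sigma=1.0)
    for name, value in summarize(ale).items():
        print(f"{name:>3}: ${value / 1e6:,.1f}M")
```

Running it with the seed fixed shows ml well below avg: the long right tail drags the mean up while the mode stays where the bulk of the runs land, which is exactly the effect the paragraph above describes.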
Gartner calls cyber risk quantification one of the must-have risk assessment tools for integrated risk management.
Not only did we add a new statistic, we also have a new report…
Loss Exceedance Curve
HOW COOL IS THIS! This is the same risk scenario that was analysed in the first risk report, but the results are presented in a different way. (The math nerd in me is really excited about this! I won’t bore you with more than that we are utilizing calculus here!) Let’s take a deeper dive:
- We have the same statistical numbers as before (max, min, avg, 10th %, 90th %, ml), outlined in the box on the left.
- A blog post on loss exceedance by our CTO Bryan Smith goes into more detail on how to read this graph, but here is a quick summary: the x-axis plots the ALE for the risk scenario considered in the analysis. The y-axis plots, from 0 to 100%, the probability of a loss being greater than the corresponding x-axis value. So we are looking at the probability of the risk scenario exceeding a certain dollar amount (e.g. there is a 20% chance of the ALE being greater than or equal to $200M).
Now instead of just showing the Board our risk, we can ask the Board and the business, “Are you comfortable with there being a 20% probability of ALE greater than or equal to $200M?”
The last thing I’d like to talk about is our Sensitivity Analysis. This analysis enables you to conduct what-if analyses. There are two types of tests you can run: a positive test and a negative test. With a positive test, you measure the opportunity of an improvement to your risk landscape. With a negative test, you find which factors in your risk landscape matter the most. (Check out Bryan’s Sensitivity Analysis blog post if you want to dig deeper.)
Here are some examples of Positive and Negative Tests for cybersecurity risk assessment:
- Positive Tests:
  - What if we increased a control strength?
  - What if threat event frequency were to decrease?
- Negative Tests:
  - What if a control’s efficacy decreases?
  - What if a threat’s capability increases?
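Added Python example (not RiskLens code) covering both the loss exceedance reading described above and the positive/negative what-if tests. It uses a simplified FAIR-style model that is an assumption for this example (LEF from a triangular distribution times LM from a lognormal), with constructed parameters and a constructed $450M risk appetite. The two what-if tests are my stand-ins for "threat event frequency decreases" (all LEF inputs halved) and "threat capability increases" (loss magnitude median raised); how RiskLens implements its sensitivity analysis is not described on this page.

```python
import math
import random

# Constructed baseline scenario and risk appetite (not from the page's report).
BASELINE = {"lef_range": (0.1, 0.5, 4.0), "lm_median": 50e6, "lm_sigma": 1.0}
RISK_APPETITE = 450e6


def simulate_ale(n_runs, lef_range, lm_median, lm_sigma, seed=1):
    """Simplified FAIR-style Monte Carlo (assumption for this example):
    ALE = LEF * LM with LEF ~ triangular(min, most likely, max) and LM ~ lognormal."""
    rng = random.Random(seed)
    lo, most_likely, hi = lef_range
    return [rng.triangular(lo, hi, most_likely)
            * rng.lognormvariate(math.log(lm_median), lm_sigma)
            for _ in range(n_runs)]


def exceedance_probability(values, threshold):
    """One point on the loss exceedance curve: share of runs with ALE >= threshold."""
    return sum(1 for v in values if v >= threshold) / len(values)


def loss_at_exceedance(values, prob):
    """Inverse reading: the ALE that a share prob of the runs reach or exceed
    (the largest sample value whose exceedance probability is still >= prob)."""
    xs = sorted(values, reverse=True)       # xs[k-1] is reached by exactly k runs
    k = max(1, math.floor(prob * len(xs)))
    return xs[k - 1]


def loss_exceedance_curve(values, points=10):
    """(threshold, P[ALE >= threshold]) pairs from min to max, ready to plot."""
    lo, hi = min(values), max(values)
    step = (hi - lo) / points
    return [(lo + i * step, exceedance_probability(values, lo + i * step))
            for i in range(points + 1)]


def what_if(changes, threshold=RISK_APPETITE, n_runs=10_000, seed=1):
    """Sensitivity test: re-run the model with changed inputs and compare the
    average ALE and the chance of exceeding the risk appetite against the
    baseline. The same seed is used for both runs (common random numbers), so
    the difference comes from the changed input, not from sampling noise."""
    base = simulate_ale(n_runs, seed=seed, **BASELINE)
    test = simulate_ale(n_runs, seed=seed, **{**BASELINE, **changes})
    return {
        "baseline_avg": sum(base) / n_runs,
        "test_avg": sum(test) / n_runs,
        "baseline_p_exceed": exceedance_probability(base, threshold),
        "test_p_exceed": exceedance_probability(test, threshold),
    }


if __name__ == "__main__":
    ale = simulate_ale(10_000, **BASELINE)
    print(f"P[ALE >= $200M] = {exceedance_probability(ale, 200e6):.1%}")
    print(f"ALE exceeded with 20% probability: ${loss_at_exceedance(ale, 0.2) / 1e6:,.1f}M")
    print(f"P[ALE >= risk appetite $450M] = {exceedance_probability(ale, RISK_APPETITE):.1%}")
    for x, p in loss_exceedance_curve(ale, points=5):
        print(f"  ${x / 1e6:>8,.1f}M  {p:.1%}")
    # Positive test: threat event frequency halved (e.g. a stronger control).
    print("positive:", what_if({"lef_range": (0.05, 0.25, 2.0)}))
    # Negative test: loss magnitude up 60% (e.g. a more capable threat).
    print("negative:", what_if({"lm_median": 80e6}))
```

The board question from the post ("are you comfortable with a 20% probability of ALE greater than or equal to $200M?") maps directly onto `exceedance_probability` and `loss_at_exceedance`; the what-if results show how much each input moves both the average and the probability of blowing through the risk appetite line.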
Want to learn more about other reports you’ll get from running an analysis? Contact a RiskLens Expert.