Why Quantification is the Core of Effective Risk Management

January 23, 2019  Nicola (Nick) Sanna

The  FAIR framework defines the necessary building blocks for implementing effective cyber risk management programs. The quantification of cyber risk is at the core of developing effective cyber risk management programs. After all, "You cannot manage what you don't measure."

Managing Risk Explicitly in Order to be Effective Your organization already manages risk. The question is whether it is doing it implicitly or explicitly. A risk management program needs to be explicit to be effective.

  • In an implicit approach to cyber risk management, an organization might have aligned its cybersecurity policies with a framework like NIST CSF, and it might have a NIST CSF-based enterprise risk assessment performed annually. The cybersecurity staff probably prioritize and work hard to address the findings from that assessment. Where the organization ends up risk-wise is a by-product of these efforts.
  • There is little control of the outcome from a residual loss exposure perspective as it isn't clearly defined, and the measurements are only loosely associated with risk. In order to be explicit, there would need to be a specific and quantified risk target that is actively being managed to.

Defining Risk Management FAIR defines risk management as 'the combination of personnel, policies, processes, and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure. A closer look at this definition reveals key take-aways:

  • Cost Effectively: The responsibility of mature risk professionals is not simply to help their organizations to manage risk, but to manage it cost-effectively. Organizations compete on many levels, and if an organization is able to manage risk more cost-effectively than its competition, then it wins on that level.
  • Achieving and Maintaining: Achieving an objective suggests that an objective exists. Maintaining a risk objective over time requires the ability to quantify and compare.
  • An Acceptable Level of Loss Exposure: Adopting a risk assessment framework, predefined checklists and set of common practices is a form of implicit risk management and will not enable you to achieve a defined acceptable level of risk. Explicitly managing risk requires that one or more quantitative risk-based objectives exist.

Building the Right Foundation for Effective Risk Management

The foundation required to achieve and maintain effective risk management is comprised of five elements.

  • Cost-effective risk management: a program that meets the definition of risk management listed above.
  • Well-informed decisions: every decision involves a choice, and in order for those to be well-informed...
  • Effective comparisons: ...a decision-maker has to be able to compare the options before him/her.
  • Meaningful measurements: quantitative measurements in financial terms that all stakeholders can understand.
  • Accurate models: accurate models of risk and of explicit risk management that can scale in real-life.

The open  FAIR methodology was conceived as a way to provide meaningful measurements so that it could satisfy management's desire to make effective comparisons and well-informed decisions. FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk.

Implementing an Effective Risk Management System

FAIR tells us that an effective risk management system is comprised of the following elements:

  • Risk: a function of the threats, assets, controls and impact factors (e.g., laws, etc.) that drive loss exposure.
  • Risk Management: comprised of decisions and execution. Those decisions are related to the risk governance that the organization decides to implement. What an organization actually gets in terms of risk is a function of execution within the context of those decisions.
  • Feedback Loop: feedback about the conditions of asset-level controls, metrics related to threat intelligence and losses, metrics regarding conditions that affect execution (e.g., awareness, capabilities) and root-cause analysis data.

Consider  solutions that have been built from the ground up on the FAIR methodology to quantify cyber risk and create the foundation for truly effective cyber risk management programs.