“Cyber risk quantification” – it’s becoming an industry buzzword. You probably get the basic premise that CRQ is a way to put a dollar figure on loss exposure from cyber events, but – uh-oh, math and data anxiety kicking in. In this blog post, we’ll explain how the free Industry Cyber Risk Report and the My Cyber Risk Benchmark tool from RiskLens produce valid and, most importantly, useful numbers while keeping the math under the hood.
Putting a Number on Risk Is Not Quantification
First, let’s clear up one point of confusion. Assigning a numeric value to a list of risks based on the opinions of your risk and security teams is not quantification.
Reality check: Could you as easily assign red, yellow, and green colors to the items on your list?
Then you’re still dealing with subjective or qualitative analysis, mainly useful for a rough prioritization exercise. Similarly, by assigning numbers as a maturity score for the NIST CSF, you’re measuring progress on a framework of best practices, not measuring risk or risk reduction directly.
What FAIR™ (Factor Analysis of Information Risk) Teaches Us
You’ve probably seen a list of “risks” that includes “ransomware”, “nation-state hackers”, “the cloud”, etc. – but those are types of risk, threat actors that may cause risk, or general areas of concern, not risks themselves that can be measured in a useful way.
For that you need a standard, repeatable model for defining and analyzing risk and a source of reliable data that together will quantify risk as probable loss exposure in dollars and a probable frequency of occurrence.
The FAIR methodology teaches us that risk is…
“The probable frequency and probable magnitude of future loss”
In alignment with this definition, the methodology behind the Industry Cyber Risk Report and My Cyber Risk Benchmark, new from RiskLens, measures risk in similar terms: risk is composed of two measurable elements, the probable frequency of a loss event and the probable magnitude of the loss.
Add Some (Highly Refined) Data
A common hesitation at this point:
"But we don’t have good data on any of this."
RiskLens has invested extensive time and effort in data science to produce and build in all the data you need to benefit from our tools. We take in the best available data on the frequency and loss magnitude of breaches and other cyber events from trusted sources such as Advisen and the Verizon Data Breach Investigations Report (DBIR) plus our proprietary data and apply our own curation to refine that data.
Example: The data science team has created a library of over nine million risk scenarios covering a huge range of data inputs and outcomes, sorted by industry, geography, company size and other variables.
Read more about RiskLens data science research.
What the Numbers Will Tell You: The Risks that Matter Most to Your Organization
With the best data available in hand and that vast scenario collection, we run sophisticated Monte Carlo simulations under the hood. You may know Monte Carlo from financial planning where it is a standard tool to forecast dollar figures for probable returns from the stock market over time. We use it to generate a range of probable outcomes for cyber loss events. The averages from those simulations – aggregated to categories (ransomware, insider error, etc.) – are the figures you see displayed in the free Industry Cyber Risk Report and the My Cyber Risk Benchmark tool:
- The expected financial loss per event is the average financial loss for an event in that category.
- The annual probability of event occurrence represents the chance (in percentage terms) an event will happen at least once in a year.
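To make the two figures above concrete, here is an added worked example (not RiskLens code, and not the model behind its products) of the simulation step in FAIR terms. It assumes a simple shape for each risk category: the number of loss events per year follows a Poisson distribution with a mean "event rate" (probable frequency), and the dollar loss of each event follows a lognormal distribution (probable magnitude). The category names and parameters are constructed for illustration. The simulation runs many years, then reports exactly the two numbers the report displays, expected loss per event and the annual probability of at least one event, plus the annualized loss expectancy used to rank categories. A closed-form helper gives the values the simulation should converge to, so you can check that the Monte Carlo is behaving.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk category described in FAIR terms (assumed shape, not RiskLens's model)."""
    name: str
    event_rate: float    # probable frequency: mean loss events per year (Poisson lambda)
    loss_median: float   # probable magnitude: median dollar loss per event (lognormal)
    loss_sigma: float    # spread of the per-event loss in log space


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of loss events in one year for a Poisson(rate) process."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_scenario(scn: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over many simulated years; returns the figures a benchmark report shows."""
    rng = random.Random(seed)
    mu = math.log(scn.loss_median)           # lognormal location parameter
    events = 0
    loss_sum = 0.0
    years_with_event = 0
    annual_losses = []
    for _ in range(years):
        n = sample_poisson(rng, scn.event_rate)
        year_loss = sum(rng.lognormvariate(mu, scn.loss_sigma) for _ in range(n))
        events += n
        loss_sum += year_loss
        if n > 0:
            years_with_event += 1
        annual_losses.append(year_loss)
    annual_losses.sort()
    return {
        "category": scn.name,
        # average loss of an event in this category; 0.0 if no event was ever simulated
        "expected_loss_per_event": loss_sum / events if events else 0.0,
        # share of simulated years in which the event happened at least once
        "annual_probability": years_with_event / years,
        # average total loss per year (frequency x magnitude)
        "annualized_loss_expectancy": loss_sum / years,
        # a "bad year" figure: 90th percentile of annual loss
        "annual_loss_p90": annual_losses[int(0.9 * years)],
    }


def analytic_expectations(scn: Scenario) -> dict:
    """Closed-form values the simulation converges to; used to sanity-check a run."""
    mean_loss = scn.loss_median * math.exp(scn.loss_sigma ** 2 / 2)
    return {
        "expected_loss_per_event": mean_loss,
        "annual_probability": 1.0 - math.exp(-scn.event_rate),
        "annualized_loss_expectancy": scn.event_rate * mean_loss,
    }


def rank_categories(scenarios, years: int = 20000, seed: int = 7) -> list:
    """Simulate every category and rank them by annualized loss expectancy, highest first."""
    results = [simulate_scenario(s, years, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["annualized_loss_expectancy"], reverse=True)


# Constructed sample parameters for three categories; the numbers are illustrative only.
SAMPLE_SCENARIOS = (
    Scenario("ransomware", event_rate=0.2, loss_median=250_000, loss_sigma=1.0),
    Scenario("insider error", event_rate=1.5, loss_median=20_000, loss_sigma=0.8),
    Scenario("web application attack", event_rate=0.5, loss_median=60_000, loss_sigma=1.2),
)

if __name__ == "__main__":
    for r in rank_categories(SAMPLE_SCENARIOS):
        print(f"{r['category']:<24} per-event ${r['expected_loss_per_event']:>12,.0f}  "
              f"annual probability {r['annual_probability']:6.1%}  "
              f"ALE ${r['annualized_loss_expectancy']:>10,.0f}  "
              f"bad year (p90) ${r['annual_loss_p90']:>10,.0f}")
```

Two things are worth noticing when you run it. The annual probability is not the event rate: a category with a rate of 1.5 events per year has a probability of roughly 78% of occurring at least once, not 150%. And the ranking by annualized loss expectancy can differ from a ranking by either figure alone, which is why the report shows both and why a single "average loss" without a frequency is not a risk.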
In easy-to-read infographics, the Industry Cyber Risk Report will display your industry’s top three categories of risk; My Cyber Risk Benchmark will display a ranked list of seven risk categories for your industry side by side with a list of risks customized to your organization so you can benchmark your risk profile against the industry norms. Additionally, you’ll see your SecurityScorecard rating for indications of how to improve your risk posture.
The bottom line: Using trustworthy methods and well-vetted data, RiskLens provides you with a fast and easy way to discover and understand the top risks facing your organization, a great first step to planning your cybersecurity strategy.