Tech Company Quickly Identifies Top Cyber Risks with Quantitative Analysis

March 20, 2020

Many RiskLens clients take their first step into cyber risk quantification with a Top Risks Workshop, using the Triage function in the RiskLens Platform to quickly identify a short list of high-risk scenarios for deeper quantified analysis. Here’s the Top Risks experience for one major tech company. 

The Challenge

Technology companies are constantly competing to bring the most innovative products to market. With each technological advancement comes additional risk exposure that the organizations must be able to effectively identify, measure, and prioritize. But risk management often takes a backseat to product development, seen as an offramp in the way of speed to market.

The risk management team at a major tech company was looking for a way to break through that mindset and win a seat at the decision-making table. One point on their side: The company was subject to reporting to the SEC, following the agency’s 2018 guidelines on disclosure of cyber risk in financial terms.

However, the qualitative heat maps the team used to guesstimate risk didn’t give them the ability to:

  1. Identify, measure, and prioritize the risks that are most important to business operations
  2. Evaluate the top risk scenarios including insight into highest-risk assets and threat communities
  3. Effectively communicate the posture of the cyber risk program to executive management in order to adhere to the “timely collection and evaluation of information potentially subject to required disclosure” as required by SEC guidance

The Solution

The team turned to the RiskLens Platform that operationalizes quantitative cyber risk analysis with the  Factor Analysis of Information Risk (FAIR™) model to help address the above requirements in a more meaningful way.

1.  Identify, measure, and prioritize the risks that are most important to business operations

In order to effectively quantify risk, FAIR requires consistently defining scenarios based on assets at risk, threats and loss effects. The organization leveraged this approach by identifying the most critical assets, the most likely threat actors, and the most probable and/or impactful ways in which the loss would materialize.

Once the most probable and impactful scenarios were identified, the list was quickly prioritized using the  Triage function in the RiskLens platform. This exercise was completed over the course of a two-day  Top Risk Identification Workshop led by experienced consultants from the RiskLens Professional Services team.

Once triaged, the top 10 scenarios were fully quantified in the RiskLens Cyber Risk Quantification (CRQ) platform.

Figure 1 displays the combined aggregate annualized loss exposure across all 10 scenarios:


2.  Evaluation of top risk scenarios including insight into highest-risk assets and threats

The team was then able to drill down into the top risks aggregate annualized exposure and view the highest-risk threat communities and assets.

Figure 2: Aggregate Loss Exposure by Threat Community Top-Risks-Case-Study-Figure-2

Figure 3: Aggregate Loss Exposure by Asset



In addition to gaining an understanding of the total annualized loss exposure related to the 10 scenarios, the organization was also able to identify which of the 10 posed the highest risk individually.

Figure 4: Top Analysis Scenarios by Loss Exposure (90 th Percentile) Case-Study-Figure-4-Top-Analysis-Scenarios-by-Loss-Exposure-90th-Percentile-768x336


3.  Effec

3. Effetive communication of the posture of the cyber risk program to executive management

With the help of the RiskLens platform powered by the FAIR model, the organization was able to report on the top risks to executive management and the board in they language they best understand – dollars and cents. Not only was it possible to grasp the aggregate loss exposure posed in total by the ten scenarios, but using the RiskLens reporting capability, the team was also able to look closer into each of the scenarios to evaluate the frequency and magnitude of the event, as well as the drivers for the loss.

Figure 5: Breach of Crown Jewel Database – External Per Event Results











Figure 6: Breach of Crown Jewel Database – External Aggregate Loss Exposure by Form of Loss Figure-6-Breach-of-Crown-Jewel-Database-–-External-Aggregate-Loss-Exposure-by-Form-of-Loss  

Results and Key Benefits

With the Top Risk analysis in hand and experience with FAIR quantitative cyber risk analysis, the risk team had found their credibility builder, demonstrating it could communicate the impact of cyber risk in the financial terms that the board, senior management ,and regulators could understand. With a clear view of Top Risks, the organization could then leverage further FAIR analyses to support decision-making on

  • Evaluation of control adequacy
  • Prioritization of mitigation efforts
  • Determination of cyber insurance needs
  • Justification of additional security investments and controls -- particularly covering new products the organization plans to roll out, going forward.