Decoding the Cyber Risk Quantification Models: Selecting the Right Framework

Forrester recently published a report on the growing trend of CISOs turning to cyber risk quantification (CRQ) models to support board-level decision-making. But before jumping on the bandwagon, it’s important to understand the different cyber risk models available. For more on the current state of the developing CRQ market, and useful starting points for your CRQ journey, read on.

Understanding Cyber Risk Quantification 

Cyber risk quantification numerically projects the potential impact of a given risk on business objectives. It goes beyond subjective risk assessments by providing organizations with actionable insights based on monetized numbers. 

What is a Cyber Risk Quantification Model?

Cyber risk quantification models are tools or approaches that assist organizations in measuring and assessing the potential risks and impacts associated with cybersecurity threats in dollars and cents. They aim to provide a systematic way to evaluate the likelihood of cyber-attacks or incidents occurring and the potential financial consequences they may have on the organization.

The Dominance of the FAIR Model

The Factor Analysis of Information Risk (FAIR) model stands out as the dominant risk quantification framework. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the FAIR model offers a systematic and consistent methodology to assess cyber risk. It has gained prominence due to its wide applicability and status as an open standard adopted by the Open Group.

The FAIR model is designed to address the limitations of traditional risk assessment approaches and focuses on establishing accurate probabilities for the frequency and magnitude of data loss events. By breaking down risk factors into discrete elements, such as threat events, vulnerabilities, and potential impacts, FAIR provides a comprehensive understanding of the potential risks an organization faces.

One of the key strengths of the FAIR model is its ability to quantify cyber risks in financial terms. It translates complex technical risks into business language, allowing security leaders to communicate effectively with executives, boards, and stakeholders in terms of dollars and cents. This is particularly crucial for Chief Information Security Officers (CISOs) who need to communicate cybersecurity risks to their CEO and board members.

However, while the FAIR model has gained widespread recognition, its implementation can be challenging for some organizations. Critics have cited concerns about its academic nature, impracticality to scale, and significant resource requirements. Organizations should carefully assess their readiness and capacity to adopt the FAIR model before committing to its implementation.

Cyber Risk Quantification Models

Apart from the FAIR model, several other cyber risk quantification tools deserve attention for their unique approaches and methodologies. Let’s explore some of these models:

  1. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by the Computer Emergency Readiness Team (CERT) at Carnegie Mellon University, OCTAVE is a framework for identifying and managing information security risks. It focuses on identifying information assets critical to an organization’s goals, evaluating threats to those assets, and assessing vulnerabilities that could expose them to threats.
  2. COBIT (Control Objectives for Information and Related Technology): Developed by ISACA, COBIT is a framework for IT management and governance. While primarily focused on IT, it also integrates multiple risk practices throughout the framework, referring to various globally accepted risk frameworks. COBIT’s flexibility allows organizations to tailor their governance via the framework to meet their specific requirements.
  3. TARA (Threat Assessment and Remediation Analysis): TARA is an engineering methodology used to identify and assess cybersecurity vulnerabilities, as well as deploy countermeasures to mitigate them. It is part of MITRE’s portfolio of systems security engineering (SSE) practices. A TARA assessment involves conjoined trade studies, ranking attack vectors based on the assessed risk, and selecting countermeasures based on assessed utility and cost.

Factors to Consider when Selecting a Cyber Risk Quantification Model

Selecting the most appropriate cyber risk quantification model requires careful consideration of several factors. Organizations should define their specific objectives, such as prioritizing risk mitigation efforts, allocating cybersecurity resources effectively, or communicating risk to stakeholders. Understanding the nature of the organization, its industry, size, and risk appetite is crucial to finding a model that aligns with the organizational context. Consideration of regulatory requirements, available resources, and the complexity of the technology environment is essential when evaluating different models.

Moreover, organizations must assess the capabilities of each model they are evaluating. Important features to look for include the ability to capture multiple types of risks, scalability, flexibility, and integration with existing risk management frameworks or tools. Additionally, evaluate the model’s ability to handle various cyber threats, vulnerabilities, and potential impacts on the organization.

The Process of Quantifying Cyber Risk

Quantifying cyber risk involves several stages that help organizations gain a comprehensive understanding of their risk landscape. Let’s explore these stages:

  • Identify Business Lines to Protect: Evaluate the revenue-generating business lines and identify the resources that must be operational to support those lines. For instance, shutting down a critical shipment line or an e-commerce website being unavailable could have significant direct financial costs.
  • Crown Jewels: Identify the crown jewels of the organization—both physical and logical assets critical to supporting the business lines. Physical assets may include servers, power supplies, and the supply chain, while logical assets include systems that process orders, API requests, and third-party suppliers essential for business operations.
  • Direct Cost: Assess the direct financial costs that would result from a successful cyber-attack on each asset. Consider various attack scenarios and the potential financial impact on each business line.
  • Extra Expenses: In addition to direct costs, consider potential extra expenses resulting from a cyber-attack. This may include reputation damage, potential fines for data breaches, and other regulatory or legal costs.
  • Risk Scenarios: List all business assets and sensitive data, including proprietary and sensitive information that, if compromised, could significantly impact the organization.

Next Steps in Quantifying Cyber Security Risk

After collecting data on the identified risk scenarios, organizations can proceed with quantifying the cyber security risk. This process involves mapping each business risk to a cyber risk scenario based on the stages below:

  • Inherent Risk Calculation: For each risk scenario, calculate the inherent risk by assessing the direct financial impact, replacement costs, reputation damage, potential fines, competitive advantages lost, and response expenses that could occur in the event of an attack.
  • Controls and Safeguards: Develop a list of controls and safeguards to mitigate each risk scenario based on the threat actors, their capabilities, and techniques. Rely on established cybersecurity frameworks such as MITRE ATT&CK, NIST cybersecurity standards, or CIS.
  • Residual Risk Calculation: Assess the status of controls in your organization and calculate the remaining, residual risk for each risk scenario. Regularly update these numbers as the control status changes.

How Centraleyes Does CRQ

Quantifying risk in financial terms is a difficult task. One of the most popular features in the Centraleyes GRC platform is the Primary Loss calculator.

In this calculator, we look at six different factors of primary loss: productivity loss, response loss, replacement loss, competitive advantage loss, fines and judgment loss, and reputation loss. Across each one of these factors, you can set a minimum and maximum exposure threshold, a “Most Likely” lever, and a confidence level.

As you set these up you will see a real-time calculation of your primary loss. Once you are done setting up and calculating these different factors, you will get a Total Primary Loss number that you can attach to various assets and items in the platform, including the risks in the Centraleyes automated Risk Register.
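To make the inherent-to-residual steps above and the six-factor Primary Loss inputs concrete, here is an added worked example in Python. It is not Centraleyes’ code or calculator: modelling each factor’s minimum, “Most Likely” and maximum with a modified-PERT distribution, treating the confidence level as the PERT weight on the most likely value, and reducing inherent loss linearly by a control-effectiveness ratio are my assumptions, and the sample figures are constructed.

```python
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class LossFactor:
    name: str
    minimum: float       # minimum exposure threshold
    most_likely: float   # the "Most Likely" lever
    maximum: float       # maximum exposure threshold
    confidence: float = 4.0  # weight on most_likely; 4 is the classic PERT value (assumption)

    def __post_init__(self):
        if not 0 <= self.minimum <= self.most_likely <= self.maximum:
            raise ValueError(f"{self.name}: need 0 <= min <= most likely <= max")

    def expected(self) -> float:
        """Closed-form modified-PERT mean: (min + c*mode + max) / (c + 2)."""
        return (self.minimum + self.confidence * self.most_likely + self.maximum) / (self.confidence + 2)

    def sample(self, rng: random.Random) -> float:
        """One draw from the modified-PERT distribution (a beta scaled onto [min, max])."""
        span = self.maximum - self.minimum
        if span == 0:            # a fixed cost: nothing to sample
            return self.minimum
        alpha = 1 + self.confidence * (self.most_likely - self.minimum) / span
        beta = 1 + self.confidence * (self.maximum - self.most_likely) / span
        return self.minimum + span * rng.betavariate(alpha, beta)

def total_primary_loss(factors) -> float:
    """Expected Total Primary Loss: the sum of the factor means (the inherent figure)."""
    return sum(f.expected() for f in factors)

def simulate_total_loss(factors, trials=10_000, seed=1):
    """Monte Carlo view of the same inputs: (median, 95th percentile) of total loss."""
    rng = random.Random(seed)
    draws = sorted(sum(f.sample(rng) for f in factors) for _ in range(trials))
    return draws[len(draws) // 2], draws[int(0.95 * len(draws))]

def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Simplified residual risk (assumption): inherent loss scaled by control effectiveness in [0, 1]."""
    return inherent * (1.0 - control_effectiveness)

# Constructed sample inputs (currency units), one per factor named in the post.
SAMPLE_FACTORS = (
    LossFactor("productivity", 50_000, 120_000, 400_000),
    LossFactor("response", 20_000, 60_000, 160_000),
    LossFactor("replacement", 10_000, 25_000, 85_000),
    LossFactor("competitive advantage", 0, 0, 240_000),
    LossFactor("fines and judgments", 0, 60_000, 540_000),
    LossFactor("reputation", 12_000, 48_000, 300_000),
)
```

Raising a factor’s `confidence` pulls its expected value toward the “Most Likely” figure, while the Monte Carlo percentiles show how wide the total remains when the min/max thresholds are far apart.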

Book a demo today to see how Centraleyes can transform your risk management program.
