Why you need a Quantitative Cybersecurity Risk Assessment


Cybersecurity Football

You are presented with two arguments about who is going to win the Super Bowl this weekend. Which sounds more persuasive and informative to you? 

“The Seattle Seahawks have a medium chance of winning!”

“The New England Patriots have a 39.8% chance of winning!”

Obviously, the second statement is more meaningful than the first. The fact that a percentage is being used makes it easier to understand exactly what the person is saying. The “medium” could be 40%, or 50%, or 62%. “Medium” must be defined for it to be as meaningful as “57% chance.”

This is the power of quantitative answers! 

If you work for a small to medium sized business, you probably haven’t put too much thought into cybersecurity. You might be thinking something along the lines of, “Of course cybersecurity is a concern, but we already have so much on our plate. Cybersecurity is expensive. Maybe in a few years, when we’re big enough to get noticed…”

This is a mistake. 

If your company uses the Internet in any way, you’re already big enough to get noticed. According to University of Maryland research, an unsecured machine with Internet access can expect an attempted cyber attack every 39 seconds. As you read this, there are probably dozens of bots sniffing around your systems, looking for vulnerabilities. You may get lucky this year, and the next, but if you don’t take your security seriously, it’s only a matter of time before your data is leaked, your employees are phished, or your website is taken down.

Ok fine. Cybersecurity is important. We can all agree on that. But now you’re probably thinking, “Where do I even start? I know some of the basic risks, like phishing and stuff, but what about the risks I don’t know about? And which risks are more important? I can’t fix every problem, I don’t have the time or money!”

You aren’t alone. Improving your cybersecurity from scratch is incredibly overwhelming. It can seem easier to give up before you begin. But have no fear: there is a tried and tested methodology to get your cybersecurity program on the road.

And this, my friend, is why your company needs a quantitative cybersecurity risk assessment!


What is a Cybersecurity Risk Assessment?

It’s exactly what it sounds like! It’s an assessment of the cybersecurity risks facing your business. The final product of the assessment is the risk assessment report.

The risk assessment process usually starts with an interview period. Your cybersecurity team will spend a good amount of time interviewing various people at your company to get a good understanding of your operations. They’ll also ask questions like “How much customer data do you store?” and “How much is your typical payroll run?” to get an understanding of how much you stand to lose in a cybersecurity incident.

After they’ve assessed your business, your cybersecurity expert will write up a report detailing your risks and give you an idea of which ones you should focus on first, using some function of their likelihood of occurrence and potential damage.

Some professionals use a qualitative approach, ranking the likelihood and magnitude of your risks on a subjective scale with the steps “low,” “medium,” and “high,” from 1 to 5, or something similar.

This works okay, but it could be better. At Fractional CISO, we believe taking a quantitative approach to risk assessments creates better, more informative reports. With a quantitative cybersecurity risk assessment, your company will have a clear and actionable view of your cybersecurity risks.

So what is a Quantitative Cybersecurity Risk Assessment?

It’s simple! Rather than using wishy-washy terms like “low” and “high” to characterize risk, our team uses percentages and discrete monetary values to quantify your risk. For instance, after interviewing your CTO, we might identify the risk of “Application code exploitation.” We’ll record that risk, as well as any controls or external factors which may influence its likelihood.

Next, after some internal discussion, we’ll give the rate of annual occurrence a numerical value, such as 3%. Then, we’ll analyze the range of possible adverse impacts this risk could have on your company and determine a monetary range for these impacts, with a 90% confidence interval.

A 90% “confidence interval” just means that we think there is a 90% chance that a value will fall within a certain range. For instance, I’m 50% confident that a dice roll will land between 2 and 4, and 100% confident it will fall between 1 and 6. We always adjust our predictions until we are 90% confident in their accuracy, because otherwise we aren’t really saying much at all. Unfortunately, we can’t be 100% confident about anything without a magic crystal ball, but 90% strikes a good balance for providing actionable risk information.

The end result looks something like:

“We are 90% confident that there is a 3% chance of your company losing between $10,000 and $500,000 to application code exploitation every year.”

That’s interesting on its own, of course. But it’s a bit difficult to read.

The magic is in what we do with that statement. Since we’ve stuck to using mathematical expressions to express your risk, we can now run a bunch of cool simulations and statistical analyses to build a complete, realistic model of your cybersecurity risk.

Cool simulations and statistical analyses!

Specifically, we have two mathematical models we use to tell you about your cybersecurity risk. 

The first one I call “simple expected annual loss,” because it calculates your… simple expected annual loss from a given cybersecurity incident.

We go through each identified risk and multiply the annual probability of that risk by a slightly modified average of the range of possible values for the adverse impact of the risk to get our expected annual loss value. That got a bit complicated, but we’re essentially just telling you how much you can expect to lose, on average, per year, over time, for each risk. That gives us this nifty table:

Quantitative Risk Assessment Table

As you can see above, each risk has an annual probability and an upper and lower bound for adverse impact. The expected loss is calculated on the far right and each risk is ranked in descending order of severity. This gives you an excellent idea of which risks you should prioritize.

Then, we add up those expected values to give you your expected total annual loss. This number can be used to inform your total security budget as well as how much you want to spend on cyber insurance.

Unfortunately, there are a few important questions that this simple mathematical formula can’t answer. For instance, “How likely am I to lose more than $2,000,000 in a year?” and “What’s the most money I’m likely to lose over an average 10 year period?” Surprisingly, there are no concise mathematical methods for answering these questions. So instead, we run a Monte Carlo simulation!

Monte Carlo Simulation

The purpose of a Monte Carlo simulation is to model a range of random events over a far longer period of time than could ever be observed in reality, so that we can analyze the data and draw conclusions that would be impossible to draw from real experience. We do this by mathematically simulating your organization’s loss over a year 10, 20, or even 100,000 times! We can then say exactly in what percentage of those iterations you lost more than $2,000,000, and voilà! Question answered. We can even put together a graph like this:

Quantitative Risk Assessment Graph

This graph visualizes exactly how bad your risk is in comparison to your risk tolerance, at various dollar amounts. This kind of data is incredibly useful for making rational business decisions and far beyond anything you could learn from a qualitative risk analysis.
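The expected-annual-loss table and the Monte Carlo simulation described above can both be built from the same risk register. The following is an added example written for this article; it is not Fractional CISO's tooling. It assumes (the page does not say) that each loss range is the 5th and 95th percentile of a lognormal distribution, which is the usual way to turn a 90% confidence interval into something you can sample from, and it uses that distribution's mean as the "slightly modified average" in the table. The risk names and figures in the register are constructed for illustration.

```python
"""Added example: expected annual loss table plus a Monte Carlo loss-exceedance
simulation over a constructed risk register (not the article's own tooling)."""
import math
import random
from dataclasses import dataclass

# z-score of the 95th percentile of a standard normal; a 90% CI leaves 5% in each tail.
Z_90 = 1.6449


@dataclass
class Risk:
    name: str
    annual_probability: float  # e.g. 0.03 for "a 3% chance per year"
    low: float                 # lower bound of the 90% CI on loss, in dollars
    high: float                # upper bound of the 90% CI on loss, in dollars

    def lognormal_params(self):
        """Assumption: losses are lognormal and the CI bounds are its 5th/95th percentiles.
        Lognormal is chosen because real losses are skewed toward a few very large values."""
        mu = (math.log(self.low) + math.log(self.high)) / 2
        sigma = (math.log(self.high) - math.log(self.low)) / (2 * Z_90)
        return mu, sigma

    def mean_impact(self):
        """Mean of the lognormal loss: the table's 'slightly modified average'.
        It sits above the geometric mean of the bounds because of the right tail."""
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)

    def expected_annual_loss(self):
        return self.annual_probability * self.mean_impact()


# Constructed sample register; names and numbers are illustrative only.
REGISTER = [
    Risk("Application code exploitation", 0.03, 10_000, 500_000),
    Risk("Phishing leading to payroll fraud", 0.10, 5_000, 120_000),
    Risk("Ransomware outage", 0.05, 50_000, 2_000_000),
    Risk("Lost or stolen laptop", 0.20, 1_000, 25_000),
]


def eal_table(register):
    """Rows of (name, probability, low, high, EAL) ranked by EAL descending, plus the total."""
    rows = sorted(
        ((r.name, r.annual_probability, r.low, r.high, r.expected_annual_loss())
         for r in register),
        key=lambda row: row[4], reverse=True)
    total = sum(row[4] for row in rows)
    return rows, total


def simulate_annual_losses(register, iterations=10_000, seed=0):
    """Monte Carlo: replay one year `iterations` times; return the total loss of each year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(iterations):
        year_loss = 0.0
        for r in register:
            if rng.random() < r.annual_probability:  # did this event happen this year?
                mu, sigma = r.lognormal_params()
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def probability_of_exceeding(totals, threshold):
    """Fraction of simulated years whose total loss was above `threshold`."""
    return sum(1 for t in totals if t > threshold) / len(totals)


def loss_exceedance_curve(totals, thresholds):
    """Points for the article's graph: P(annual loss > x) for each threshold x."""
    return [(x, probability_of_exceeding(totals, x)) for x in thresholds]


def percentile(totals, q):
    """Empirical q-quantile of the simulated annual losses (0 <= q < 1)."""
    ordered = sorted(totals)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


if __name__ == "__main__":
    rows, total = eal_table(REGISTER)
    for name, p, lo, hi, eal in rows:
        print(f"{name:35} {p:5.0%} ${lo:>10,.0f} ${hi:>12,.0f}  EAL ${eal:>10,.0f}")
    print(f"Expected total annual loss: ${total:,.0f}")
    totals = simulate_annual_losses(REGISTER)
    print(f"P(loss > $2,000,000 in a year): {probability_of_exceeding(totals, 2_000_000):.2%}")
    print(f"90th percentile of annual loss: ${percentile(totals, 0.9):,.0f}")
    for x, p in loss_exceedance_curve(totals, [10_000, 100_000, 1_000_000]):
        print(f"P(loss > ${x:,}) = {p:.1%}")
```

The table half ranks risks exactly as the article describes and sums them into the total expected annual loss; the simulation half answers the question the simple formula cannot, by counting how many simulated years crossed the $2,000,000 line. Plotting the loss-exceedance curve against a horizontal risk-tolerance line gives the kind of graph shown above.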

After all of that, we even provide recommendations for mitigating your top risks, essentially making your job of risk mitigation as frictionless as possible. This is all information that you simply couldn’t get from a qualitative risk assessment.

Using the Quantitative Approach to Make Better Security Decisions

I’ve touched on this a bit already, but let’s be clear – a quantitative cybersecurity risk assessment is not just about cool math and pretty graphs. It’s a tool to help you and your company make calculated, rational, and actionable decisions for the sake of your cybersecurity. It does this in a few ways.

First, it quantifies. It is in the name after all. Risk is such an abstract, nebulous concept that it can often feel impossible to wrap your head around. After all, nothing is predictable. An asteroid could hit your headquarters tomorrow! What are you supposed to do about that? And the language we often use to describe risk doesn’t help very much. “High” risk sounds scary. But how much scarier is “High” than “Medium”? And how high is one high compared to another high? And what does any of that actually mean in a business context? Putting a dollar amount on the issue grounds it and helps you avoid irrational costs and an existential crisis. Risk, it turns out, is just another business expense.

Second, it prioritizes. Like we saw in the table above, once your risks are quantified, we can easily prioritize them in a business savvy fashion. Obviously, whichever risk has the highest expected loss is the highest priority. Simple. And if we can’t totally mitigate that risk for whatever reason, we can at least factor in the mitigations we did make to reprioritize it. It’s as simple as re-running the calculations. No more arguing over which risk is more likely or which mitigations cost too much money. Quantitative Risk Assessments make risk management as easy as 1, 2, 3. Literally.

Finally, it communicates. You probably aren’t a cybersecurity expert. Your coworkers probably aren’t cybersecurity experts. Your boss probably isn’t a cybersecurity expert. How on earth are you supposed to start fixing your cybersecurity risks if you don’t even know what they are or what causes them? Well, you may not understand cybersecurity all that well, but everyone understands $. That’s why every Quantitative Risk Assessment communicates its findings in dollars: it is a way of translating from the language of cybersecurity and risk analysis to the universal language of business. It is so much easier to make good decisions when everyone is speaking the same language.


Other good reasons to get a quantitative cybersecurity risk assessment

Starting your cybersecurity program is far from the only reason to get a quantitative risk assessment. No matter how mature your security program is, it is inevitably going to have holes. A risk assessment can help you find and plug those holes before they get out of hand. 

Do you want to work with other risk-conscious companies? Having a risk assessment on hand to show them that you are aware of and taking your cyber risks seriously makes a great first impression. 

Or maybe you have superiors in your company who either don’t understand or don’t care about cybersecurity. Seeing a quantifiable, dollar-amount loss associated with cybersecurity risk is the fastest way for anyone to understand why they need to take cybersecurity seriously.

Summary

When you wanted to predict who was going to win the Super Bowl, you would want to use the highest quality information available, right? Unless otherwise defined, the Chiefs’ “57% Chance” is more informative than the Eagles’ “Medium Chance.” This should help guide your pick to win.

In the same way, quantitative cybersecurity risk assessments enable businesses to make better cybersecurity decisions than traditional cybersecurity risk assessments do. Every organization could improve its security program by implementing a quantitative risk assessment rather than a traditional qualitative one.


Dan Nehrbass
Dan Nehrbass is a former cybersecurity analyst for Fractional CISO. He helped clients meet cybersecurity compliance standards and regulations. Dan graduated with a major in Politics and Law and a minor in Cybersecurity from the University of Texas, San Antonio. Dan is interested in the intersection of law and cybersecurity, has a background in political campaign and county courthouse work, and is Security+ certified.
