Figure 1: Traditional cybersecurity risk matrix
The traditional “likelihood vs. impact” risk matrix is flawed.
First, it leads to frustrating interactions between the security team and senior management. “High” means different things to different people. Second, it can be horribly misleading.
Imagine your organization defines “medium likelihood” as a vulnerability with a likelihood of 10% to 33%. Additionally, your convention for a “medium impact” issue is $100,000 to $1 million. That is a big range of outcomes! In the example of a “medium likelihood, medium impact” issue, the expected value ranges from $10,000 to $333,000. Would your organization handle a vulnerability with a $10,000 expected value the same as one with a $333,000 expected value?
Most organizations would respond to those two risks very differently, yet the risk assessment reports both with the same "medium likelihood, medium impact" rating.
The lack of precision is even worse when you think about the “high” impact range. High impact might range from $1 million to the total value of your company (or more)!
To prioritize between two systems that both carry a "high" vulnerability, you have to measure the specific value of each asset. Otherwise, you will treat a vulnerability with a $1 million consequence the same way as one with a $1 billion consequence.
Qualitative scales such as "High, Medium, Low" compress critical information. This compression can have disastrous results for an organization's information security program. There has to be a better way…
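To make the compression concrete, here is an added Python example (not code from the original article) that bins quantified risks into the matrix cells and reports the expected-value range each cell conceals. Only the "medium" boundaries come from the text; the "low" and "high" bin boundaries and the two sample risks are constructed placeholders.

```python
"""Expected-value spread hidden inside one cell of a qualitative risk matrix.

Added example; not code from the original article. The "medium" bins are the
ones the article states (10%-33% likelihood, $100,000-$1,000,000 impact); the
"low" and "high" bin boundaries are constructed placeholders for illustration.
A value belongs to a bin when low < value <= high.
"""

# Likelihood bins as annual probability ranges (low bound exclusive, high inclusive).
LIKELIHOOD_BINS = [
    ("low", 0.0, 0.10),      # constructed placeholder
    ("medium", 0.10, 0.33),  # from the article
    ("high", 0.33, 1.0),     # constructed placeholder
]

# Impact bins in dollars per event.
IMPACT_BINS = [
    ("low", 0.0, 100_000),                # constructed placeholder
    ("medium", 100_000, 1_000_000),       # from the article
    ("high", 1_000_000, 10_000_000_000),  # constructed placeholder ("total value of the company")
]


def _bin_for(value, bins):
    """Return the label of the bin containing value, or raise if it is out of range."""
    for label, low, high in bins:
        if low < value <= high:
            return label
    raise ValueError(f"{value} is outside every bin")


def classify(probability, impact_dollars):
    """Map a quantified risk to the (likelihood, impact) cell of the matrix."""
    return (_bin_for(probability, LIKELIHOOD_BINS), _bin_for(impact_dollars, IMPACT_BINS))


def _bounds(label, bins):
    """Numeric (low, high) boundaries of a labelled bin."""
    for name, low, high in bins:
        if name == label:
            return low, high
    raise KeyError(label)


def expected_value_range(likelihood_label, impact_label):
    """Smallest and largest expected annual loss that still lands in this cell."""
    p_low, p_high = _bounds(likelihood_label, LIKELIHOOD_BINS)
    i_low, i_high = _bounds(impact_label, IMPACT_BINS)
    return (p_low * i_low, p_high * i_high)


def spread_factor(likelihood_label, impact_label):
    """How many times larger the top of the cell's expected value is than the bottom."""
    low, high = expected_value_range(likelihood_label, impact_label)
    return float("inf") if low == 0 else high / low


def matrix_report():
    """One row per cell: labels, expected-value range and spread factor."""
    rows = []
    for l_label, _, _ in LIKELIHOOD_BINS:
        for i_label, _, _ in IMPACT_BINS:
            low, high = expected_value_range(l_label, i_label)
            rows.append((l_label, i_label, low, high, spread_factor(l_label, i_label)))
    return rows


def same_cell(risk_a, risk_b):
    """True when two (probability, impact) risks receive the identical rating."""
    return classify(*risk_a) == classify(*risk_b)


if __name__ == "__main__":
    # Two constructed risks that the matrix rates identically
    cheap = (0.11, 110_000)     # expected value $12,100
    costly = (0.33, 1_000_000)  # expected value $330,000
    print("both medium/medium:", same_cell(cheap, costly))
    for row in matrix_report():
        print("%-6s %-6s $%14.0f .. $%14.0f  (x%.0f)" % row)
```

Run it and the medium/medium row shows a 33x spread between the cheapest and most expensive risk the cell can hold; the cells bordering "low" have no lower bound at all, which is the compression the text describes.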
A Better Way
There is a new trend in cybersecurity to move to a quantitative cybersecurity risk model. When we measure security, we get insights on how to improve it.
These quantitative models measure risk based on a range of impact costs and on likelihood. Quantitative cybersecurity risk assessments use known data, even if it is minimal. The models supplement the data with statistical algorithms to create a risk model that better represents the real world.
A quantitative risk assessment allows for a transparent discussion. When people have different views, the quantitative risk assessment can help to isolate the key assumption. Then the organization can drive the discussion around the fundamental issues. More often than not, the organization can get on the same page regarding what they should prioritize.
In cases where a fundamental disagreement remains, it is easy to run “what if” scenarios providing a range of outcomes. This analysis can also lead to consensus on an issue. The result is a clear path to resolving an organization’s cybersecurity challenges.
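The following added Python example (not the article's own model) shows what such a quantitative model looks like in practice: each risk is an annual event probability plus a 90% confidence interval for the loss per event, a Monte Carlo simulation turns that into a distribution of annual losses, a "what if" scenario scales the inputs a control would change, and the risks are ranked by simulated expected loss. The lognormal mapping of the interval is an assumption of this example, and every risk in the register is constructed sample input.

```python
"""Quantitative risk model with "what if" scenarios, via Monte Carlo simulation.

Added example; not the article's own model. Each risk is described by an annual
event probability and a 90% confidence interval for the loss per event; the
interval is mapped to a lognormal distribution (a common choice in quantitative
risk methods; the mapping used here is an assumption of this example). All
risk parameters below are constructed sample inputs.
"""
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.645  # z-score for a two-sided 90% interval


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the loss event occurs in a given year
    loss_low: float            # 5th percentile of loss per event, dollars
    loss_high: float           # 95th percentile of loss per event, dollars

    def lognormal_params(self):
        """(mu, sigma) of the lognormal whose 5th/95th percentiles match the interval."""
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * Z90)
        return mu, sigma

    def analytic_expected_loss(self):
        """Closed-form expected annual loss, used to sanity-check the simulation."""
        mu, sigma = self.lognormal_params()
        return self.annual_probability * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_losses(risk, trials=20_000, seed=1):
    """Return one simulated annual loss per trial (0 when no event occurs)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = risk.lognormal_params()
    losses = []
    for _ in range(trials):
        if rng.random() < risk.annual_probability:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def summarize(losses, tolerance=None):
    """Mean, 90th percentile, chance of any loss, and chance of exceeding tolerance."""
    ordered = sorted(losses)
    n = len(ordered)
    summary = {
        "mean": sum(ordered) / n,
        "p90": ordered[min(n - 1, int(0.9 * n))],
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }
    if tolerance is not None:
        summary["p_exceeds_tolerance"] = sum(1 for x in ordered if x > tolerance) / n
    return summary


def what_if(risk, probability_factor=1.0, impact_factor=1.0):
    """Scenario copy of a risk: scale the event probability and/or the loss interval."""
    return replace(
        risk,
        annual_probability=min(1.0, risk.annual_probability * probability_factor),
        loss_low=risk.loss_low * impact_factor,
        loss_high=risk.loss_high * impact_factor,
    )


def prioritize(risks, trials=20_000, seed=1):
    """Risk names ordered by simulated mean annual loss, highest first."""
    scored = [(summarize(simulate_annual_losses(r, trials, seed))["mean"], r.name) for r in risks]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    # Constructed sample risk register
    register = [
        Risk("phishing-led account takeover", 0.20, 100_000, 1_000_000),
        Risk("lost laptop with customer data", 0.05, 10_000, 100_000),
        Risk("ransomware on core systems", 0.10, 1_000_000, 10_000_000),
    ]
    print("priority order:", prioritize(register))
    base = register[0]
    print("baseline:", summarize(simulate_annual_losses(base), tolerance=500_000))
    # "What if" the control under debate halves the event probability?
    scenario = what_if(base, probability_factor=0.5)
    print("with control:", summarize(simulate_annual_losses(scenario), tolerance=500_000))
```

The design choice that matters for the discussion the text describes is that every disputed input is an explicit number: if two people disagree about whether a control halves or merely trims the event probability, they run `what_if` with both factors and compare the resulting loss distributions instead of arguing over whether the risk is "high" or "medium".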
The cybersecurity risk assessment result includes a prioritized list of risks to resolve. Often, the list has a small number of risks with high impacts associated with them. The organization should select the top two, three or four risks and focus its cybersecurity investment on these areas. This way, the organization gets high-impact results from its cybersecurity investment.
Getting started with a quantitative cybersecurity risk assessment is easy. The risk assessment starts with a series of interviews and document exchanges. The assessor asks questions about your organization's business goals, key assets and "what if" scenarios. The assessor also evaluates the consequences of losing information. Another key piece is learning what happens when systems or services are down for an extended period of time.
Once the assessor understands the value of the assets, data and systems, the next step is to evaluate the organization’s processes and controls. Soon enough, the assessor has a risk model, and a report, that can help drive positive change in your organization.
Are you interested in learning more about quantitative cybersecurity risk assessments? If so, contact us at Fractional CISO. We’ll be happy to help you get on a path to better cybersecurity decision making.