Figure 1: Traditional cybersecurity risk matrix
The traditional “likelihood vs. impact” risk matrix is flawed.
First, it leads to frustrating interactions between the security team and senior management. “High” means different things to different people. Second, it can be horribly misleading.
Imagine your organization defines “medium likelihood” as a vulnerability with a likelihood of 10% to 33%. Additionally, your convention for a “medium impact” issue is $100,000 to $1 million. That is a big range of outcomes! In the example of a “medium likelihood, medium impact” issue, the expected value ranges from $10,000 to $333,000. Would your organization handle a vulnerability with a $10,000 expected value the same as one with a $333,000 expected value?
Most organizations would respond differently to two risks whose expected values vary this wildly, yet the matrix gives both the same rating.
The lack of precision is even worse when you think about the “high” impact range. High impact might range from $1 million to the total value of your company (or more)!
To prioritize between two systems that each carry a “high” vulnerability, you have to measure the specific value of each asset. Otherwise, you will treat a vulnerability with a $1 million consequence the same way as one with a $1 billion consequence.
Ordinal scales such as “High, Medium, Low” compress critical pieces of information. This compression can have disastrous results for an organization’s information security program. There has to be a better way…
A Better Way – the Quantitative Cybersecurity Risk Assessment
There is a new trend in cybersecurity to move to a quantitative cybersecurity risk model. When we measure security, we get insights on how to improve it.
These quantitative models measure risk based on a range of impact costs and on likelihood. Quantitative cybersecurity risk assessments use known data, even if it is minimal. The models supplement that data with statistical methods to create a risk model that better represents the real world.
A quantitative risk assessment allows for a transparent discussion. When people have different views, the quantitative risk assessment can help to isolate the key assumption. Then the organization can drive the discussion around the fundamental issues. More often than not, the organization can get on the same page regarding what they should prioritize.
In cases where a fundamental disagreement remains, it is easy to run “what if” scenarios providing a range of outcomes. This analysis can also lead to consensus on an issue. The result is a clear path to resolving an organization’s cybersecurity challenges.
The cybersecurity risk assessment result includes a prioritized list of risks to resolve. Often, the list has a small number of risks, with high impacts associated with them. The organization should select the top two, three or four risks, and focus its cybersecurity investment in these areas. This way, the organization effectively leverages its cybersecurity investment with high impact results.
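As an added example (not part of the original post, and not QuantiShield’s own tooling), the following Python makes two points from this section concrete: the span of expected values hidden in one “medium likelihood, medium impact” cell of the matrix from the example above, and a range-based Monte Carlo estimate that can be re-run for “what if” scenarios and used to rank risks. It assumes a lognormal loss distribution calibrated from a 90% confidence interval, the approach used in How to Measure Anything in Cybersecurity Risk; the risk names and dollar figures are constructed.

```python
import math
import random
import statistics

# Qualitative bands as the article defines them (its 33% taken as one third).
LIKELIHOOD_BANDS = {"low": (0.0, 0.10), "medium": (0.10, 1 / 3), "high": (1 / 3, 1.0)}
IMPACT_BANDS = {"low": (0, 100_000), "medium": (100_000, 1_000_000),
                "high": (1_000_000, 1_000_000_000)}  # constructed upper bound


def expected_value_range(likelihood, impact):
    """Lowest and highest expected annual loss one matrix cell can hide."""
    p_lo, p_hi = LIKELIHOOD_BANDS[likelihood]
    i_lo, i_hi = IMPACT_BANDS[impact]
    return p_lo * i_lo, p_hi * i_hi


def simulate_annual_loss(probability, ci_low, ci_high, trials=20_000, seed=1):
    """Monte Carlo annual loss for one risk. Per trial the event occurs with
    `probability`; if so the loss is drawn from a lognormal whose 90% confidence
    interval is [ci_low, ci_high] (calibrated-estimate method, assumed here)."""
    rng = random.Random(seed)
    mu = (math.log(ci_low) + math.log(ci_high)) / 2
    sigma = (math.log(ci_high) - math.log(ci_low)) / (2 * 1.645)  # z for a 90% CI
    losses = sorted(rng.lognormvariate(mu, sigma) if rng.random() < probability else 0.0
                    for _ in range(trials))
    return {"mean": statistics.fmean(losses),
            "p90": losses[int(0.9 * trials)],
            "p_over_1m": sum(1 for loss in losses if loss > 1_000_000) / trials}


def rank_risks(risks):
    """Order risks by simulated mean annual loss; risks maps name -> (p, ci_low, ci_high)."""
    scored = {name: simulate_annual_loss(*params)["mean"] for name, params in risks.items()}
    return sorted(scored, key=scored.get, reverse=True)


if __name__ == "__main__":
    # Two "medium/medium" findings can differ over 30x in expected loss: (10000.0, 333333.3...)
    print(expected_value_range("medium", "medium"))
    risks = {  # constructed: (annual probability, 90% CI low, 90% CI high) in dollars
        "ransomware outage": (0.10, 1_000_000, 10_000_000),
        "vpn appliance breach": (0.20, 200_000, 3_000_000),
        "laptop theft": (0.25, 20_000, 150_000),
    }
    for name in rank_risks(risks):
        print(name, simulate_annual_loss(*risks[name]))
    # "What if" scenario: a control that halves the ransomware probability.
    base = simulate_annual_loss(*risks["ransomware outage"])["mean"]
    improved = simulate_annual_loss(0.05, 1_000_000, 10_000_000)["mean"]
    print(f"expected annual loss avoided: ${base - improved:,.0f}")
```

Replacing the point estimate in the what-if comparison with the full distribution (p90, tail probability) is what lets a disagreement be narrowed to a single assumption rather than argued over a label.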
You told me there wouldn’t be math on the test!
It turns out that a good cybersecurity risk assessment requires math. It’s okay because the risk assessment tool takes care of the math for you. It lets you put the business needs first.
You need to understand your assets’ value for a quality cybersecurity risk assessment. The business value of the assets is one thing that many risk assessments miss. They miss the most important element! When we have reviewed other risk assessments, we have found a focus on technical controls. A controls-focused risk assessment often has good data. But it does not provide the organization with the value that it needs to make good decisions.
We, at Fractional CISO, base our methodology on industry-proven methods. The Factor Analysis of Information Risk (FAIR) process is a great one. Well, a great one for large companies. It provides a systematic way to measure risk. Unfortunately, these cybersecurity risk assessments can cost hundreds of thousands of dollars. There are other methods, like the one in How to Measure Anything in Cybersecurity Risk. This is a terrific framework. It does not, however, have the disciplined vocabulary or classification system of FAIR. At Fractional CISO, we blend the best of both into the QuantiShield cybersecurity risk assessment.
QuantiShield is cost-effective for medium-sized businesses. It follows a classification system similar to FAIR’s for a disciplined method. QuantiShield provides our medium-sized clients with a top-notch cybersecurity risk assessment. Our clients can measurably reduce their risk.
Getting started with a quantitative cybersecurity risk assessment is easy. The risk assessment starts with a series of interviews and document exchanges. The assessor asks questions about your organization’s business goals, key assets and “what if” scenarios. The assessor also evaluates the consequences of losing information. Another key piece is learning what happens when systems or services are down for an extended period of time.
Once the assessor understands the value of the assets, data and systems, the next step is to evaluate the organization’s processes and controls. Soon enough, the assessor has a risk model, and a report, that can help drive positive change in your organization.
Are you interested in learning more about quantitative cybersecurity risk assessments? If so, we can be reached at (617) 658-3276 and our email is email@example.com. We’ll be happy to help you get on a path to better cybersecurity decision making. We will provide qualified prospects with our complimentary quantitative cybersecurity risk assessment sample for you to get started with your risk management program.