5 More Red Flags when Evaluating a Cyber Risk Quantification Provider (CRQ Buyer’s Guide)

Red Flag 2 - CRQ Buyers GuideDon’t sign up for a cyber risk quantification solution before reading the definitive consumers report on the CRQ marketplace by Jack Jones, creator of Factor Analysis of Information Risk (FAIR™). Jack breaks down all the claims that you’ll hear from vendors in this increasingly crowded field in clear and non-technical language and gives advice to find a solution that doesn’t just quantify but provides reliable guidance for business decision-making.  Here are five buyer-beware categories – and read about six other red flags for CRQ shoppers in another blog post.

Download now: Understanding Cyber Risk Quantification: A Buyer’s Guide 

FAIR Institute Contributing Membership required to download. Join now!

Watch Jack Jones discuss the Buyer’s Guide in a webinar on demand (FAIR Institute Contributing Membership required). Watch now!

“Industry Data”

Some CRQ providers claim that the data applied in their cyber risk analysis is similar to the actuarial data used in mature insurance domains like property and casualty or life. “The bottom line is that although the availability of data is slowly improving, it’s a long way from being anywhere near the quality of standard insurance actuarial data,” Jack writes and “if improperly applied, even decent industry data can generate unreliable risk measurements.”

“Eliminate Guessing” 

Vendors may claim that their solutions “eliminate guessing,” meaning their algorithms have eliminated the need for judgments by your subject matter experts, for instance on the scope of risk analyses or the ranges of data inputs. Remember that automating analysis shifts those judgements from your organization to the algorithm and “you should dig very deeply into how they fulfill that promise because this is where shortcuts and gross errors occur,” Jack writes.

Proprietary Algorithms

CRQ Buyers Guide 3Jack’s creation, Factor Analysis of Information Risk (FAIR™), is an open, standard methodology that’s been validated by The Open Group, a worldwide organization for cyber risk and security professionals. The NIST Cybersecurity Framework lists FAIR as an “informative reference” for risk assessment and risk management strategy. Proprietary (or “black box”) models from vendors are neither of those things. They may be as good as FAIR – but how would you know and more importantly how could you explain them to your stakeholders?


Simplistic Aggregation

For an overall picture of risk, some solutions just add up the loss exposures from multiple risk scenario analyses, without accounting for overlaps or dependencies among scenarios, with predictably unreliable results. 


Nothing is inherently wrong with using spreadsheets for cyber risk quantification, Jack writes, as long as the analyst understands the limitations, such as no secure data storage, potential miscalculation as spreadsheets are used over time, accidental alterations in formulas and more hazards.

In Conclusion...Look for these 3 Hallmarks of Good CRQ Solutions:

  • Clear scoping of loss event scenarios
  • A well-designed and validated analytic model  
  • Appropriate use of data

Download now: Understanding Cyber Risk Quantification: A Buyer’s Guide 

FAIR Institute Contributing Membership required to download. Join now!

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37