Download now: Understanding Cyber Risk Quantification: A Buyer’s Guide
FAIR Institute Contributing Membership required to download. Join now!
Watch Jack Jones discuss the Buyer’s Guide in a webinar on demand (FAIR Institute Contributing Membership required). Watch now!
“Industry Data”
Some CRQ providers claim that the data applied in their cyber risk analysis is similar to the actuarial data used in mature insurance domains like property and casualty or life. “The bottom line is that although the availability of data is slowly improving, it’s a long way from being anywhere near the quality of standard insurance actuarial data,” Jack writes, and “if improperly applied, even decent industry data can generate unreliable risk measurements.”
“Eliminate Guessing”
Vendors may claim that their solutions “eliminate guessing,” meaning their algorithms have eliminated the need for judgments by your subject matter experts, for instance on the scope of risk analyses or the ranges of data inputs. Remember that automating analysis shifts those judgments from your organization to the algorithm, and “you should dig very deeply into how they fulfill that promise because this is where shortcuts and gross errors occur,” Jack writes.
Proprietary Algorithms
Simplistic Aggregation
For an overall picture of risk, some solutions just add up the loss exposures from multiple risk scenario analyses, without accounting for overlaps or dependencies among scenarios, with predictably unreliable results.
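To make the aggregation problem concrete, here is an added example (not from the Buyer's Guide or any vendor's product) that simulates two loss scenarios twice: once with independent events and once with a shared driver that triggers both in the same year. The event probability, loss distribution and trial count are constructed assumptions; each scenario's own distribution is identical in both runs, so a plain add-up of per-scenario figures cannot tell the two cases apart, while the simulated total can.

```python
import math
import random

# Constructed parameters (assumptions, not from the guide): two scenarios,
# each with a 10% annual chance of a loss event and a lognormal loss
# magnitude with a median of $1M.
P_EVENT = 0.10
MU, SIGMA = math.log(1_000_000), 1.0
TRIALS = 200_000


def percentile(values, q):
    """Empirical q-quantile (0 < q < 1) using the nearest-rank method."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def simulate(dependent, seed=1):
    """Return per-year losses for scenario A, scenario B and their total.

    dependent=False: the two events occur independently of each other.
    dependent=True: one shared driver triggers both events in the same year.
    Each scenario's own loss distribution is identical in both modes.
    """
    rng = random.Random(seed)
    a, b = [], []
    for _ in range(TRIALS):
        u_a = rng.random()
        u_b = u_a if dependent else rng.random()
        a.append(rng.lognormvariate(MU, SIGMA) if u_a < P_EVENT else 0.0)
        b.append(rng.lognormvariate(MU, SIGMA) if u_b < P_EVENT else 0.0)
    total = [x + y for x, y in zip(a, b)]
    return a, b, total


def compare(q=0.99):
    """Naive sum of per-scenario percentiles vs. percentiles of the total."""
    a, b, total_ind = simulate(dependent=False)
    _, _, total_dep = simulate(dependent=True)
    return {
        "naive_sum": percentile(a, q) + percentile(b, q),
        "independent": percentile(total_ind, q),
        "dependent": percentile(total_dep, q),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:12s} 99th percentile annual loss: ${value:,.0f}")
```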
Spreadsheets
Nothing is inherently wrong with using spreadsheets for cyber risk quantification, Jack writes, as long as the analyst understands the limitations, such as the lack of secure data storage, potential miscalculations as spreadsheets are used over time, accidental alterations to formulas and other hazards.
In Conclusion...Look for these 3 Hallmarks of Good CRQ Solutions: