Are your risk analyses suffering from scope creep, uncooperative SMEs, unbelievable results? Or are you just looking to make your well-oiled quantitative risk analysis process run even more smoothly? Well, the risk doctors are in, with tips drawn from our FAIR Institute blog posts.
Setting Up a Risk Analysis
1. Keep the risk scenario statement simple. The starting point for any FAIR™ analysis is a statement that describes a loss event as a threat actor impacting an asset. Best practice is to keep it simple and direct, as in “Analyze the risk associated with malicious external actors breaching the confidentiality of sensitive company data accessible on a lost/stolen mobile device.” Blog Post: How to Clearly Define a Risk Scenario Statement
2. Understand how your organization makes and loses money so your risk scenario and the resulting analysis fulfill a real business need. Read more.
3. Focus on the most probable loss events, not the merely possible, in defining your scenario. Read more.
Learn about FAIR training. Contact the FAIR Institute’s FAIR Enablement Specialists team.
Collecting and Crunching Data for Risk Analysis
4. Stick to the scope of your risk scenario. You’re going to run your risk scenario statement through a roadshow, collecting data from subject matter experts, and you’ll need to keep them on point. Write the statement in your emailed meeting requests and, at meeting time, write it on a whiteboard in view of all the participants. Blog post: 4 Rules for a Successful Quantitative Cyber Risk Analysis
5. Never leave a data gathering session without getting an estimate (in a range) from the SME for the relevant factor of the FAIR model (strength of controls, response cost or whatever). Keep the momentum going. You can always refine the range later. Read more.
6. Conduct research and data gathering at a high level to avoid diminishing returns. Remember, the goal in FAIR is “accuracy with a useful level of precision.” Read more.
Completing and Presenting Risk Analysis
7. QA analysis results with common sense. Yes, FAIR can produce surprising results when assumptions about risk exposure come up against quantitative risk analysis. But don’t blindly love the numbers. If the calculations are forecasting several times the organization’s financial capacity for loss, go back and check your data. Blog Post: Common Sense: The Underrated Skill in FAIR Analysis
8. Disclose your confidence level. You will run into situations where you can’t get good data, and you should be up front about that in the rationale that records the details of your analysis. FAIR analysis accounts for low confidence by producing wide, flat distributions of results in Monte Carlo simulation, reflecting that the estimates were given in wide ranges. Read more.
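To make the point in tips 5 and 8 concrete, here is a small Monte Carlo simulation added for this post; it is not the FAIR Institute’s tooling or code from any linked article. It assumes each SME estimate arrives as a (low, most likely, high) range, models that range with a PERT distribution, draws the number of loss events per simulated year from a Poisson distribution, and sums the per-event loss magnitude into an annualized loss exposure. The two input ranges are constructed sample values. Running it shows that the wide (low-confidence) ranges produce a much flatter result distribution, visible as a larger gap between the 10th and 90th percentiles.

```python
import math
import random
import statistics

PERT_LAMBDA = 4  # conventional shape parameter for the modified PERT distribution


def pert_sample(rng, low, mode, high, lam=PERT_LAMBDA):
    """Draw one value from a PERT distribution bounded by [low, high] with the given mode."""
    if not (low <= mode <= high):
        raise ValueError("expected low <= mode <= high")
    if high == low:
        return low  # degenerate range: the SME gave a point estimate
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def sample_range(low, mode, high, n=1000, seed=0):
    """Draw n PERT samples from one (low, mode, high) estimate; useful for sanity checks."""
    rng = random.Random(seed)
    return [pert_sample(rng, low, mode, high) for _ in range(n)]


def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small annual event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_ale(lef_range, lm_range, iterations=10_000, seed=42):
    """Monte Carlo of annualized loss exposure (ALE).

    lef_range: (low, mode, high) loss event frequency in events per year.
    lm_range:  (low, mode, high) loss magnitude per event in currency units.
    Returns one simulated annual loss total per iteration.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        lef = pert_sample(rng, *lef_range)        # this year's expected event rate
        events = poisson(rng, lef)                # how many events actually occur
        loss = sum(pert_sample(rng, *lm_range) for _ in range(events))
        results.append(loss)
    return results


def summarize(results):
    """Percentile summary of a result set; p90 - p10 is a simple width measure."""
    q = statistics.quantiles(results, n=100)
    return {
        "mean": statistics.fmean(results),
        "p10": q[9],
        "p50": q[49],
        "p90": q[89],
        "spread": q[89] - q[9],
    }


# Constructed sample estimates (not from any real analysis):
# a confident SME versus one who could only give a very wide range.
NARROW_LEF, NARROW_LM = (0.5, 1.0, 1.5), (80_000, 100_000, 120_000)
WIDE_LEF, WIDE_LM = (0.1, 1.0, 5.0), (10_000, 100_000, 1_000_000)


def compare_confidence(iterations=10_000, seed=42):
    """Return summaries for the narrow and wide estimates under the same seed."""
    return {
        "narrow": summarize(simulate_ale(NARROW_LEF, NARROW_LM, iterations, seed)),
        "wide": summarize(simulate_ale(WIDE_LEF, WIDE_LM, iterations, seed)),
    }


if __name__ == "__main__":
    for label, s in compare_confidence().items():
        print(f"{label:6s} mean={s['mean']:>12,.0f} p10={s['p10']:>12,.0f} "
              f"p50={s['p50']:>12,.0f} p90={s['p90']:>12,.0f} spread={s['spread']:>12,.0f}")
```

The spread figure is what to report alongside the numbers: a wide spread is the analysis honestly saying "the data was thin," and tightening it later means going back to the SME for a narrower range, not editing the output.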
9. When presenting results, know your audience. Are you speaking to a CIO or CFO or a board member? Have they seen quantitative cyber risk in action before or are they used to hearing about risk in general, high/medium/low terms? Adjust accordingly. You may want to show off your dazzling analysis work, but remember, the presentation is about them, not you. Read more.