The creator of Factor Analysis of Information Risk (FAIR™), the standard for cyber risk quantification (CRQ), and an honored thought leader in cybersecurity, Jack Jones has written the definitive guide to the wide range of tools and processes available to cyber risk managers looking for quantitative solutions.
Here’s a sampling – Jack’s assessment of the merits and limitations of three popular approaches: Security ratings presented like credit scores, maturity models and threat analysis.
(Get some background in What Is Cyber Risk Quantification (CRQ)? a blog post by Jack.)
Credit-like Scoring of Cybersecurity Posture
Consistent results make this the most reliable means of benchmarking organizations against each other and evaluating third parties for security, and these ratings can be excellent at identifying missing controls. Boards and non-technical managers like the simplicity of the scores.
These security ratings don’t measure risk and may be misleading: A score of 742 implies less risk than a score of 581 but we don’t know how much less. The precision of the ordinal numbers doesn’t account for the inevitable uncertainty in the underlying data. Finally, these solutions typically only have access to internet-facing data (SSL certificates, scan results, traffic analysis, etc.), an incomplete picture.
Maturity Model Assessments
Score an organization’s level of compliance with a checklist of specific processes within a risk management program, based on CMMI or another formal model.
If well-designed, these models can identify deficiencies and track program progress over time.
A maturity assessment does not describe how much risk an organization has, and the numeric scales used to represent maturity don’t count as cyber risk quantification or offer the benefits of CRQ, such as prioritizing risks for treatment based on loss exposure.
Threat Analysis Models Such as DREAD and STRIDE
Formal models to evaluate an organization’s threat landscape.
Highly valuable for identifying and mitigating vulnerable conditions in software, technology architecture and processes. They also provide useful data on threat event frequency and threat actor capability for FAIR analysis.
Because they focus on threat, vulnerability, and particularly external attacks, these solutions often miss other critical risk factors, such as human error (a data breach caused by a misdirected email, for instance). And like so many other solutions in the marketplace, they generate numeric scores that shouldn’t be mistaken for cyber risk quantification.
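The distinction the post draws twice, first for credit-like ratings and again for DREAD-style scores, is that an ordinal number tells you which scenario ranks higher but not how much loss exposure separates them. The added example below is not from Jack's guide or from the FAIR standard; it is illustrative code that contrasts a DREAD-style tally (five 1-to-10 ratings averaged) with a deliberately simplified loss-exposure estimate (sampled annual event frequency times sampled per-event loss). The two scenarios, their ratings and their ranges are constructed for the example, and the simulation is a toy, not the FAIR model itself.

```python
import random
import statistics

# Constructed scenarios (hypothetical values, not from the post or from FAIR):
# each carries an ordinal DREAD-style rating set and a loss-exposure range.
SCENARIOS = {
    "misdirected email exposing customer records": {
        # damage, reproducibility, exploitability, affected users, discoverability
        "dread": (6, 3, 3, 5, 2),
        "events_per_year": (0.5, 2.0),      # assumed min/max annual frequency
        "loss_per_event": (100_000, 600_000),  # assumed min/max loss in currency units
    },
    "defacement of a public marketing microsite": {
        "dread": (7, 9, 9, 8, 9),
        "events_per_year": (0.2, 1.0),
        "loss_per_event": (5_000, 40_000),
    },
}


def dread_score(ratings):
    """Ordinal DREAD-style tally: the mean of five 1..10 ratings. Higher ranks 'worse',
    but the number carries no loss magnitude and no statement of uncertainty."""
    if len(ratings) != 5 or any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD takes exactly five integer ratings in 1..10")
    return sum(ratings) / 5


def annualized_loss_exposure(events_per_year, loss_per_event, trials=20_000, seed=1):
    """Simplified loss-exposure estimate (toy, not the FAIR method): draw an annual
    event frequency and a per-event loss uniformly from their ranges, multiply, and
    summarize the resulting distribution with a mean and a 10th/90th percentile band."""
    rng = random.Random(seed)
    lo_f, hi_f = events_per_year
    lo_m, hi_m = loss_per_event
    samples = [rng.uniform(lo_f, hi_f) * rng.uniform(lo_m, hi_m) for _ in range(trials)]
    samples.sort()
    return {
        "mean": statistics.fmean(samples),
        "p10": samples[int(0.10 * trials)],
        "p90": samples[int(0.90 * trials)],
    }


def rank_by_dread():
    """Scenario names ordered from highest to lowest DREAD score."""
    return sorted(SCENARIOS, key=lambda n: dread_score(SCENARIOS[n]["dread"]), reverse=True)


def rank_by_exposure():
    """Scenario names ordered from highest to lowest mean annualized loss exposure."""
    exposures = {
        n: annualized_loss_exposure(s["events_per_year"], s["loss_per_event"])["mean"]
        for n, s in SCENARIOS.items()
    }
    return sorted(exposures, key=exposures.get, reverse=True)


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        ale = annualized_loss_exposure(s["events_per_year"], s["loss_per_event"])
        print(f"{name}: DREAD {dread_score(s['dread']):.1f}, "
              f"exposure mean {ale['mean']:,.0f} (p10 {ale['p10']:,.0f}, p90 {ale['p90']:,.0f})")
    print("ranked by DREAD:   ", rank_by_dread())
    print("ranked by exposure:", rank_by_exposure())
```

Running it shows the two rankings disagree: the microsite scenario wins on the ordinal tally because it is easy to reproduce and discover, while the human-error scenario dominates on loss exposure because its event frequency and per-event loss ranges are far larger. The p10/p90 band is the piece an ordinal score cannot express, which is the post's point about precision versus uncertainty.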