In this video from the 2018 FAIR Conference, Steve Reznik (Director, Operational Risk Management) and Marta Palanques (Director, Enterprise Risk Management) at ADP, one of the most advanced quantitative cyber risk management shops, show how to identify and track key risk indicators (KRIs) over time to judge the real success of your information risk management efforts.
As Marta says, “You can’t be running simulations every day. That’s not practical or useful…KRIs should be helping you figure out if anything has significantly changed since the last time you made a decision, for good and for bad.”
Steve and Marta warn against confusing KRIs with other cybersecurity metrics such as counts of unpatched servers, audited vendors or a NIST CSF efficacy level. A KRI should be tied directly to your loss exposure: when you adjust that factor up or down in the FAIR model, you should see the potential loss exposure change.
ADP uses the RiskLens Cyber Risk Quantification Platform for FAIR analysis, and the pair demonstrated a case study that used the platform’s Sensitivity Analysis function to tweak individual factors and observe the effect on a baseline loss exposure. For instance, in their case a one percent decrease in vulnerability reduced loss exposure by the same amount as responding to an incident 10% faster.
“Sometimes this is eye opening in what is the best strategy to reduce a particular risk,” says Marta. “At the end of the day, the question is which of these risk factors could put you above your tolerance line and those are the ones you want to report on” – your cybersecurity KRIs.
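The sensitivity and tolerance-line idea described above, as an added illustration that is not ADP’s analysis or RiskLens code: a constructed single-point FAIR-style model (loss exposure = threat event frequency × vulnerability × loss magnitude, with loss magnitude assumed to grow with response time) is perturbed one factor at a time to see which factors save the most when improved and which would breach a tolerance if they drifted. All factor values, the tolerance and the linear response-time cost are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class FairFactors:
    """Constructed FAIR-style inputs; point values stand in for distributions."""
    tef: float             # threat event frequency, events per year
    vulnerability: float   # probability a threat event becomes a loss event
    response_hours: float  # hours to contain an incident once it starts
    fixed_loss: float      # loss per incident independent of duration (USD)
    loss_per_hour: float   # assumed loss accrued per hour until containment (USD)


# Factors that drift over time and are candidates for tracking as KRIs.
DRIFTING = ("tef", "vulnerability", "response_hours")


def loss_exposure(f: FairFactors) -> float:
    """Annualized loss exposure = loss event frequency x loss magnitude."""
    lef = f.tef * f.vulnerability
    loss_magnitude = f.fixed_loss + f.response_hours * f.loss_per_hour
    return lef * loss_magnitude


def sensitivity(base: FairFactors, pct: float) -> Dict[str, float]:
    """Exposure reduction when each factor alone improves by pct (e.g. 0.10)."""
    baseline = loss_exposure(base)
    result = {}
    for name in DRIFTING:
        improved = replace(base, **{name: getattr(base, name) * (1 - pct)})
        result[name] = baseline - loss_exposure(improved)
    return result


def key_risk_indicators(base: FairFactors, tolerance: float, drift: float) -> List[str]:
    """Factors whose worsening by drift alone would push exposure above tolerance."""
    kris = []
    for name in DRIFTING:
        worse = replace(base, **{name: getattr(base, name) * (1 + drift)})
        if loss_exposure(worse) > tolerance:
            kris.append(name)
    return kris


# Constructed baseline: 10 threat events/year, 30% succeed, 48h to contain.
BASELINE = FairFactors(tef=10, vulnerability=0.30, response_hours=48,
                       fixed_loss=100_000, loss_per_hour=2_000)

if __name__ == "__main__":
    print(f"baseline exposure: {loss_exposure(BASELINE):,.0f}")
    for name, saved in sensitivity(BASELINE, 0.10).items():
        print(f"  10% better {name:15s} saves {saved:,.0f}")
    print("KRIs at 10% drift vs 640k tolerance:",
          key_risk_indicators(BASELINE, 640_000, 0.10))
```

With these inputs a 10% improvement in frequency or vulnerability saves about twice what a 10% faster response does, and only frequency and vulnerability can breach the 640k tolerance on a 10% drift, so those are the factors to report on.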
Marta and Steve will be presenting on using FAIR to uncover KRIs at the upcoming RSA Conference.