Read the entire blog post series on automating cyber risk quantification.
Sources of data that can be used to support CRQ include, but aren’t limited to:
Clearly, this list is not comprehensive. The point is that data are available to support CRQ, hypothetically even automated CRQ. There is, however, a caveat: the model needs to apply the data appropriately. As I said earlier, this is the thorniest problem of all, especially with controls data.
So, can CRQ be automated? Yes, if:
If you can’t check all three of those boxes, then analysis results will not be accurate at scale. And don’t fall victim to the misperception that, “Well, the numbers are close enough.” Sometimes they may be, but many times they won’t be, and you won’t know which is which.
With that in mind, one of the challenges potential buyers face is validating the numbers they see in a product demo. After all, it’s very easy to cherry-pick analyses that demonstrate reasonable-looking results. That is a topic I’ll address in a future blog post.
In the meantime, everyone needs to keep in mind that CRQ is a new discipline and market. Consequently, it’s easy for solution providers to dive into the deep end without understanding some of the important but subtle difficulties of the problem space. It’s also easy for potential customers to be bedazzled by eye candy and good marketing stories, all the while trusting that vendors have done their homework. But vendors have a responsibility to do no harm, and buyers have a responsibility to be very skeptical of “Easy Buttons” in new disciplines like CRQ that can lead to poor decisions — at scale.
Read Jack’s Buyer’s Guide for Cyber Risk Quantification