Launching Your Cyber-Risk Quantification Journey with Confidence

Cyber Risk Quantification (CRQ) is a process that helps organizations to measure and manage their information security risks in monetary values to determine which risks to focus on first, where to allocate cybersecurity resources and to understand how cyber risk specifically affects potential revenue, profit, and other measures of financial success.


This post is by Jack Whitsitt of Ostrich Cyber-Risk, a sponsor of the FAIR Institute.

Read the announcement of the Ostrich sponsorship.

Learn more about Ostrich and its Birdseye cyber risk management solution.


Despite the clear benefits of CRQ, which also include putting risk into business terms, clarifying risk drivers, illuminating control requirements, reducing uncertainty, and providing clear “security objectives”, many organizations are intimidated by its perceived complexity. Common concerns revolve around not having enough knowledge, the apparent effort involved, and a desire for an uncomplicated answer to security questions.

Write-ups from organizations like Gartner™ support the effort to prioritize and communicate risk with CRQ, stating that: 

“Faced with increasing board scrutiny and executive demand for cybersecurity services, security and risk management (SRM) leaders are turning to cyber-risk quantification (CRQ) to communicate risk, aid enterprise decision making and prioritize cybersecurity risks with greater precision.” -Gartner™

While we agree with Gartner™ that trusted analysis, timely delivery of analysis, and guidance that empowers decision makers are key factors in long term CRQ success, we believe that this advice may inadvertently contribute to the perception that high levels of maturity are necessary for CRQ success. 

Fortunately, the apparent complexity of CRQ is actually a clear indication of its value, not of potentially insurmountable roadblocks. Robust, trusted CRQ approaches like Open FAIR™ allow organizations to manage the complexities of risk assessment head-on with minimal up-front effort. The impression of CRQ complexity is driven by the fact that past, more traditional approaches often obscure or avoid dealing with some of the nuance that rigorous risk assessment and analysis requires.

Limitations of traditional risk assessments 

Frequent limitations of past, more traditional risk assessment and analysis approaches include failing to consider the uncertainty of risk, using numbers without measurement rigor (e.g., weightings without context), focusing on an incomplete set of risk factors, making vague assumptions and generalizations, not requiring decision-makers to reach a structured consensus on the more subjective elements of risk, and failing to describe risk in terms of actual, tangible consequences.

These limitations can lead organizations with competing priorities to draw erroneous conclusions with a false sense of confidence in risk scores, while suffering from unnecessary operational inefficiencies.

If you’ve ever seen a risk heat map, a single “number” for a “risk score”, “vulnerability” used as a stand-in for “risk”, an assessment that describes exposure today and not exposure over time, or a risk assessment that requires users to estimate risk without providing appropriate cue questions, you’ve likely seen examples of these limits. 

Unfortunately, while these limitations may (seem to) simplify the process of assessing and analyzing risk, that simplification comes at the cost of decision quality and has the potential to not only increase your risk by failing to provide information of sufficient quality, but to do so in a way that provides a false sense of confidence. 

How CRQ addresses these limitations 

CRQ addresses these issues by applying tools and concepts that ensure a complete consideration of all risk factors, targeted estimates with more explicit assumptions, the expression of uncertainty via ranges, the use of actual units like events per year or dollars per event, and the development of an organization's "theory of risk" based on the combination of knowledge, experience, and data within that organization. 

For example, simply referring to the Open FAIR™ Ontology provides an opportunity to come to a consensus on risk drivers and risk reduction opportunities. The ontology itself encourages questions about concerns such as: Is it a loss magnitude driven risk? Is it a loss frequency driven risk? Is there a contact frequency problem? Is reputational loss even a consideration? Etc.

Further, the use of ranges provides a significant opportunity for organizations to capture and describe their risk visibility, to take advantage of limited examples by estimating different possibilities *implied* by those examples, ruling out things that will not happen, etc.   
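To make the use of ranges and real units concrete, here is an added example (not part of the original post, and not code from Ostrich or the Open FAIR™ standard) that turns a range for events per year and a range for dollars per event into a distribution of annual loss. It assumes each range is a 90% confidence interval fitted with a lognormal distribution and that event counts are Poisson; the input values are constructed for illustration.

```python
import math
import random

Z90 = 1.645  # z-score bounding a 90% interval (5th to 95th percentile)

def lognormal_from_range(low, high):
    """Fit lognormal (mu, sigma) so that low/high are the 5th/95th percentiles."""
    if not 0 < low < high:
        raise ValueError("range must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method, fine for small lam)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def simulate_annual_loss(freq_range, magnitude_range, trials=20_000, seed=1):
    """Return one simulated total loss (dollars) per simulated year."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_range(*freq_range)
    m_mu, m_sigma = lognormal_from_range(*magnitude_range)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma)  # uncertain events per year
        events = poisson(rng, rate)               # events in this simulated year
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))
    return losses

def summarize(losses, threshold):
    """Report the result as a range plus the chance of exceeding a threshold."""
    ordered = sorted(losses)
    pick = lambda q: ordered[int(q * (len(ordered) - 1))]
    return {
        "p10": pick(0.10), "p50": pick(0.50), "p90": pick(0.90),
        "mean": sum(ordered) / len(ordered),
        "p_exceed": sum(1 for x in ordered if x > threshold) / len(ordered),
    }

if __name__ == "__main__":
    # Constructed estimates: 0.5 to 4 loss events/year, $50k to $1M per event.
    result = summarize(simulate_annual_loss((0.5, 4), (50_000, 1_000_000)), 1_000_000)
    for key, value in result.items():
        print(f"{key}: {value:,.2f}")
```

The output is itself a range (10th, 50th and 90th percentile of annual loss) plus the probability of exceeding a chosen dollar threshold, rather than a single risk score.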

Wrap-Up 

Getting started with CRQ may seem daunting, but it is easier than you think:  

  1. The first step is to accept that perfection is not achievable and that bounding and describing the uncertainty from imperfection is a key value of CRQ.  

  2. The next step is to choose a CRQ tool that fits your organization's needs, and to begin using it to assess the uncertain future with the knowledge and information you have available.   

  3. Finally, having a tool can help you navigate that journey and get started taking advantage of common techniques to make your initial forays into CRQ relatively quick and easy.

As time goes on and the power of CRQ becomes apparent to you and your organization, you can build towards the Gartner™ ideal state of trusted, timely analyses that provide guidance which empowers decision makers. 

Please contact Risk Quantification Expert Jack Whitsitt directly for any questions and CRQ guidance.  
