As a relatively new discipline within cybersecurity, cyber risk quantification (CRQ) isn’t well understood by many within the profession. Amongst other things, there is confusion about what CRQ is (and isn’t), and why it matters. The objective of the updated version of my white paper Understanding Cyber Risk Quantification: A Buyer’s Guide is to provide the profession with clear and consistent answers to these and many other common questions.
Jack Jones is the creator of the FAIR model, the international standard for cyber risk quantification, and author of the definitive text Measuring and Managing Information Risk: A FAIR Approach.
Description of Cyber Risk Quantification
>>Cyber risk quantification uses (obviously) quantitative values as inputs, and produces quantitative values for the probability of cyber loss events and their impacts. For example, loss event probability is expressed as a percentage (e.g., 10% probability of occurrence in the next 12 months) or a frequency (e.g., two times per year). Magnitude is expressed as a loss of monetary value (e.g., $1.5M).
>>These values can (but don’t have to) be combined to express risk as an annualized amount (e.g., $150,000).
But even this simple description is often misunderstood, as many within the profession mistake numeric ordinal values (e.g., 1 - 5 scales, CVSS scores, credit-like scoring, etc.) for quantification. An ordinal score ranks; it does not measure, so two such scores cannot meaningfully be added or multiplied into a loss figure. In the guide, I explain the difference, as well as the capabilities and limitations of ordinal scoring.
Note: In FAIR analysis (or any credible risk analysis), risk is always expressed as a range of probable outcomes, not a single number. An integral part of FAIR analysis is Monte Carlo simulation, which samples the input ranges (event frequency and loss magnitude) many times to produce the distribution of loss exposure (in dollar terms) for the modeled risk scenarios and the final results reported from it.
The fact that our profession is a bit confused by CRQ shouldn’t be a surprise or a reason to avoid using it. In fact, it’s helpful to recognize that this approach to quantifying risk is fundamentally no different from well-established methods used in other fields such as credit risk, market risk, and insurance. Furthermore, those risk domains had similar challenges and confusion in their early use of quantification, which they have successfully navigated. We will too.
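To make the description above concrete, here is a small Monte Carlo simulation, added as an illustration (it is not code from the white paper, the FAIR Institute, or any FAIR tool). It takes the page’s “10% probability in the next 12 months” and “$1.5M” figures, converts the probability to an event rate, widens the single $1.5M into an assumed minimum / most-likely / maximum range, and simulates 20,000 years. The distribution choices (Poisson event counts, a triangular per-event loss rather than the PERT curves FAIR tooling typically uses) and the dollar bounds are assumptions chosen for illustration only.

```python
"""Minimal FAIR-style Monte Carlo for annualized loss exposure.

Added illustration, not code from the white paper or the FAIR Institute.
Distribution choices (Poisson for event count, triangular for per-event
loss) and every dollar figure below are assumptions for illustration.
"""
import math
import random
import statistics


def probability_to_frequency(p_any_event_per_year):
    """Turn 'p chance of at least one event in 12 months' into a Poisson rate.

    Assumes events arrive independently, so P(>=1 event) = 1 - exp(-rate).
    The difference from simply using p as the rate is small at 10% but grows
    quickly as p approaches 1.
    """
    if not 0.0 <= p_any_event_per_year < 1.0:
        raise ValueError("probability must be in [0, 1)")
    return -math.log(1.0 - p_any_event_per_year)


def poisson(rng, rate):
    """Knuth's Poisson sampler; random.Random has no Poisson built in."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(frequency, loss_min, loss_mode, loss_max,
                         iterations=20_000, seed=1):
    """Return the sorted list of simulated total loss for each simulated year.

    Each year: draw how many loss events occur, then draw a dollar loss for
    every event from a triangular(min, mode, max) range and sum them.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    years = []
    for _ in range(iterations):
        events = poisson(rng, frequency)
        total = sum(rng.triangular(loss_min, loss_max, loss_mode)
                    for _ in range(events))
        years.append(total)
    years.sort()
    return years


def summarize(years):
    """Report the loss exposure as a range, not a single point estimate."""
    n = len(years)

    def percentile(q):
        return years[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(years),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "max": years[-1],
        "share_of_years_with_loss": sum(1 for y in years if y > 0) / n,
    }


if __name__ == "__main__":
    # Constructed scenario: the page's 10% / $1.5M example, with $1.5M taken
    # as the most-likely loss inside an assumed $500K to $4M range.
    freq = probability_to_frequency(0.10)
    years = simulate_annual_loss(freq, 500_000, 1_500_000, 4_000_000)
    s = summarize(years)
    print(f"event rate used:      {freq:.4f} per year")
    print(f"mean annualized loss: ${s['mean']:,.0f}")
    print(f"median year:          ${s['p50']:,.0f}")
    print(f"90th percentile year: ${s['p90']:,.0f}")
    print(f"99th percentile year: ${s['p99']:,.0f}")
    print(f"worst simulated year: ${s['max']:,.0f}")
    print(f"years with any loss:  {s['share_of_years_with_loss']:.1%}")
```

Running it shows why an annualized figure like the $150,000 above is an expected value, not a typical year: the median simulated year is $0, because roughly 90% of years see no event at all, while the mean lands near $210,000 (above $150,000 only because the assumed range is skewed to the right of $1.5M) and the 99th-percentile year runs into the millions. That spread, rather than the single number, is the range of probable outcomes the note above refers to.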
Value of Cyber Risk Quantification in Risk Management
A key point I make in the guide is that “Measuring risk isn’t the goal. Risk measurement, whether quantitative or qualitative, is performed so that decisions can be well-informed.”
This fundamental objective – enabling well-informed decisions – should be considered the key criterion for evaluating any risk measurement approach (whether qualitative or quantitative). In the guide, I discuss many of the more specific use-cases where CRQ supports this objective, including:
>>Prioritization among risks based on financial exposure to an organization.
>>Cost/benefit analysis of mitigations based on risk reduction in financial terms.
>>Reporting to business management in the common language of business: money.
And in general, improving the ability to explain or defend risk management decisions.
If you’re new to the idea of CRQ, I encourage you to get your questions answered by downloading Understanding Cyber Risk Quantification: A Buyer’s Guide (a FAIR Institute Contributing Membership is required to download; learn more about FAIR Institute membership).
Even if you’re a long-time CRQ pro, you may find the material useful when discussing the topic with others. It includes frequently asked questions about risk data, analytics and reporting, as well as red flags to watch out for.
Join Jack Jones for a webinar on Understanding Cyber Risk Quantification. Thursday, March 30, 2023, at 11 AM ET.