For example:
>>Cyber risk quantification uses (obviously) quantitative values as inputs, and produces quantitative values for the probability of cyber loss events and their impacts. For example, loss event probability is expressed as a percentage (e.g., 10% probability of occurrence in the next 12 months) or a frequency (e.g., two times per year). Magnitude is expressed as a loss of monetary value (e.g., $1.5M).
>>These values can (but don’t have to) be combined to express risk as an annualized amount (e.g., $150,000).
But even this simple description is often misunderstood, as many within the profession mistake numeric ordinal values (e.g., 1 - 5 scales, CVSS scores, credit-like scoring, etc.) as quantification. In the guide, I explain the difference, as well as the capabilities and limitations of ordinal scoring.
Note: In FAIR analysis (or any credible risk analysis), risk is always expressed as a range of probable outcomes. An integral part of FAIR analysis is Monte Carlo simulation to calculate the range of loss exposure (in dollar terms) of the modeled risk scenarios and produce the final results.
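As an added illustration (not code from the guide or from the FAIR Institute), the Python below takes the excerpt's own inputs, a 10% annual probability and a $1.5M magnitude, and runs the kind of Monte Carlo the note describes to produce a range of annual loss exposure rather than a single number. It assumes the 10% probability can be treated as a Poisson rate of 0.1 loss events per year, and widens the $1.5M figure into an assumed $0.5M / $1.5M / $2.5M (min / most likely / max) triangular range, a simple stand-in for the PERT distributions FAIR tooling typically uses.

```python
import math
import random

def annualized_loss_expectancy(probability_per_year, magnitude):
    """Point estimate from the excerpt: 10% x $1.5M = $150,000 per year."""
    return probability_per_year * magnitude

def sample_poisson(rate, rng):
    """Number of loss events in one simulated year for a given annual
    loss event frequency (Knuth's multiplication method; fine for small rates)."""
    threshold = math.exp(-rate)
    events, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return events
        events += 1

def percentile(sorted_values, q):
    """Nearest-rank percentile of an ascending list (0 <= q <= 1)."""
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]

def simulate_loss_exposure(lef, magnitude_range, years=50_000, seed=2023):
    """Monte Carlo over `years` simulated years.
    lef: mean loss events per year (assumption: 10%/yr modeled as rate 0.1).
    magnitude_range: assumed (min, most likely, max) per-event loss in dollars,
    sampled from a triangular distribution (stand-in for PERT)."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    low, mode, high = magnitude_range
    annual_losses = []
    for _ in range(years):
        n_events = sample_poisson(lef, rng)
        # Sum one independently sampled magnitude per event that year.
        annual_losses.append(sum(rng.triangular(low, high, mode) for _ in range(n_events)))
    annual_losses.sort()
    return {
        "mean": sum(annual_losses) / years,                      # expected annual loss
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / years,
        "p50": percentile(annual_losses, 0.50),
        "p95": percentile(annual_losses, 0.95),
        "p99": percentile(annual_losses, 0.99),
    }

if __name__ == "__main__":
    print("ALE point estimate:", annualized_loss_expectancy(0.10, 1_500_000))
    result = simulate_loss_exposure(0.10, (500_000, 1_500_000, 2_500_000))
    for key, value in result.items():
        print(f"{key:>10}: {value:,.2f}")
```

With these inputs the simulated median year loses nothing while the mean stays near $150,000 and the 95th and 99th percentiles sit well above it, which is exactly why the note insists on reporting a range of probable outcomes instead of one annualized figure.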
The fact that our profession is a bit confused by CRQ shouldn’t be a surprise or a reason to avoid using it. In fact, it’s helpful to recognize that this approach to quantifying risk is fundamentally no different than well-established methods used in other fields such as credit risk, market risk, and insurance. Furthermore, those risk domains had similar challenges and confusion in their early use of quantification, which they’ve successfully navigated through. We will too.
This fundamental objective – enabling well-informed decisions – should be considered the key criterion for evaluating any risk measurement approach (whether qualitative or quantitative). In the guide, I discuss many of the more specific use-cases where CRQ supports this objective, including:
>>Prioritization among risks based on financial exposure to an organization.
>>Cost/benefit analysis of mitigations based on risk reduction in financial terms.
>>Reporting to business management in the common language of business: money.
>>Risk aggregation.
And in general, improving the ability to explain or defend risk management decisions.
If you’re new to the idea of CRQ, I encourage you to get your questions answered by downloading Understanding Cyber Risk Quantification: A Buyer’s Guide (a FAIR Institute Contributing Membership is required to download; learn more about FAIR Institute membership).
Even if you’re a long-time CRQ pro, you may find the material useful when discussing the topic with others. It includes frequently asked questions about risk data, analytics and reporting, as well as red flags to watch out for.
Join Jack Jones for a webinar on Understanding Cyber Risk Quantification. Thursday, March 30, 2023, at 11 AM ET.