Posted
Cyber Risk Quantification should be part of any Risk Management program because quantifying risk enables better business and cybersecurity decision-making, in addition to increasing need driven by frameworks and regulations, such as the proposed changes to NIST Cybersecurity Framework 2.0 and the recent US SEC Cybersecurity Rules. Given my past experience both working in & consulting for a variety of industries and organizations, this is even clearer now than the “A HA!” moment I had so many years ago when I was first introduced to risk quantification.
Throughout the years, I found myself becoming annoyed and frustrated with how risk professionals were trying to provide “value” within their risk management programs without actually quantifying risks. They were trying to talk about risk, saying something like, “Our reputational risk is high (or a five on an ordinal scale); therefore, we need to buy this tool to reduce it.” What does that even mean? A few questions that come to mind:
- What do qualitative, ordinal scales like high, medium, and low really mean?
- How much risk will be reduced if we spend money on it?
- How do I know if my risk has actually been reduced? How do I demonstrate that to business stakeholders?
Thankfully, over the years, I have learned about risk quantification. However, now another problem has arisen. Risk quantification has been synonymous with Factor Analysis of Information Risk (FAIR). FAIR is a heavy lift for a lot of organizations. Sure, there are software companies that try to make doing FAIR easier, but it still relies heavily on inputs from subject matter experts (SMEs). This hasn’t made it easier to achieve the goal of leveraging risk quantification to enable better decision-making. This is mainly because of the time it takes to scope out the problem (or scenarios), talk to the right people, ensure that how loss can happen in the scenario is understood, obtain accurate ranges for both frequency and magnitude and then figure out how a control improvement will reduce your risk. It’s cumbersome, time-consuming, and challenging to defend.
ThreatConnect’s Risk Quantifier (RQ) helps make cyber risk quantification easier and accessible to organizations that lack the resources to have risk quantification SMEs, data scientists, etc. You may be thinking, how?
I’ve put together this chart to explain:
| Instead of… | The platform… |
| The risk professional manually triaging and scoping scenarios/loss events that affect your organization | Leverages AI and machine learning to determine the biggest risks against your attack surface without having to be dependent on having SME’s |
| The risk professional estimating an individual control’s effectiveness and trying to determine what type of control it is (avoidance, deterrence, resistive, responsive) | Automatically applies the knowledge of your controls to the scenario and provides recommendations on how to reduce your risk exposure |
| The risk professional trying to guesstimate what the frequency and probability of your scenario should be | Uses a combination of attack path modeling and industry data to automatically determine the probability of an attack occurring in your environment |
| The risk professional trying to determine the impact of the vulnerabilities in your environment in qualitative terms | Will calculate how much exposure in financial terms your environment has to individual CVE’s* |
*Vulnerability scanner data required
Want to learn more? You don’t have to take my word for it, check out our interactive tour of Risk Quantifier or reach out to speak with one of our CRQ experts to schedule a demo to find out for yourself.