Risk Quantifier & FAIR

OpenFAIR is an internationally recognized standard for quantifying cyber risk. But executing a risk assessment using OpenFAIR is challenging, time-consuming, and subjective in concept but difficult in practice. Building scenarios with OpenFAIR requires users to gather a lot of upfront data, make expert judgements around cyber attack scenarios and defenses, and project financial losses.

Running FAIR scenarios can be a great way to analyze ad-hoc events or out-of-band requests. But there are challenges associated with making FAIR operational.

Subjectivity of Inputs

Overcoming challenges with FAIR is the key to seeing FAIR adopted at a wider scale in the industry and within companies that are using it today. RQ is introducing semi-Automated FAIR Scenarios that use automation to compute the Loss Event Frequency (LEF) portion of the FAIR taxonomy. Combine that with our Industry Loss data or your own Loss Magnitude projections and you have the ability to compute the financial impact of risk scenarios rapidly and at scale.

Time Required to Gather Data

Using RQ, you overcome the challenges of scale and speed through a semi-automated FAIR scenario. The RQ risk engine uses a combination of open-source, closed-source and internal research to help compute the Threat Event Frequency, and can leverage your own control-related data or even third-party data to help automatically calculate the Vulnerability. RQ runs a simplified kill chain analysis using data from a variety of sources to see what an attacker can do to the defenses you have in place.

Lack of Actionable Outputs

With semi-automated FAIR scenarios, you can now provide actionable recommendations about what controls will best mitigate risk. No longer do you have to just put in charts or graphs to communicate your risk exposure; you can now show that and also highlight a plan for what control improvements will allow for the largest risk reduction in your organization, paving the way for the right conversations to be had.

A Better Approach To OpenFAIR

ThreatConnect Risk Quantifier

RQ’s approach to OpenFAIR

  • RQ provides pre-populated loss magnitude data that’s based on industry losses. Users can choose our data or tune our values based on their environment
  • RQ computes how likely an attacker is to beat your defenses (Vulnerability node in FAIR) based on your actual defenses and attack path modeling
  • RQ provides outputs that show you which control, or defense, you should improve to mitigate the risk based on financial risk reduction, making FAIR actionable

FAIR with Automation

RQ is introducing semi-Automated FAIR Scenarios that use automation to compute the Loss Event Frequency (LEF) portion of the FAIR taxonomy. Combine that with your Loss Magnitude projections and you have the ability to compute the financial impact of risk scenarios rapidly and at scale.

Our Results

Defensible

Most organizations don’t have a large corpus of loss data to work with, and when they embark on a CRQ journey, they have to execute a time-consuming, subjective process. To use the semi-automated FAIR scenarios in RQ, all you need to bring are your control ratings – we bring data to the table and combine them with our attack modeling. We analyze losses from across industry to build a “cohort” of loss data based on industry and company size that you can use in your FAIR scenarios – if you choose.

Timely

Gathering data for a CRQ effort can be time-consuming. Customers who use RQ see results in hours, and spend time working on mitigating risk instead of modeling risk. Creating a semi-automated FAIR scenario in RQ is simple – all you have to do is use your control data or third-party scan data to run an automated analysis. Outputs are delivered in minutes and you can start communicating in a defensible manner the same day you start your analysis.

Actionable

RQ provides actionable, data-driven output both on the financial side and on the mitigation side. Using pre-analyzed loss data reduces the uncertainty in the output. And RQ’s approach to mitigations enables you to answer the question of “what should I do to prevent this incident” in financial terms, not subjective guesses.

RQ Automation + Machine Learning

Evolution, not Revolution

RQ enables OpenFAIR practitioners to leverage their existing data and processes to model risk as they have been doing while providing a way to automate and scale the most challenging parts of making the OpenFAIR standard.

RQ provides the ability to integrate with a variety of tools, including GRC, vulnerability scanners, CMDBs and others. It gives you an aggregated view of risk by business unit, application and business process so you can manage your risk across the organization and at multiple levels. All of these features combined evolve your application of the OpenFAIR standard in a way that is scalable, whether you are looking to start your cyber risk quantification journey or expanding your program into other areas. RQ allows you to take a data-driven approach to risk that is actionable and can be almost completely automated.