Organisations adopt new technologies every day, and in this fast-growing landscape cybersecurity is much more than meeting regulatory requirements, having cyber response plans in place and running 24/7 monitoring. It goes beyond security controls and the management of security-related activities: it is about quantifying the risks reported, understanding their financial impact on the business and helping the business take effective decisions to reduce them. Boards of directors, executives and other stakeholders are looking for risk that can be measured, so that investment can be directed to the right place on the basis of the measurable risks reported.
Cyber risk quantification is a model designed predominantly to analyse and measure identified risks and arrive at a value for each, so that better business decisions can be taken. It puts the intangible nature of ‘risk’ into tangible business contexts and financial values in order to prioritise and mitigate the gaps identified in the risk platform. Cyber Risk Quantification (CRQ) is the process of evaluating the potential financial impact of a particular cyber threat or risk scenario, whether one that has materialised in the past, one reported recently or one that is anticipated.
Cyber risk quantification uses robust, well-established models to describe the threats, vulnerabilities and technology-based risks present in the organisation more accurately. It is an evolving approach designed to help organisations proactively assess, measure and quantify the level of risk emerging or already existing within the organisation. It is used to estimate key financial risk metrics, such as value at risk or expected annual loss, so that organisations can take better decisions and invest in the right set of security controls to safeguard their data.
Some of the metrics that are considered when cyber risks are quantified include:
- Operational risks
- Risk rating, including RTO, RPO, MTTD, MTTC (recovery time objective, recovery point objective, mean time to detect, mean time to contain) etc.
- Time taken to mitigate a risk
- Cyber threat capability
- Risk exposure and probability of the identified risks
- Risk mitigation and risk resilience
- Damage cost
The Factor Analysis of Information Risk (FAIR) model is one of the leading methodologies for quantifying cyber risk and reporting it to stakeholders. FAIR expresses cyber risk exposure as a monetary value (an expected loss or a loss range) rather than a criticality score. It raises the effectiveness of existing enterprise risk management frameworks and brings a common language that lets the business understand the potential financial impact of different cyberattack scenarios and threats, so that effective decisions can be taken against evolving vulnerabilities.
To support a unified implementation of Cyber Risk Quantification, the FAIR model is designed to integrate naturally with existing cybersecurity frameworks such as ISO, OCTAVE and NIST: those frameworks identify the tangible and intangible risks present in the environment, and FAIR attaches a financial value to them so that they can be reduced in priority order.
Cyber Risk Quantification using FAIR Model
Threats + Vulnerabilities -> Value at Risk. In FAIR terms, risk is Loss Event Frequency (threat event frequency multiplied by the probability that a threat event becomes a loss event) multiplied by Loss Magnitude (primary plus secondary loss per event), expressed in currency per year.
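The following is an added worked example written for this article; it is not code from the author, from TCS or from the FAIR Institute, and the input ranges in it are constructed for illustration rather than taken from any real assessment. It rolls up the FAIR taxonomy for one loss scenario (phishing leading to account takeover) with a small Monte Carlo simulation, then compares the scenario before and after a hypothetical control so the expected annual loss avoided can be weighed against the control's cost. Assumptions that are mine, not the article's: each calibrated min/most-likely/max estimate is sampled as a triangular distribution (commercial FAIR tooling usually uses PERT), the number of threat events per year is Poisson, and the names Estimate, Scenario, BASELINE and WITH_MFA are invented for the example.

```python
"""FAIR-style Monte Carlo for one loss scenario.

Added worked example for this article; not code from the article's author,
from TCS or from the FAIR Institute. Every number below is a constructed,
illustrative estimate, not real assessment data.

FAIR decomposition implemented here:
    Risk (annual loss)        = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  (loss events / year) = Threat Event Frequency (TEF) x Vulnerability
    Vulnerability             = P(a threat event becomes a loss event)
    LM   (currency / event)   = Primary Loss + Secondary Loss
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range, sampled as a triangular distribution
    (an assumption of this example; FAIR tooling commonly uses PERT instead)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

    @property
    def expected(self) -> float:
        return (self.low + self.likely + self.high) / 3.0  # mean of a triangular distribution


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability in [0, 1] that a threat event causes a loss
    primary_loss: Estimate    # per loss event: response, replacement, lost productivity
    secondary_loss: Estimate  # per loss event: fines, legal costs, customer churn


def point_estimate_annual_loss(s: Scenario) -> float:
    """Deterministic FAIR roll-up on expected values. Because the inputs are sampled
    independently, this equals the true mean of the simulation below."""
    lef = s.tef.expected * s.vulnerability.expected
    lm = s.primary_loss.expected + s.secondary_loss.expected
    return lef * lm


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson draw; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, iterations: int = 20_000, seed: int = 7) -> list[float]:
    """One simulated year per iteration: draw the threat-event count, decide which
    events become loss events, and add a freshly sampled loss magnitude for each."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        events = _poisson(rng, s.tef.sample(rng))
        vuln = s.vulnerability.sample(rng)
        total = 0.0
        for _ in range(events):
            if rng.random() < vuln:
                total += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        years.append(total)
    return years


def summarize(losses: list[float]) -> dict[str, float]:
    """Expected annual loss plus the tail figures a board usually asks for."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]  # 95th-percentile annual loss (value at risk)
    return {"expected": mean(losses), "median": median(losses), "p95": p95, "max": ordered[-1]}


def probability_of_exceeding(losses: list[float], threshold: float) -> float:
    """Chance that a year's loss exceeds a stated risk tolerance."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def annual_loss_reduction(before: Scenario, after: Scenario, **kw) -> float:
    """Expected annual loss avoided by a control: the figure to weigh against its cost."""
    return (summarize(simulate_annual_loss(before, **kw))["expected"]
            - summarize(simulate_annual_loss(after, **kw))["expected"])


# Constructed scenario: credential phishing against a payment-operations team.
BASELINE = Scenario(
    name="phishing -> account takeover (no phishing-resistant MFA)",
    tef=Estimate(4, 8, 15),
    vulnerability=Estimate(0.15, 0.30, 0.50),
    primary_loss=Estimate(20_000, 60_000, 150_000),
    secondary_loss=Estimate(0, 40_000, 400_000),
)
# Same scenario after a hypothetical FIDO2 rollout: TEF unchanged, vulnerability falls.
WITH_MFA = Scenario(
    name="phishing -> account takeover (FIDO2 MFA)",
    tef=BASELINE.tef,
    vulnerability=Estimate(0.01, 0.03, 0.08),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)

if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        stats = summarize(simulate_annual_loss(s))
        print(s.name)
        print(f"  point-estimate annual loss: {point_estimate_annual_loss(s):>12,.0f}")
        print(f"  simulated expected loss:    {stats['expected']:>12,.0f}   p95: {stats['p95']:>12,.0f}")
    print(f"Expected annual loss avoided by the control: {annual_loss_reduction(BASELINE, WITH_MFA):,.0f}")
```

The point estimate is the number to sanity-check the simulation against (for the constructed baseline it is 9 threat events/year x 0.317 x 223,333 per event, about 636,500 per year); the simulation adds what a single number cannot show, namely the spread of outcomes and the size of the bad years, which is what a value-at-risk figure or a "probability of exceeding tolerance" statement is built from.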
5 Best Practices for Cyber Risk Quantification
The most important benefit of conducting cyber risk quantification is the ability to scale, measure and track progress over time. Some of the practices recommended while doing cyber risk quantification are as follows:
a) Define – Teams must define the scope, coverage and expectations of the cybersecurity efforts to be calculated and quantified, and document them well to avoid confusion.
b) Establish an objective for executing CRQ – Teams must be told about, and be aware of, the cybersecurity policies, standards and requirements that the Cyber Risk Quantification effort has to align with.
c) Risk assessment – Conduct risk assessment on an ongoing basis, assigning risk criticality ratings to all assets, applications, tools and critical processes and determining the probability that each will be impacted by a cyber-attack.
d) Document – Record all activities and decisions over time, so that the organisation can take decisions effectively and without gaps.
e) Focus on high priorities – Categorise the types of risk and narrow the focus to the cyber threats that would cause the greatest damage to the organisation.
The risk challenges organisations face are increasing day by day, and the qualitative risk assessments still practised in the majority of places will not serve the purpose of quantifying risk. Quantitative risk analysis helps organisations figure out which risks to deal with first and which need more attention to protect the environment. Organisations should identify the threats that could compromise the security and privacy of their assets and data in order to take the right decisions to safeguard the environment and reduce unexpected financial damage.
Cyber Risk Quantification lets organisations view their cybersecurity posture through a financial lens, justifying cybersecurity investments, improving communication across key stakeholders and supporting better decisions on mitigation efforts and security investments based on financial impact.
The goal of quantitative cyber risk analysis is to present risk data accurately and help the business make informed decisions about investing in the right place and focusing on the critical risks in a timely manner, so that the protection of data and assets scales up. While adopting new methodologies and patterns to reduce risk in the organisation, it is equally important to eradicate growing risks, reduce complexity, look through a financial lens and improve the efficiency of controls to improve the organisation's overall security.
Views Expressed by: Kavitha Srinivasulu, Global Head Cyber Risk & Data Privacy- BFSI R&C, TCS