Simply put, cyber risk quantification is the process of measuring IT and cyber risk exposure in monetary terms. It helps you determine which risks to focus on first, and where to allocate your cybersecurity resources for maximum impact.
Typically, cyber risk quantification uses sophisticated modeling techniques like Monte Carlo simulations to estimate the value at risk (VaR) or expected loss from risk exposure.
By quantifying the monetary impact of a risk event, you can confidently answer questions like “How much should we invest in cybersecurity?”, “What will be the return on investment?”, and “Do we have enough cyber insurance coverage?”
Risk quantification can benefit multiple stakeholders. CISOs gain a deeper understanding of risk impact which helps them make data-driven decisions. Boards have more visibility into what’s at stake for the business in terms of dollar value. And executives can effectively prioritize cybersecurity investments, driving alignment between cyber programs and business goals.
"Cyber risk quantification is now firmly established as a key innovation and indispensable value-add to integrated risk management and GRC. Organizations can make data-driven decisions based on risk exposure versus required investments. CISOs and CIOs can also communicate cyber risk exposure in financial terms to the C-suite. Security and risk professionals gain an efficient basis for allocating cyber security budgets and limited resources to prioritize mitigation efforts."
Risk quantification isn’t a new practice. But it’s receiving more attention these days because of the following reasons.
The UN reported a 600% increase in malicious emails during the pandemic. Cisco predicts that DDoS attacks will reach 15.4 million by 2023. Cybersecurity Ventures estimates that cybercrime will cost the world $10.5 trillion annually by 2025. All this means that we need to get smarter about how we assess, measure, and respond to cyber risks.
Businesses are increasingly adopting AI, IoT, robotic process automation, cloud apps, and other digital technologies to achieve their business goals. But all that digitization creates more entry points for cyber criminals to breach sensitive networks. If we want to stay ahead, we have to build a more accurate understanding of risk impact and likelihood.
Organizations face thousands of IT and cyber risks. The challenge is to figure out which risks to deal with first. Likewise, there may be hundreds of possible security controls. Which one will yield the most benefits for the least cost? These are questions that CISOs have to answer because their budgets are finite. Investments have to be allocated as efficiently as possible. That starts with quantifying the financial loss of a potential cyber risk. When you know how much the risk will cost you, and how much a particular control can help lower that cost, it becomes easier to decide where to direct security investments.
Cyber risks have historically been communicated in qualitative terms like “probably likely to occur” or “somewhat likely to impact the business”. But these terms often raise more questions than provide answers. What does “probably likely” mean? How is it different from “somewhat likely”? If resources are applied to a “probably likely” risk, how much risk reduction will be achieved? To answer these questions, we need more quantitative data.
"It is clear that organizations need solutions that protect digital workers while rapidly addressing the digital transformation and thwarting off increased cyber threats. Cyber leaders are beginning to realize that resilience is only one step towards managing risk. An integrated risk management approach enables visibility to real-time data to quantify risk and make more strategic business decisions."
By measuring and communicating cyber risks in monetary terms, you can:
No longer do you have to guess which IT and cyber risks to prioritize based simply on intuition or judgement. With properly quantified risk data, you understand the true impact and probability of a risk. You know where to focus your cyber investments, and how to reduce your risk exposure in line with business objectives. You’re less likely to over-react or under-react to potential risk events. Instead, you’re able to make calculated IT and cyber risk management decisions that yield optimal value.
When you express cyber risk exposure in clear and precise terms, you minimize uncertainty. There’s much less debate and confusion about what the top three cyber risks are, or why they’ve been ranked that way, or which controls are most relevant to mitigate those risks. The data is there for everyone to see.
Cybersecurity presentations to the board and leadership team can be filled with confusing technical jargon. Or, they fan the flames of FUD (fear, uncertainty, and doubt). But that doesn’t help with effective business analysis or decision-making. Quantification, by contrast, provides a more nuanced and easy-to-comprehend view of cybersecurity risks. Boards and executives can quickly understand the most critical and costly cyber threats facing their business. CISOs, in turn, can better justify the need for cybersecurity investments.
When you invest in a security control, you want to know how effective it is. Cyber risk quantification can help you understand how much risk reduction has been achieved with each control. If you find your risk exposure is still high, you can quickly re-direct your investments to another, better control. This way, your cyber risk mitigation efforts become more proactive and productive.
Cyber risk quantification helps you strengthen your cyber maturity and resilience. It gives you the insights to respond to cyber threats in a more targeted and cost-efficient way. That translates into improved customer trust and credibility. Companies using, or planning to use, quantitative risk assessment models are ahead in digital transformation, and have overall higher cybersecurity performance.
"Over the past three decades we have seen the evolution of market risk, credit risk, and operational risk. Cyber risk quantification is a natural extension of the qualitative assessments that organizations have already been doing as the factors involved are the same. We’re talking about the assets, the threats, the vulnerabilities, and the assessment of those vulnerabilities, and the controls that you have in place, to mitigate the risks and the losses."
Factor Analysis of Information Risk (FAIR™) is an internationally recognized standard model for quantitative risk analysis. It gives you a structured way to understand, analyze, and quantify cyber risks in financial terms.
With FAIR, you can quantify your security risk exposure in terms of the dollar value at risk. The framework helps you challenge and defend your risk decisions using an advanced risk model, while also determining how security investments will impact your risk profile.
FAIR can be used in tandem with other risk assessment frameworks such as NIST, ISO, and OCTAVE. While many of them rely on qualitative color charts or numerical weighted scales to assess risks, FAIR adds a quantitative dimension that makes risk assessments more holistic.
ISO 27005 acts as a guideline for information security risk assessments. It doesn’t outline a specific methodology, but it does imply continuous risk management based on the following components: context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review.
NIST SP 800-53 was developed by the US National Institute of Standards and Technology (NIST) to establish common control assessment procedures for federal organizations. But many private organizations also use NIST to determine if their security controls are implemented correctly, operating as intended, and producing the desired outcome.
OCTAVE or the Operationally Critical Threat, Asset, and Vulnerability Evaluation was developed by Carnegie Mellon University for the Department of Defense. The new version, OCTAVE FORTE, helps organizations evaluate their security risks, and use ERM principles to bridge the gap between executives and practitioners. OCTAVE Allegro – which serves as a complement to OCTAVE FORTE – helps streamline and optimize security risk assessments.
COBIT® 5 was created by the Information Systems Audit and Control Association (ISACA) for enterprise IT governance. It enables a consistent and accurate assessment of IT risks and their impact on an organization.
Why Use Monte Carlo Simulation Models?
A Monte Carlo analysis is a powerful tool to help you model the probability and impact of different risk exposures in quantitative terms. It simulates a cyber risk event like a ransomware attack multiple times over, so that you can predict the financial losses that could result from each scenario – ranging from best-case, to most likely, to worst-case scenarios. Based on these insights, you can decide on the best approach to risk mitigation.
While many of the risk assessment frameworks covered above provide clear guidelines and procedures on how to measure cyber risks, here are a few best practices to get you started:
1. Establish a common risk language: If everyone in the organization has a different definition for IT asset, threat, or vulnerability, you’ll find it difficult to communicate and defend your risk decisions. Standardize the risk nomenclature as much as possible.
2. Involve other functions: Cyber risk quantification is a collaborative exercise that goes beyond the IT security department. Engage other divisions in identifying critical risk scenarios. The more perspectives you have at the table, the more comprehensive your risk data will be.
3. Revisit risk results periodically: Cyber risks and threats are always evolving. A risk that was critical a year ago may not be so anymore. The only way to know is to re-quantify your risks at regular intervals – maybe once or twice annually.
4. Start small: It’s neither efficient nor effective to cover all possible threats and risk scenarios at once. Pick one important use case and work on that first.
5. Automate wherever possible: Manual cyber risk quantification processes can be both complex and time-consuming. Find a solution that can help you automate workflows, and measure risks faster.
6. Remember, quantification isn’t a panacea: Cyber risk quantification should enhance, not replace other IT and cyber risk management processes. Its value is best realized when complemented with risk monitoring, qualitative assessments, internal audits, and issue management processes.
The Cyber Risk Quantification framework from MetricStream is designed to enable you to measure, manage, and report cyber risk in monetary value. It is the first use case built on MetricStream Intelligence, a new flexible analytics and AI engine that encompasses multiple calculation engines, AI/ML, and data science capabilities. MetricStream’s Cyber Risk Quantification framework brings native capabilities for advanced cyber risk quantification and Monte Carlo simulation.
The framework is flexible to enable your organization to build homegrown models or adopt industry-standard models such as the FAIR model as well as other models. Presently, the FAIR (Factor Analysis of Information Risk) model is fast emerging as the standard methodology for cyber risk quantification and is widely recognized in the industry for calculating the value at risk for cybersecurity. With FAIR, asset-based risks can be quantified per their threat and vulnerability exposure leading to the calculation of the final dollar value at risk. In addition to supporting the FAIR model, MetricStream’s Cyber Risk Quantification framework supports other methodologies like ISO 27005, NIST SP 800-53, CMU OCTAVE, and COBIT 5.
MetricStream’s Advanced Quantification and Simulation enables users to build custom models of any kind, use various factors and variables, and capture values for factors (e.g., threat event frequency) that are represented in a simple, parent-child hierarchical format. The accuracy of quantification can be further improved with a wider range of inputs per factor (e.g., Min, Max, Most Likely, and confidence). Users can also trigger a Monte Carlo simulation to generate a range-based estimate and predict the probability of different outcomes for the Annual Loss Expectancy.
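The following is an added worked example, not MetricStream’s code and not an implementation published by the FAIR Institute. It illustrates both the Monte Carlo section above and the Min/Max/Most Likely/confidence inputs just described: each FAIR factor (threat event frequency, vulnerability, loss magnitude) is captured as a min/most-likely/max triple and sampled from a PERT distribution, loss event frequency is derived as threat event frequency times vulnerability, and many simulated years produce a distribution of annual loss from which the Annual Loss Expectancy (the mean) and tail percentiles are read. It also shows how the same simulation measures the risk reduction a control buys, as discussed under control effectiveness. All scenario numbers, the control’s annual cost, and the loss tolerance threshold are constructed placeholders.

```python
"""FAIR-style Monte Carlo estimate of annual loss exposure (added example)."""
import math
import random
import statistics

# Constructed scenario inputs (placeholders, not figures from the article).
# Each factor is (min, most_likely, max); confidence shapes the PERT curve.
BASELINE = {
    "threat_event_frequency": (2, 6, 15),            # threat events per year
    "vulnerability": (0.10, 0.30, 0.50),             # P(threat event becomes a loss event)
    "loss_magnitude": (20_000, 150_000, 1_500_000),  # USD lost per loss event
}
# Same scenario after a hypothetical control lowers vulnerability (constructed).
WITH_CONTROL = dict(BASELINE, vulnerability=(0.02, 0.08, 0.20))


def pert_sample(rng, low, mode, high, confidence=4.0):
    """Draw one value from a modified PERT distribution defined by
    min / most likely / max and a confidence (lambda) parameter."""
    if not low <= mode <= high:
        raise ValueError("need min <= most_likely <= max")
    if high == low:
        return float(low)
    span = high - low
    a = 1.0 + confidence * (mode - low) / span
    b = 1.0 + confidence * (high - mode) / span
    return low + rng.betavariate(a, b) * span


def poisson_sample(rng, lam):
    """Number of loss events in one simulated year (Knuth's algorithm)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=10_000, seed=1, confidence=4.0):
    """Return a sorted list of simulated annual losses, one per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = pert_sample(rng, *scenario["threat_event_frequency"], confidence)
        vuln = pert_sample(rng, *scenario["vulnerability"], confidence)
        events = poisson_sample(rng, tef * vuln)  # loss event frequency = TEF x vulnerability
        losses.append(sum(pert_sample(rng, *scenario["loss_magnitude"], confidence)
                          for _ in range(events)))
    losses.sort()
    return losses


def summarize(losses, tolerance=500_000):
    """ALE (mean), tail percentiles, and the chance of exceeding a loss tolerance."""
    n = len(losses)

    def pct(p):
        return losses[min(n - 1, int(p * n))]

    return {
        "ale": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": losses[-1],
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / n,
    }


def control_value(baseline, with_control, annual_cost, trials=10_000, seed=1):
    """Compare two scenarios with the same random seed to estimate the ALE
    reduction a control delivers, net of what the control costs per year."""
    base = summarize(simulate_annual_loss(baseline, trials, seed))
    ctrl = summarize(simulate_annual_loss(with_control, trials, seed))
    reduction = base["ale"] - ctrl["ale"]
    return {
        "baseline_ale": base["ale"],
        "control_ale": ctrl["ale"],
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_cost,
    }


if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("with control", WITH_CONTROL)):
        s = summarize(simulate_annual_loss(scenario))
        print(f"{name:13s} ALE=${s['ale']:,.0f}  p90=${s['p90']:,.0f}  "
              f"p95=${s['p95']:,.0f}  P(loss > $500k)={s['p_exceed_tolerance']:.1%}")
    print(control_value(BASELINE, WITH_CONTROL, annual_cost=100_000))
```

The mean of a PERT(min, mode, max) with the default confidence is (min + 4·mode + max)/6, so the baseline inputs above imply roughly 6.8 threat events a year, a 0.3 chance each becomes a loss event, and about $353k per loss event, i.e. an ALE in the region of $700k; the p90 and p95 values are what a board usually wants alongside the mean, and the "exceeds tolerance" probability is the number to compare against a cyber insurance deductible or limit.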
With MetricStream’s Cyber Risk Quantification framework, your organization will be able to power what’s next by equipping:
No organization can ever be fully invulnerable to threats and risk – but smart risk management and measurement will keep you a step ahead.