Effective risk-based decision-making in cybersecurity often depends on the ability to quantify the risks in question. It requires some idea of the following:
- How much overall risk is reduced by spending on one project versus another.
- Which project or strategy reduces risk the furthest or fastest, if prioritized.
Quantifying cyber-risk, however, is not always easy or straightforward. The most rudimentary cyber-risk quantification approaches can result in shallow or misleading results, while more complex DIY methodologies may prove prohibitively cumbersome and time-consuming. Cyber-risk quantification tools can support security teams in making more sophisticated, informed and reliable decisions.
Cyber-risk quantification challenges
On the surface, quantifying risk looks easy. The accepted formula is the following:
Risk = Cost of event * Probability of event
But most organizations find it difficult to peg the cost of a hypothetical compromise, as well as the likelihood such an event will occur.
Some costs, however, are relatively simple to calculate. For example, if a ransomware attack bricked a hundred laptops, the cost would include replacing the laptops, as well as the labor associated with configuring and distributing them.
A little more murkily, the cost would also include lost productivity for staff, to whatever degree they depend solely on the laptops and to whatever degree any alternate method of working -- virtual desktop infrastructure via personal machines, for example -- is less productive.
And consider other categories of cost that are still more difficult to quantify: How much would the reputation of the company suffer if it were to fall victim to such an attack? What financial loss would that reputational damage cause? How would it affect new business or returning business, driving down revenues; stock prices, driving down valuation; or credit ratings, driving up interest rates?
Event probabilities can be even trickier to quantify. Again, consider ransomware: With no security controls in place, the likelihood of falling victim to such an attack is nearly 100%. But, with one defensive mechanism in place, what is the likelihood of an attack getting through despite it? It's even more challenging to justify the costs of adding supplementary risk mitigation tools or services.
A simple formula of uncertain terms
In practice, many organizations see all the uncertainties in the values inserted into the above calculations and conclude they are uncomfortable letting the results guide strategy and dictate purchases.
Often, security leaders are also leery of spending too much time and effort on detailed cyber-risk quantification. As a result, it is common to see rough-and-ready estimates that rate likelihoods and costs as high, medium or low, plotted on a three-by-three grid that guides efforts toward high-impact/low-cost projects or tools and away from high-cost/low-impact ones.
Some IT shops do go further, mainly on the cost side, using spreadsheets to conduct more detailed cost estimates. They typically use basic cost modeling methods -- e.g., remedial actions are priced out to include the software, hardware or service costs required, plus the hours of staff time involved multiplied by the salaries of the people involved, plus some generic productivity costs.
However detailed they get on the cost side, though, most teams' models still leave event probabilities vague and coarse-grained. "Low," for example, might mean 10% risk, "medium" might mean 30% and "high" might mean 60%.
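As an added illustration (not code from the article), the following Python script carries the rudimentary approach through end to end: it itemises the cost of the laptop-ransomware event from the earlier example, applies the coarse low/medium/high probability buckets quoted above, and ranks two candidate controls by expected loss avoided per dollar spent. Every price, hour count and rate is a constructed sample figure, and the two controls and their effects are assumptions for the sake of the example.

```python
"""Rough-and-ready risk calculation for the laptop-ransomware scenario.

Added illustration, not from the article. All prices, hours and rates are
constructed sample figures; the low/medium/high percentages are the ones the
article quotes as typical.
"""
from dataclasses import dataclass, field
from typing import Optional

# Coarse probability buckets used in place of a real event probability.
LIKELIHOOD = {"low": 0.10, "medium": 0.30, "high": 0.60}


@dataclass(frozen=True)
class CostItem:
    name: str
    amount: float


@dataclass
class Scenario:
    name: str
    likelihood: str                      # "low" | "medium" | "high"
    costs: list = field(default_factory=list)

    def cost_of_event(self) -> float:
        return sum(item.amount for item in self.costs)

    def expected_loss(self) -> float:
        # Risk = Cost of event * Probability of event
        return self.cost_of_event() * LIKELIHOOD[self.likelihood]


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: it may lower the likelihood bucket, shrink the
    cost of the event (e.g. backups cut recovery cost), or both."""
    name: str
    annual_cost: float
    new_likelihood: Optional[str] = None
    cost_multiplier: float = 1.0


def ransomware_laptop_costs(n_laptops: int = 100,
                            laptop_price: float = 1200.0,
                            build_hours_each: float = 1.5,
                            tech_hourly_rate: float = 60.0,
                            days_without_laptop: int = 3,
                            staff_day_value: float = 400.0,
                            vdi_efficiency: float = 0.6) -> list:
    """Itemise the cost of an attack that bricks n laptops (constructed figures)."""
    hardware = CostItem("replacement laptops", n_laptops * laptop_price)
    rebuild = CostItem("configure and distribute",
                       n_laptops * build_hours_each * tech_hourly_rate)
    # Staff keep working over VDI on personal machines, but at reduced efficiency;
    # only the unproductive fraction of their day value is counted as lost.
    productivity = CostItem("lost productivity",
                            n_laptops * days_without_laptop * staff_day_value
                            * (1.0 - vdi_efficiency))
    return [hardware, rebuild, productivity]


def residual_loss(scenario: Scenario, control: Control) -> float:
    """Expected loss once the control is in place."""
    likelihood = control.new_likelihood or scenario.likelihood
    return scenario.cost_of_event() * control.cost_multiplier * LIKELIHOOD[likelihood]


def rank_controls(scenario: Scenario, controls: list) -> list:
    """Order controls by expected loss avoided per dollar spent, best first."""
    ranked = []
    for control in controls:
        avoided = scenario.expected_loss() - residual_loss(scenario, control)
        ranked.append((control.name, avoided, avoided / control.annual_cost))
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed scenario and candidate controls (assumed effects, for illustration).
RANSOMWARE = Scenario("ransomware bricks 100 laptops", "medium",
                      ransomware_laptop_costs())
CANDIDATES = [
    Control("endpoint detection and response", 40_000, new_likelihood="low"),
    Control("tested offline backups", 15_000, cost_multiplier=0.5),
]

if __name__ == "__main__":
    print(f"cost of event: {RANSOMWARE.cost_of_event():,.0f}")
    print(f"expected loss: {RANSOMWARE.expected_loss():,.0f}")
    for name, avoided, per_dollar in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"{name:35s} avoids {avoided:>9,.0f}  ({per_dollar:.2f} per dollar)")
```

Run it and the weakness the article describes is visible in the numbers: the whole ranking turns on the difference between 0.30 and 0.10, so moving a control from "medium" to "low" is a judgment call that swings the result by tens of thousands of dollars.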
How cyber-risk quantification tools can help
Enter cyber-risk quantification tools: They help cybersecurity programs get their arms around these challenges in multiple ways. Among other benefits, they provide the following:
- A consistent, structured framework for calculating costs, with more detail than most DIY spreadsheets, often based on the Factor Analysis of Information Risk (FAIR) taxonomy.
- Easy ways to reuse cost components across calculations.
- Ways to quantify productivity losses and other direct business impacts.
- Data on both costs and event probabilities based on other companies' experiences.
- Powerful simulation tools to help quantify risks, despite uncertainty regarding event probabilities.
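The last point, simulation despite uncertain probabilities, is easier to see than to describe. The Python below is an added example, not any vendor's algorithm: each input is a (low, most likely, high) range rather than a single number, each simulated year draws an event count and per-event losses from those ranges, and the resulting distribution yields the annualized loss expectancy (the ALE model the FortifyData entry below refers to) together with the tail percentiles that a single Risk = Cost * Probability figure cannot express. The scenario ranges, the control and its cost are all constructed values.

```python
"""Monte Carlo estimate of annual cyber loss under uncertain inputs.

Added example, not any vendor's algorithm. Each input is a (low, most likely,
high) range sampled from a triangular distribution, a common choice when only
expert estimates exist. Each trial simulates one year: the number of loss
events is Poisson with the drawn rate, and each event draws its own loss
magnitude. The mean of the annual losses is the annualized loss expectancy
(ALE); the percentiles describe the tail. All ranges are constructed values.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    low: float
    mode: float
    high: float

    def draw(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: Range   # loss event frequency (annualized rate of occurrence)
    loss_per_event: Range    # loss magnitude (single loss expectancy)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's sampler; adequate for the small yearly rates used here."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate(scenario: LossScenario, trials: int = 20_000, seed: int = 1) -> list:
    """Return the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, scenario.events_per_year.draw(rng))
        losses.append(sum(scenario.loss_per_event.draw(rng) for _ in range(n_events)))
    losses.sort()
    return losses


def summarize(losses: list) -> dict:
    def percentile(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"ale": statistics.fmean(losses),
            "p50": percentile(0.50), "p90": percentile(0.90),
            "p95": percentile(0.95), "max": losses[-1]}


def exceedance(losses: list, threshold: float) -> float:
    """Probability that a year's loss exceeds the threshold (one point on a loss exceedance curve)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def net_benefit(baseline: list, with_control: list, control_annual_cost: float) -> float:
    """ALE reduction minus what the control costs per year."""
    return statistics.fmean(baseline) - statistics.fmean(with_control) - control_annual_cost


# Constructed scenario: ransomware before and after a control assumed to cut event frequency.
RANSOMWARE = LossScenario("ransomware", Range(0.1, 0.3, 0.8),
                          Range(50_000, 180_000, 600_000))
RANSOMWARE_WITH_EDR = LossScenario("ransomware + EDR", Range(0.02, 0.1, 0.3),
                                   RANSOMWARE.loss_per_event)

if __name__ == "__main__":
    base = simulate(RANSOMWARE)
    edr = simulate(RANSOMWARE_WITH_EDR)
    for label, losses in (("baseline", base), ("with EDR", edr)):
        s = summarize(losses)
        print(f"{label:9s} ALE {s['ale']:>9,.0f}  p50 {s['p50']:>9,.0f}  "
              f"p90 {s['p90']:>9,.0f}  p95 {s['p95']:>9,.0f}  "
              f"P(loss > 250k) {exceedance(losses, 250_000):.2f}")
    print(f"net annual benefit of EDR at 40k/yr: {net_benefit(base, edr, 40_000):,.0f}")
```

Two things the output makes plain that a point estimate hides: with an expected frequency below one event per year, the median annual loss is zero even though the mean is six figures, and the p90/p95 values, not the ALE, are what a budget discussion about a bad year should be anchored on. The constructed ranges are stand-ins for the industry loss and frequency data the tools supply.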
5 cyber-risk quantification tools
Vendors offer a variety of cyber-risk quantification products and services to aid in cyber-risk management efforts. Among those suppliers are Axio360, Balbix, FortifyData, Safe Security and ThreatConnect.
The author chose to highlight these five tools based on independent research, prioritizing anecdotally prominent and well-established offerings with significant user bases. This list is organized alphabetically:
- Axio360. Axio360 is a cloud-based service that builds structured, customizable cyber event scenarios and cost calculations based on Monte Carlo simulations. It also supports what-if modeling, enabling users to compare the ROI of potential cybersecurity investments and how they affect risk metrics and the overall cybersecurity posture.
- Balbix. Balbix, another cloud platform, uses automation to ingest asset-level data from the IT environment -- e.g., items in a configuration management database, feeds from vulnerability assessment tools, etc. -- and analyzes their risk implications in near-real time. It also generates dashboards that communicate cyber-risk exposure in financial terms to help executive and operational stakeholders make informed business decisions.
- FortifyData. FortifyData measures internal risk by inventorying an organization's IT assets and processes and then applying that information to financial scenario calculations using the annualized loss expectancy cyber-risk quantification model.
- RiskLens. RiskLens -- now part of Safe Security -- offers a suite of cloud-based services based on the FAIR model. The RiskLens platform estimates how much a given cybersecurity initiative reduces risk in monetary terms and calculates relative scores, flagging projects with the best risk reduction ROI.
- Risk Quantifier. ThreatConnect's cloud-based Risk Quantifier is an adjunct to its threat intelligence services. It offers automated risk modeling, integrating external data on probabilities, losses and costs. It can also frame recommendations in the context of multiple security frameworks, among them the NIST Cybersecurity Framework and ISO 27001.