Edward Kost

 The threat landscape is expanding and security professionals are barely keeping up. On a daily basis, CISOs and cybersecurity staff need to contend with new malware variants, data breach attempts, ransomware attacks, zero-day exploits – all while ensuring uninterrupted dedication to vendor risk mitigation efforts.

With so many cyber threats testing your cyber resilience at once, where should you focus your cybersecurity efforts?

One method is to assign each risk a criticality rating to help security teams prioritize risks that are most detrimental to security postures.

While this does offer a significant level of protection against data breaches, security professionals may still struggle to decide which threat to address first if multiple are assigned the same criticality level.

A more effective approach would be to compare the potential financial impacts of each cyber threat and the probabilities of their occurrence – a strategy known as Cyber Risk Quantification.

Cyber Risk Quantification supports the design of a cybersecurity program focused on minimizing potential financial impact, addressing the rising costs of data breaches, while also giving stakeholders a greater appreciation for protection efforts.

What is Cyber Risk?

The definition of a cyber risk is best derived from one of the most popular frameworks used for risk quantification, the Factor Analysis of Information Risk (FAIR).

The FAIR model defines a cyber risk as:

The probable frequency and probable magnitude of future loss.

According to this definition, each cybersecurity risk has three dependencies:

An asset of a given value

A threat to the integrity and safety of that asset

The potential impact when that threat is compromised

When these variables are incorporated into a predictory model and boundary conditions are introduced, a numerical value known as a cyber risk quantification is obtained.

What is Cyber Risk Quantification (CRQ)?

Cyber Risk Quantification (CRQ) is the process of evaluating the potential financial impact of a particular cyber threat.

Quantifying cyber risks supports intelligent decision-making, helping security professionals make informed decisions about which threats and vulnerabilities to address first.

But the CRQ process is more than just assigning each cyber risk a criticality rating. What makes this classification model unique is the consideration of financial risk.

Decision-makers and security leaders speak in a language of financial terms, not cybersecurity terminology. The CRQ risk model bridges the gap between management and security professionals, helping stakeholders appreciate the value of their security investments without requiring prolonged explanations of esoterics.

Some of the metrics that are considered when cyber risks are quantified include:

Operational risk

Risk reduction efforts

Risk exposure

Risk mitigation

The Factor Analysis of Information Risk (FAIR) Model for Cyber Risk Quantification

The Factor Analysis of Information Risk (FAIR™) is one of the leading methodologies for cyber risk management developed by the FAIR Institute – a non-profit organization committed to the reduction of operational risk.

The FAIR model quantifies cyber risk exposure as a dollar value, rather than a criticality value.

By appealing to an objective metric that resonates with all sectors of a business – dollar value at risk – the FAIR model describes cybersecurity efforts in a common language everyone can understand, helping all departments align with cybersecurity initiatives.

The FAIR model fills the gap left by existing enterprise risk management frameworks. Though most cyber risk assessments, such as those from NIST and ISO, effectively communicate the need for specific security controls, they expect organizations to complete their own financial analysis to determine the potential financial impacts of different cyberattack scenarios.

Cybersecurity frameworks help organizations assess and track the maturity of their security posture, the FAIR model extends this development by quantifying the potential impacts to suggested security controls and processes to support smarter business decisions.

To support a seamless implementation, the FAIR model has been developed to naturally integrate with existing cybersecurity frameworks such as ISO, OCTAVE, and NIST.

The FAIR model quantifies risk by considering the probable magnitude of a financial loss and the probable frequency of financial loss in a given scenario. The combination of these two factors allows each cyber risk to be assigned a unique dollar value.

To translate this data into a projection everyone can understand, a Monte Carlo simulation is used to visually represent the financial impacts of each cyber risk. This final projection is usually a curve indicating the varying probability of financial losses over a given time frame.

By attributing a dollar value to potential risk scenarios, future investments into information security technology can be easily justified to business leaders.

If a slightly more in-depth analysis of the damage potential of a cyber threat outside of financial impact is required, the DREAD framework can be implemented. There are 5 primary categories of the DREAD threat model:

Damage potential – What is the possible degree of damage?

Reproducibility – How easy is it to reproduce the intended cyberattack?

Exploitability – How much effort is required to launch the intended cyberattack?

Affected users – How many people will potentially be impacted?

Discoverability – How much work is required to discover the threat

The DREAD model assigns each cyber threat with a rating between 5 and 15. The criticality levels are distributed as follows:

Low risk – levels 5 to 7

Medium risk – levels 7 to 11

High risk – levels 12 to 15

Rather than overlaying the FAIR model with an additional threat analysis model, an even deeper degree of cyber threat insights can be instantly gathered from security ratings and vendor tiering practices.

5 Best Practices for Cyber Risk Quantification

To experience the greatest value from cyber risk quantification efforts, the following best practices should be followed:

1. Develop internal and third-party risk profiles

Create cyber risk profiles summarizing threats impacting your internal and external landscapes. The creation of vendor risk profiles is much easier if your vendors have a shared profile published.

2. Establish an objective taxonomy

To streamline internal communications regarding cyber risks, every member of an organization must align with an objective list of cybersecurity definitions within the context of cyber risk quantification.

This will elevate any confusion caused by incorrectly interchanging the same cyber terms for different events, such as referring to both malware and a ransomware gang as a cyber threat (in the context of a cyber risk quantification, only malware is a cyber threat since its potential financial impact can be quantified).

3. Assign each asset a criticality rating

The preemptive assignment of criticality ratings for all internal and external assets will reduce the amount of data processing required in cyber risk quantification.

4. Document your efforts

Having readily accessible documents summarizing cyber risk calculations will support impromptu business decisions and the scalability of your cybersecurity programs.

5. Narrow your focus

Equally distributing remediation efforts across all cyber threats will only overwhelm the already exhausted bandwidth of security teams. Instead, narrow your focus on the cyber threats posing the highest damage potential.

The most effective risk prioritization strategy considers the broader context of each threat scenario. This is best achieved through a suite of risk analysis techniques used harmoniously such as cyber risk quantification, Vendor Tiering, and security ratings.

Source: upguard