Putting a Price on Cyber Risk
Today, industry experts widely recognize the need to quantify cyber risk. Intuition alone cannot guide assessments of challenges in the cyber information domain.
Qualitative determinations can lead to a misdiagnosis of risk, which can lead to less-effective policy, process, and technology implementation. This ultimately does not have real risk reduction value and can result in a lower ROI. Quantitative measurements can more effectively serve to demonstrate an organization’s specific risk associated with threats, assets, and impacts (i.e. loss). However, not everyone understands how exactly to assign value to cyber risk in ways that are neither exceedingly complex nor analytically dubious.
CyberVista recently sat down with Jack Jones, Chairman of the FAIR Institute and co-founder of cyber security risk management firm RiskLens, to discuss the Factor Analysis of Information Risk (FAIR) methodology and how it allows us to quantify cyber risk simply and effectively.
From our conversation with Jones, we derived three major insights into the FAIR method:
The Seemingly Complex Can Be Simplified
Cyber risk is often perceived as exceedingly complicated. The first reaction when facing the problem of quantifying cyber risk is to default to what Jones refers to as a simple and nonscientific “wet finger in the air” test, relying heavily on assumptions and gut feelings, measuring only a vague sense that “the wind seems to be blowing this way by about this much.”
The FAIR method, by contrast, takes the seemingly impossible Gordian knot of that risk and breaks it down, simplifying cyber risk into two well-defined subcomponents: 1) the frequency of potential threat events and 2) the magnitude of expected losses to any affected assets. FAIR turns obtaining a numerical measurement from a seemingly Sisyphean task to a more manageable one.
The simplification of cyber risk using FAIR enables risk to be quantified more easily, Jones said, but also can make a cyber risk scenario “easier to wrap [one’s] head around.” This makes the process more transparent and relatable to decision makers and senior executives. FAIR provides a logical construct that can clarify (using easily understandable metrics and a common lexicon) what an organization’s cyber risk is, and more importantly the “why” and exactly “how much” in that assessment.
We Can Assign Real Values to Cyber Risk
Assigning numbers to cyber risk does not necessarily constitute actual measurements. If those numbers could just as easily be colors (such as red, yellow, and green) or even happy, neutral, or sad face emojis depicting the severity of risk, then they represent only “vague assumptions” rather than “real values,” Jones said. The FAIR method does not assign arbitrary numbers, but rather enables a real quantification of risk in terms of material and economic cost.
Through assigning real values to risk, FAIR enables coherent and mutually comprehensive discussion and debate about a particular cyber risk scenario and analyses with executives and decision makers. The numbers can then be clearly laid out in a table. It not only provides the measurements of exactly how much risk there is (in financial loss value ranges) but also allows for a detailed explanation of the risk factors, the data used, confidence levels, and the assumptions used by the analyst to determine those numbers.
Lastly, FAIR can be used in conjunction with, rather than in place of, existing cybersecurity frameworks (NIST CSF, ISO 27001, COBIT, etc.) to quantify any control gaps identified through those frameworks. It can tell an organization how much (in real value terms) to care about potential security deficiencies identified by any applied cybersecurity framework.
Words Do Matter: Use Clear and Precise Terminology
The very term “risk” is often used to convey different ideas and meanings. As Jones notes, “risk” can be used to mean multiple, different things, even within a single paragraph. The confusion of fundamental terms of what represents a “threat, vulnerability, or risk” stands in the way of effectively measuring and communicating what the cybersecurity problem is.
This is not new to an emerging field, as it took decades if not centuries for medicine, science, and other fields to reach consensus on definitions as those professions matured. However, Jones says that the rapid pace at which cyberspace is evolving and industries are changing precludes a gradual adoption of clear definitions. They are needed now.
This is another reason why FAIR is so useful. It provides “very clear and precise definitions” for different terminologies, including the definition of “risk” itself, Jones said. FAIR removes the ambiguity around terms and allows more consistent and precise communication, whether within the information security field or with senior executives.
Like simplification and quantification, precise terminology improves efficiency in understanding and addressing cyber risk issues. By using FAIR, organizations can break down complex risk, quantify and measure that risk, and streamline the meanings of nomenclature and key terms to enable prioritization of risk management. As Jones tells us, regulators and boards are now asking harder questions regarding cyber risk analysis and have shown greater desire for quantitative, methodologically-based analyses.
The information security field is behind the curve, but Jones is confident that the future for cyber risk management is “bright and positive.” Change is coming, and FAIR provides a methodology all organizations — from mom-and-pop companies to multinational corporations — can use to more effectively deal with current and future risk challenges.
CyberVista is Here To Help
If you want more information on measuring and managing cyber risk, be sure to check out our Resolve board and executive training programs. CyberVista’s Resolve program is aligned with the FAIR model and is the only executive cyber risk training program endorsed by the FAIR Institute. CyberVista’s Digital Cyber Risk Training covers 25+ cyber risk topics, includes case studies, monthly newsletters and executive briefings, and subject matter expert interviews — including the full interview with Jack Jones and many other experts.
CyberVista also offers Deep-Dive Executive Cybersecurity Sessions, Executive-level Cybersecurity Awareness training, and Cyber Breach Tabletop Exercises. Our training programs are designed to instill the knowledge necessary to confidently oversee cyber risk and ultimately help you protect your bottom line.