Home » Security Bloggers Network » How to Use Cyber Risk Quantification for Business Decision Support

How to Use Cyber Risk Quantification for Business Decision Support

by Jeff B. Copeland on May 11, 2023

Meeting - Business Decision Support with Cyber Risk Quantification Gartner, the leading technology research firm, recently published this finding on organizations that have adopted cyber risk quantification (CRQ): “Only 36% have achieved action-based results, including reducing risk, saving money or actual decision influence.”

As the leader in implementing Factor Analysis of Information Risk (FAIR™), the recognized standard for cyber risk quantification, our reaction at RiskLens was, “Wait, what? We’ve been helping clients achieve action-based results with CRQ for 10-plus years.”

Our second reaction was, “How do you define cyber risk quantification?”

As FAIR creator Jack Jones writes in his Buyer’s Guide to Cyber Risk Quantification (FAIR Institute membership required to view – sign up here), the marketplace is crowded with vendors claiming to quantify cyber risk by scoring organizations for presence/absence of controls, “maturity” compared to security frameworks, vulnerability scans or other technical ratings that generate numbers but don’t quantify risk in terms of money. In other words, they don’t directly support business decision-making.

FAIR gives organizations a methodology to quantify the probable likelihood and probable costs of cyber attacks or other loss events, so risk can be expressed in a range of annualized results (such as “a most likely value of $1 million”) easily communicated to business leaders.

Sponsorships Available

3 ways that FAIR analysis, implemented through the RiskLens platform, helps CISOs or cyber risk managers achieve actual decision influence.

1. Identify and Prioritize Top Risks

RiskLens Platform - Top Risks The starting point for many RiskLens clients is a fast look at an organization’s top risks based on probable loss exposure in monetary terms. To speed the process, the RiskLens enterprise analysis platform shortcuts data gathering with extensive libraries of industry-specific data built-in. Many business decisions flow just from prioritizing risks.

Learn more:

5 Uses for a Top Cyber Risks Analysis

Tech Company Quickly Identifies Top Cyber Risks with Quantitative Analysis

2. Aggregate Risks by Loss Exposure

Unique in the marketplace, the RiskLens platform can aggregate multiple risk scenarios into overall assessments of risk by business unit, revenue stream, attack vectors or any other useful viewpoints (we call them “portfolios”) for decision-makers, including the enterprise level.

Learn more:

Webinar: Fast, Flexible Risk Reporting with RiskLens Portfolio Management.

One tangible benefit of these assessments for decision-making is gaining clarity on How to Set a Risk Appetite with RiskLens

Another key benefit: FAIR quantification puts cybersecurity on an equal footing dollar-wise with other aspects of enterprise risk management that leadership faces. Check out this example: Case Study: Quantitative Risk Assessment for Earthquakes, Strikes and More Operational Risk

RiskLens Platform - Cost Benefit Analysis-1

3. Run Cost/Benefit Analysis

There’s no more direct decision support tool than the RiskLens platform’s capability to run cost/benefit or ROI analysis. With a quantified understanding of the baseline risk for a scenario in hand, you can re-set the scenario for alternate outcomes – say, purging data from a database or retaining data and adding data loss prevention controls – see the changes in loss exposure, then compare to the cost of the controls or other action steps.

Learn more:

CISO Makes a Quick Pitch to Restore Security Project Budget Based on Cost Benefit Analysis

Finance Company Assesses Risk of Data Breach from Shared Storage