Cyber-risk quantification challenges and tools that can help
While cybersecurity risk should inform budget and strategy decisions, quantifying risk and the ROI of mitigation efforts isn't easy. Cyber-risk quantification tools can help.
CISOs have finite resources to solve near-infinite problems, requiring them to make tough choices that prioritize some security initiatives over others. The best way to make budgeting decisions and choose between competing priorities as a security leader is to focus on cyber-risk reduction.
Effective risk-based decision-making in cybersecurity often depends on the ability to quantify the risks in question. It requires some idea of the following:
- How much overall risk is reduced by spending on one project versus another.
- Which project or strategy reduces risk the furthest or fastest, if prioritized.
Quantifying cyber-risk, however, is not always easy or straightforward. The most rudimentary cyber-risk quantification approaches can result in shallow or misleading results, while more complex DIY methodologies may prove prohibitively cumbersome and time-consuming. Cyber-risk quantification tools can support security teams in making more sophisticated, informed and reliable decisions.
Cyber-risk quantification challenges
On the surface, quantifying risk looks easy. The accepted formula is the expected loss:
Risk = Cost of event * Probability of event
But most organizations find it difficult to peg the cost of a hypothetical compromise, as well as the likelihood such an event will occur.
Some costs, however, are relatively simple to calculate. For example, if a ransomware attack rendered a hundred laptops unusable, the cost would include wiping and reimaging or replacing them, as well as the labor of reconfiguring and redistributing them.
A little more murkily, the cost would also include lost productivity for staff, to whatever degree they depend solely on the laptops and to whatever degree any alternate method of working -- virtual desktop infrastructure via personal machines, for example -- is less productive.
And consider other categories of cost that are still more difficult to quantify: How much would the reputation of the company suffer if it were to fall victim to such an attack? What financial loss would that reputational damage cause? How would it affect new business or returning business, driving down revenues; stock prices, driving down valuation; or credit ratings, driving up interest rates?
Event probabilities can be even trickier to quantify. Again, consider ransomware: With no security controls in place, the likelihood of falling victim to such an attack over any meaningful period is nearly 100%. But with one defensive mechanism in place, what is the likelihood of an attack getting through despite it? The marginal reduction from a second or third control is harder still to estimate, yet that is exactly the figure needed to justify the cost of supplementary risk mitigation tools or services.
A simple formula of uncertain terms
In practice, many organizations see all the uncertainties in the values inserted into the above calculations and conclude they are uncomfortable letting the results guide strategy and dictate purchases.
Often, security leaders are also leery of spending too much time and effort on detailed cyber-risk quantification. As a result, it's common to see rough-and-ready ratings of likelihood and cost as high, medium or low, plotted on a three-by-three grid that steers effort toward high-impact/low-cost projects or tools and away from high-cost/low-impact ones.
Some IT shops do go further, mainly on the costs side, using spreadsheets to conduct more detailed cost estimates. They typically use basic cost modeling methods -- e.g., remedial actions get priced out to include software, hardware or service costs required, plus however many hours of staff time times the salaries for the people involved, plus some generic productivity costs.
However detailed they get on the cost side, though, most teams' models still leave event probabilities vague and coarse-grained. "Low," for example, might be taken to mean a 10% annual likelihood, "medium" 30% and "high" 60%, with no indication of how uncertain those point estimates are.
How cyber-risk quantification tools can help
Enter cyber-risk quantification tools: They help cybersecurity programs get their arms around these challenges in multiple ways. Among other benefits, they provide the following:
- A consistent, structured framework for calculating costs, with more detail than most DIY spreadsheets, often based on the Factor Analysis of Information Risk (FAIR) taxonomy.
- Easy ways to reuse cost components across calculations.
- Ways to quantify productivity losses and other direct business impacts.
- Data on both costs and event probabilities based on other companies' experiences.
- Powerful simulation tools to help quantify risks, despite uncertainty regarding event probabilities.
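To make the last two points concrete, here is a small Monte Carlo model of the kind these tools run internally: it replaces high/medium/low labels with ranges for event frequency and per-event loss, simulates many years, and reports the annualized loss expectancy, a tail percentile, and the ROI of a control in money terms. This is an added example, not the article's content or any named vendor's implementation. The scenario figures, the triangular and Poisson sampling, and the assumed effect of the control on event frequency are all constructed assumptions, loosely modelled on FAIR's Loss Event Frequency and Loss Magnitude factors.

```python
"""Monte Carlo estimate of annualized loss exposure under uncertain inputs.

Added example, not code from the article or from any vendor it names.
Assumptions (all hypothetical): a scenario is described by an annual
event-frequency range and a per-event loss range, each given as
(low, most likely, high) and sampled from a triangular distribution. The
sampled frequency feeds a Poisson draw for the number of events in a year.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: tuple       # events per year as (low, mode, high); 0.2 = once in 5 years
    loss_per_event: tuple  # USD per event as (low, mode, high)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20000, seed=7):
    """Return one simulated total loss (USD) for each trial year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    f_low, f_mode, f_high = scenario.frequency
    l_low, l_mode, l_high = scenario.loss_per_event
    yearly = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), so the order is deliberate
        rate = rng.triangular(f_low, f_high, f_mode)
        events = poisson(rng, rate)
        yearly.append(sum(rng.triangular(l_low, l_high, l_mode) for _ in range(events)))
    return yearly


def percentile(values, q):
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def summarize(losses):
    return {
        "ale": sum(losses) / len(losses),  # annualized loss expectancy
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),   # the bad year a CFO should plan for
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def compare(baseline, mitigated, annual_control_cost, trials=20000, seed=7):
    """Risk reduction and ROI of a control, in money rather than H/M/L labels."""
    base = summarize(simulate_annual_loss(baseline, trials, seed))
    miti = summarize(simulate_annual_loss(mitigated, trials, seed))
    reduction = base["ale"] - miti["ale"]
    return {
        "baseline": base,
        "mitigated": miti,
        "risk_reduction": reduction,
        # net annual benefit of the control over its annual cost
        "roi": (reduction - annual_control_cost) / annual_control_cost,
    }


# Constructed inputs (hypothetical): ransomware today, and ransomware after a
# control assumed to cut how often an intrusion succeeds, not what it costs.
RANSOMWARE_BASELINE = Scenario(
    "ransomware, current controls", (0.10, 0.30, 0.60), (200_000, 500_000, 1_500_000))
RANSOMWARE_WITH_EDR = Scenario(
    "ransomware, plus EDR and phishing-resistant MFA", (0.02, 0.08, 0.20), (200_000, 500_000, 1_500_000))


if __name__ == "__main__":
    result = compare(RANSOMWARE_BASELINE, RANSOMWARE_WITH_EDR, annual_control_cost=60_000)
    for label in ("baseline", "mitigated"):
        s = result[label]
        print(f"{label:>9}: ALE ${s['ale']:,.0f}  P50 ${s['p50']:,.0f}  "
              f"P95 ${s['p95']:,.0f}  P(loss>0) {s['p_any_loss']:.0%}")
    print(f"risk reduction ${result['risk_reduction']:,.0f}/yr, ROI {result['roi']:.1f}x")
```

Two things the single-number formula hides show up immediately when you run it: the median year is usually zero while the 95th percentile is a seven-figure loss, so "the" cost of the event depends on which year you mean, and the ROI swings with the assumed frequency range far more than with the cost range, which is why the article's observation that probabilities are the weak link matters in practice.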
5 cyber-risk quantification tools
Vendors offer a variety of cyber-risk quantification products and services to aid in cyber-risk management efforts. Among them are Axio, Balbix, FortifyData, Safe Security (RiskLens) and ThreatConnect.
The author chose to highlight these five tools based on independent research, prioritizing anecdotally prominent and well-established offerings with significant user bases. This list is organized alphabetically:
- Axio360. Axio360 is a cloud-based service that builds structured, customizable cyber event scenarios and cost calculations based on Monte Carlo simulations. It also supports what-if modeling, enabling users to compare the ROI of potential cybersecurity investments and how they affect risk metrics and the overall cybersecurity posture.
- Balbix. Balbix, another cloud platform, uses automation to ingest asset-level data from the IT environment -- e.g., items in a configuration management database, feeds from vulnerability assessment tools, etc. -- and analyzes their risk implications in near-real time. It also generates dashboards that communicate cyber-risk exposure in financial terms to help executive and operational stakeholders make informed business decisions.
- FortifyData. FortifyData measures internal risk by inventorying an organization's IT assets and processes and then applying that information to financial scenario calculations using the annualized loss expectancy (ALE) model, in which the expected loss from a single event is multiplied by its expected annual rate of occurrence.
- RiskLens. RiskLens -- now part of Safe Security -- offers a suite of cloud-based services based on the FAIR model. The RiskLens platform estimates how much a given cybersecurity initiative reduces risk in monetary terms and calculates relative scores, flagging projects with the best risk reduction ROI.
- Risk Quantifier. ThreatConnect's cloud-based Risk Quantifier is an adjunct to its threat intelligence services. It offers automated risk modeling, integrating external data on probabilities, losses and costs. It can also frame recommendations in the context of multiple security frameworks, among them the NIST Cybersecurity Framework and ISO/IEC 27001.
Finally, it is important to note that even the most sophisticated cyber-risk quantification efforts are not in and of themselves strategically conclusive. Rather, they should help inform the broader cyber-risk management program, with plenty of discussion and consideration still necessary.
John Burke is CTO and a research analyst at Nemertes Research. Burke joined Nemertes in 2005 with nearly two decades of technology experience. He has worked at all levels of IT, including as an end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect.