
What is cyber risk quantification (CRQ)? How to get it right

Cyber risk quantification translates security threats into financial terms, so executives can prioritize risks, justify investments and allocate resources to protect the business.

Cyber risk quantification (CRQ) is a risk assessment methodology that expresses the likelihood and impact of cyber attacks and security incidents in numerical, and usually financial, terms rather than as qualitative high, medium or low ratings.

The output of a CRQ analysis is sometimes an abstract metric, such as incident probability or a severity score, used to prioritize risk management and risk mitigation strategies. More often, CRQ expresses risk in financial terms, such as expected annual loss or the cost of a worst-case incident, which resonate with business leaders and other stakeholders. Leaders use this output to prioritize risks against their organization's overarching business goals.

Several cyber risk quantification methodologies and tools are in common use, including the Factor Analysis of Information Risk (FAIR) standard, the NIST SP 800-30 risk assessment guide and commercial platforms such as Mastercard's Cyber Quant.

Quantitative analytics such as CRQ produce figures that an organization measures, then monitors and reevaluates over time, adjusting when appropriate. CRQ lets a business measure changes in its risk and threat landscape and gain insight into the potential business impact. The business then takes proactive steps in response, including the following:

  • Shift resources, such as budget, staff or infrastructure, to match the changed risk profile.
  • Update existing risk management strategies or add new ones.
  • Update existing technologies and policies or add new ones.

In all cases, CRQ's goal is to help a business recognize and manage risks, limit costs, reduce the impact of foreseeable security threats and increase its return on security investment. Rather than treating all threats equally, CRQ ranks them so a business can match each risk with a proportionate security investment.

The importance of cyber risk quantification

Simply put, CRQ better informs business decisions. Traditional risk assessments, often qualitative ratings made by business leaders with little direct knowledge of security technologies and practices, have led to incomplete risk management strategies, unaddressed organizational vulnerabilities and, at times, costly incidents.

Business and technology leaders who adopt CRQ instead express their subjective judgments as quantifiable metrics that everyone can review: Here is something that may happen. Here is the likelihood that it will happen. Here is the severity if it does. And here is the financial impact. The resulting list of analyzed risks is then discussed and prioritized, and strategies are built to mitigate the worst impacts while still meeting business objectives.

CRQ boosts organizations in several areas, including:

  • Resource allocation. CRQ helps a business direct finite resources to its most dangerous and most likely risks: Spend more on the most serious risks and less on milder threats. A CRQ analysis pinpoints risks and states their financial impact, so security investments can be aligned with existing budgetary constraints.
  • Risk management. CRQ and other quantification techniques underpin objective risk analysis and more effective risk management outcomes. For example, once CRQ identifies a likely and costly risk, the same figures determine how much it is financially justifiable to spend mitigating it, improving the organization's risk management posture.
  • Investment justification. Senior business executives, many with limited IT and cybersecurity knowledge, often question the need for and value of risk mitigation. CRQ results express the value of security investments in the financial terms management already uses.
  • Compliance and incident response. Security incidents sometimes result in compliance violations, disrupt business continuity or precede litigation. A comprehensive CRQ effort and the risk management strategy built on it help maintain compliance and continued business operations, protect an organization's reputation and brand and reduce its exposure to costly litigation.

Benefits of cyber risk quantification

The CRQ process, beyond its overall effect on business strategy, yields granular benefits that further help a company navigate an increasingly complex threat landscape. These benefits include:

  • Vulnerability recognition. CRQ assessments prompt discussions about the nature and source of risks and vulnerabilities, enabling a business to make more informed decisions about its risk appetite and risk tolerance. For example, having quantified the cost of a data breach, a business might choose risk avoidance, prohibiting the collection of all but the most essential customer information or anonymizing customer information from the initial point of collection.
  • Organizational buy-in. Open and honest discussions about operational workflows, processes and business resilience, which CRQ analysis provokes, often produce fundamental changes to business operations. For example, once leaders understand the impact of a serious data breach and its legal implications, they can justify security training for all employees.
  • Documented assessments. A CRQ assessment produces a documented, evidence-based estimate of incident likelihood and loss. The result is often uncomfortable to read, but a well-supported review of incident probabilities is the foundation for well-targeted security investments. For example, a high likelihood of a data breach leads a business to build a strong incident response team and a clear public relations playbook.
  • Prioritization of mitigation. Most businesses cannot afford to mitigate every possible risk. Leaders must choose where to invest limited financial, technical and intellectual resources, and CRQ assessments furnish objective information for that choice. For example, a high probability of storage system failure justifies both a resilient storage architecture and a comprehensive backup and recovery process.
  • Stakeholder confidence. Reputation matters to employees, partners, customers and regulators alike. Regular CRQ assessments provide direction that strengthens the business against risks, resulting in greater confidence among stakeholders: The business understands its vulnerabilities and is taking appropriate measures to mitigate those risks, meet compliance obligations and ensure continued operations.

Cyber risk quantification models and frameworks

There is no single methodology for quantifying cyber risk. Numerous practical models and frameworks are in use, including the following:

  • Bayesian networks. Directed graphs that model probabilistic relationships between risk variables, such as the presence of a control and the likelihood of a successful attack. Given observed data, a Bayesian network updates the probabilities of the outcomes that have not been observed.
  • COBIT. The Control Objectives for Information and Related Technologies (COBIT) framework is a widely used IT governance methodology that offers guidance on aligning IT processes with business risks and objectives while maintaining regulatory compliance. COBIT treats risk management as one governance domain; it does not itself prescribe a quantification method, so it is usually paired with one of the models listed here.
  • FAIR. FAIR decomposes risk into loss event frequency (how often a threat acts against an asset and succeeds, given the asset's vulnerability) and loss magnitude (primary losses such as response and replacement costs, and secondary losses such as fines and customer churn). Each factor is estimated as a calibrated range rather than a point value, and the combined result is expressed in financial terms.
  • ISO 27005. This international standard offers guidance on information security risk management, including risk identification, risk assessment and risk treatment. ISO 27005 is often employed in conjunction with ISO 27001, which sets requirements for establishing an information security management system.
  • Monte Carlo simulation. Monte Carlo methods draw thousands of random samples from the estimated ranges for event frequency and loss magnitude and tally the outcome of each run. The result is a distribution of annual losses rather than a single point estimate, from which expected loss, the probability of exceeding a risk tolerance and tail values such as the 95th percentile loss can be read. Most FAIR-based tools use Monte Carlo simulation as their computational engine.
  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). The NIST RMF offers a flexible seven-step process (prepare, categorize, select, implement, assess, authorize, monitor) to help organizations manage information security and privacy risks. RMF's risk-based approach lets businesses identify and address the most critical risks early in the system development lifecycle and select controls proportionate to them.
  • NIST SP 800-30. Special Publication 800-30, Guide for Conducting Risk Assessments, provides step-by-step guidance for the entire risk assessment process: preparing for the assessment, conducting it, communicating the results and maintaining it through ongoing risk monitoring. It is closely related to other NIST publications, including SP 800-39 on organization-wide risk management, SP 800-37 on the RMF and SP 800-53 on security and privacy controls.

The choice of methodology should match current business needs and practices and the training of available staff. Many organizations apply more than one CRQ methodology to gain multiple perspectives, then check each methodology's results against the others'.

Best practices for cyber risk quantification in the enterprise

Companies adapt methodologies to meet specific business needs. However, common organizational best practices make CRQ adoption more effective, specifically:

  • Asset knowledge. Effective risk quantification begins with a careful assessment of available business assets. What is assessed for risks, where are those assets located and how are those assets used? Common asset portfolios include infrastructure elements such as systems and networks, data such as intellectual property and confidential business records and even third-party relationships such as cloud and software as a service providers.
  • Threat awareness. Given the asset portfolio, what are the threats to and vulnerabilities of each asset? Understanding risk requires deep knowledge of potential threat types, how each manifests as an attack or disruption and the likelihood of any specific threat's occurrence or success.
  • Financial acumen. Some CRQ assessments yield a numerical risk score, but financial CRQ initiatives must translate potential events or incidents into an objective financial perspective: What is the cost of each disruption? Costs include replacement gear, operational downtime, lost sales, regulatory penalties, reputational damage and legal liabilities.
  • Risk ranking. Once risks are identified, their likelihoods determined and associated costs predicted, competent business and tech leaders prioritize risks based on their probability and financial impact.
  • Resource allocation. After risks are prioritized, management uses available resources to develop efficient, cost-effective mitigation strategies to blunt the most likely and costly threats.
  • Complete documentation. CRQ initiatives require data. How are risks, their likelihoods and possible impacts determined? While some data sources are clearly objective, others use subjective, sometimes experiential, determinations. Document all data sources and reasoning to ensure transparent periodic reviews and corrections as required.
  • Clear communication. Frame the results of a CRQ analysis in terms meaningful to both technical and non-technical leaders. That way, everyone in the project's decision-making process is clear on its risks and strategic goals.
  • Optimization. Risk assessment is not a one-time effort, but rather a recurring process featuring constant monitoring, regular discussions, updates and optimizations. Mitigations are altered if needed, new risks are identified, and risk probabilities change as the threat landscape evolves. Regular CRQ updates support revisions to the organization's overall risk management strategies.
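The Monte Carlo model listed above and the risk-ranking and investment-justification steps in these best practices come together in the following added example, which is not from the article or any CRQ vendor. It is a self-contained Python script (standard library only) that takes three FAIR-style scenarios, each estimated as a loss event frequency range and a 90% confidence interval for loss per event, simulates 20,000 years of losses for each, ranks the scenarios by annualized loss expectancy and then checks whether a hypothetical control pays for itself. All scenario names, frequencies, loss figures and the control cost are constructed illustrations, not data from any real assessment.

```python
"""Monte Carlo cyber risk quantification in the FAIR style: loss event frequency
(LEF) times loss magnitude (LM) per scenario, simulated over many years into an
annual loss distribution, then ranked. Added example with constructed figures."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """Range estimates, not point values: LEF as a min/mode/max triangular
    estimate of events per year; LM as a 90% CI (p5, p95) of loss per event,
    modelled as lognormal because losses are skewed and never negative."""
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_p5: float
    lm_p95: float

def make_rng(seed: int = 42) -> random.Random:
    """Seeded generator so a run is reproducible for review."""
    return random.Random(seed)

def lognormal_params(p5: float, p95: float) -> tuple:
    """90% CI -> lognormal (mu, sigma): ln(loss) is normal and the 5th/95th
    percentiles sit 1.645 standard deviations either side of mu."""
    lo, hi = math.log(p5), math.log(p95)
    return (lo + hi) / 2, (hi - lo) / (2 * 1.645)

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_loss(s: Scenario, rng: random.Random, years: int) -> list:
    """Per simulated year: draw the event rate from the triangular estimate,
    a Poisson event count, then a lognormal loss for each event."""
    mu, sigma = lognormal_params(s.lm_p5, s.lm_p95)
    losses = []
    for _ in range(years):
        events = poisson(rng, rng.triangular(s.lef_min, s.lef_max, s.lef_mode))
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(losses)

def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    idx = max(0, math.ceil(q * len(sorted_values)) - 1)
    return sorted_values[min(len(sorted_values) - 1, idx)]

def summarize(s: Scenario, rng: random.Random, years: int = 20_000,
              tolerance: float = 1_000_000.0) -> dict:
    """Annualized loss expectancy (ALE) plus the tail figures executives ask about."""
    losses = simulate_annual_loss(s, rng, years)
    return {"name": s.name,
            "ale": sum(losses) / years,
            "median": percentile(losses, 0.5),
            "p95": percentile(losses, 0.95),  # the one-in-twenty bad year
            "p_exceeds_tolerance": sum(x > tolerance for x in losses) / years}

def rank_scenarios(scenarios, rng: random.Random, key: str = "ale", **kwargs) -> list:
    """Risk ranking step: sort by expected loss, or pass key='p95' to rank by tail risk."""
    return sorted((summarize(s, rng, **kwargs) for s in scenarios),
                  key=lambda r: r[key], reverse=True)

def mitigate_frequency(s: Scenario, factor: float) -> Scenario:
    """A control that makes loss events rarer (e.g. EDR plus tested offline backups)."""
    return replace(s, name=f"{s.name} (mitigated)", lef_min=s.lef_min * factor,
                   lef_mode=s.lef_mode * factor, lef_max=s.lef_max * factor)

def control_value(s: Scenario, mitigated: Scenario, annual_cost: float,
                  rng: random.Random, years: int = 20_000) -> dict:
    """Investment justification: ALE reduction minus the control's annual cost."""
    before = summarize(s, rng, years)["ale"]
    after = summarize(mitigated, rng, years)["ale"]
    net = (before - after) - annual_cost
    return {"ale_before": before, "ale_after": after,
            "net_benefit": net, "rosi": net / annual_cost}

# Constructed scenarios: hypothetical figures, not from any real assessment.
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.1, 0.3, 1.0, 50_000, 2_000_000),
    Scenario("Customer database breach", 0.02, 0.05, 0.25, 500_000, 10_000_000),
    Scenario("Primary storage array failure", 0.2, 0.5, 1.5, 10_000, 200_000),
]

if __name__ == "__main__":
    rng = make_rng()
    for r in rank_scenarios(SCENARIOS, rng):
        print(f"{r['name']:<30} ALE ${r['ale']:>10,.0f}  P95 ${r['p95']:>11,.0f}"
              f"  P(loss > $1M) {r['p_exceeds_tolerance']:.1%}")
    # Does a $60k/year control that cuts ransomware frequency by 60% pay for itself?
    cv = control_value(SCENARIOS[0], mitigate_frequency(SCENARIOS[0], 0.4), 60_000, rng)
    print(f"Ransomware control: ALE {cv['ale_before']:,.0f} -> {cv['ale_after']:,.0f}, "
          f"net benefit {cv['net_benefit']:,.0f}/yr, ROSI {cv['rosi']:.0%}")
```

Ranking by `p95` instead of `ale` can reorder the scenarios: a rare but catastrophic breach may have a lower expected loss than frequent ransomware yet a far worse one-in-twenty year, which is precisely the distinction a single point estimate hides. Because every input is a documented range, the run can be repeated with revised estimates whenever the threat landscape or the business changes, as the optimization practice above requires.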

Stephen J. Bigelow, senior technology editor at TechTarget, has more than 30 years of technical writing experience in the PC and technology industry.
