For security teams, the idea of risk is nothing new - in fact, most information security teams work with cyber risk daily. However, the concept of distilling that cyber risk down into numbers, cyber risk quantification, is a hotly debated issue among information and security professionals. In 2018, in their inaugural Integrated Risk Management Magic Quadrant, Gartner listed risk quantification as a critical capability for integrated risk management solutions. Yet, the way security teams approach quantitative risk analysis widely varies from organization to organization. Here we’ll explore how to quantify risk in risk assessments and why cyber risk quantification is still so ambiguous for many information security teams and why it is critical that the industry embrace this as the next step for future success.
A Brief History Of Risk And Risk Quantification
The modern concept of risk is directly correlated with uncertainty, and uncertainty is correlated with the availability of information. If an individual makes a decision with 100% certainty (or all possible information), there is no risk. Notice there is a difference between possible and available information. While individuals work to assemble all available information, it is almost impossible to assemble all possible information before a decision deadline. If we had to know all the possible information to make a decision, we would not be able to get our morning coffee let alone lead a team.
Risk has been an integral part of the business since the modern concept evolved. From contracts in the 16th century to the emergence of lending, business leaders have been taking risks seemingly forever. Until the 17th and 18th centuries, though, the decision to accept or reject that risk was predicated on subjective measures such as personal relationships and word of mouth.
The industry that catalyzed the development of objective risk quantification was, to no surprise, insurance. Critical to their business model, insurance companies innovated new ways to calculate the potential risks associated with individuals and material objects. In the 20th century, we saw governments begin to call for increased use of quantitative risk assessments - driven by increasing tensions following nuclearization and the Cold War; the US government needed the means to make calculated decisions moving forward.
Business Risk In The Modern Age
Business is inherently risky as it is predicated on the fact that businesses that survive are doing something different from their competitors. If someone does something never done before, they accept a certain degree of risk to the business. Looking at the Ansoff Matrix for new product development, we see that teams of any function must embrace some form of project risk.
Information Risk Management
We’ve seen before that risk reduction, the primary objective of security teams, is often at odds with business growth. In fact, Bromium reports that 74% of CISOs see security as the primary hindrance to business growth and innovation. Both of these concepts come with potential loss events and risks.
It is not the security team's job to stand in the way of the rest of the organization and be at odds with the CEO. In fact, these businesses are the ones that stagnate. It is also not the CEO's job to turn a blind eye to the security risks of business growth.
Both the CEO and security leaders need to be effective at relaying the necessary information to each other: the CEO must effectively convey their ideas and strategy, and the security leader must be able to effectively convey the risks associated with that strategy for the CEO to make a well-informed decision in a projected duration about whether to move forward.
The issue is, that without an objective means to convey the risks associated with the CEO’s strategy, the CISO cannot hold up their end of the relationship.
Barriers To Adoption Of Risk Quantification
If quantifying cyber security risk is so critical to a CISO, why is it so widely debated? The fact is, information security has not been so critical to a company’s bottom line before. From the DIB to financial services, information is the new currency and customers’ trust in an organization's security of their customers’ information has a direct impact on the bottom line.
We are in uncharted waters regarding how to quantify risk in a project that was previously focused on ensuring that the rest of the organization continued to function; using a risk matrix is not enough.
The MIT CISR breaks the risks managed by information professionals into four categories: agility, accuracy, access, and availability.
Up until the digital revolution, the primary focus of security teams was mostly cost estimates and schedules, some access, and pieces of accuracy and agility.
With digitization, that has completely shifted. In fact, the role of the CISO now is more focused on agility - securing the organization as it rapidly adopts new technologies that are not necessarily secure. This change has caused a shift in the dynamic and the need for cyber risk quantification models. Unfortunately for those working to define it, the easiest function to define is availability - in the case of business continuity, we can look at what happens in the event of a disaster, for how long do processes stop for, and what project costs are lost as a result of that breakdown in the total project.
However, what happens in the event of a data breach? No servers go down, business operations are not interrupted, yet stocks tank and bottom lines are slashed. This is the power of reputational risk and financial risk, the business impact of a cyber attack, and why risk quantification and risk project management in the digital age is so difficult. It has fallen on the information security organization to define the risk scenarios associated with a company when customers lose faith in a company’s ability to protect its information.
Cyber Risk Models For Information Security
While the need for concrete risk quantification has emerged, the landscape of risk assessment frameworks to quantify enterprise risk is still fragmented. It should be noted here that, especially today, CISOs and information security teams need to prioritize meaningful measurements over complexity or perceived value when it comes to a cyber risk management program. We’ll take a look at the most popular frameworks to date for quantifying cyber risks:
NIST SP 800-30: Originally published in 2002 and updated in 2012, NIST Special Publication 800-30 or NIST Risk Management Framework is built alongside the gold-standard NIST Cybersecurity Framework to view an organization's cyber threats through a risk-based lens. The limitation of the NIST RMF is the revision process - the revised version published in 2012 is designed for a risk assessment process. While that lends itself to risk quantification, it does not directly determine the probability of risk exposure in a fully objective manner.
FAIR Model: Factor Analysis of Information Risk (FAIR) Model is touted as “the only international standard quantitative model for cybersecurity and operational risk”. To date, the FAIR Model has been widely debated in the security community for its approach and ability to translate risk calculated into financial terms. With NIST adding FAIR as an informative reference to the wildly popular Cybersecurity Framework, the FAIR model has moved from obscurity to main business practice.
World Economic Forum Cyber Risk Framework and Maturity Model: Originally published in 2015, the WEF framework is similar to the NIST RMF's subjectivity. Where the FAIR model is more data-driven, the WEF framework relies on human decisions to determine risk probability.
Digitization and concern around consumer information and the rise of data breaches and ransomware attacks have shifted information security leaders from the periphery to an integral business function. Information is the new currency, and security leaders need to effectively partner with business executives to mitigate an organization’s cyber risk while empowering, not hindering, business decision-making, growth, and innovation. Cyber risk quantification gives security leaders the means to map risks associated with a strategy to business outcomes and financial impact. We are in a pivotal moment for cybersecurity risk quantification.
As more CEOs become proactive in overseeing their security program, security leaders will need tools to convey that information effectively and integrate all risk data. These tools are already starting to take shape in the form of cyber risk quantification software and tools - the most powerful of which, we would argue, empower teams to apply the cyber risk management framework that delivers the most value to the organization. With a standard set of tools to communicate risk, security and business leaders can adopt a common language to secure their organizations.