Risk quantification has bridged the security world to the business world. By quantifying risk, security leaders have been able to frame cybersecurity in a business context and illustrate the impact cyber and business have on each other.
With the FAIR (Factor Analysis of Information Risk) model, cyber risk can be broken down into different factors and assigned a monetary value - giving business units greater insight into existing gaps and the impact of time and money on security investments. Using two main categories, loss event frequency and loss magnitude, cyber and IT teams can determine when a data breach may occur and the associated financial loss.
It’s nearly impossible to approach risk quantification with a one size fits all approach. As companies develop their own organizational structures, security programs, and information security management, CyberSaint has incorporated customizable features with the addition of the FAIR model and new updates to its security risk register.
A risk register for cyber security teams can act as a repository for tracking and identifying cybersecurity risks and is a centralized inventory for business units to refer to. Building from the baseline FAIR functionality, security teams can incorporate additional mitigation workflows to improve associated risk and monitor the risk over time in the risk register. To learn more about these new cyber and IT functionalities, watch our webinar Enabling Risk Register Benchmarking with CyberStrong.
CyberStrong’s FAIR Functionality
In addition to adversarial and non-adversarial risk based on the NIST model, the CyberStrong platform now offers FAIR risk functionalities. For effective risk management and risk identification, security teams can use quantitative methods for more accurate risk analysis and glean insights for greater compliance security and risk treatment.
“What we've done is we've taken the complexity out of what the FAIR model is asking people to do,” explained Bob Delfin, Senior Sales Engineer at CyberSaint. “What we've done is we've gone to a lot of different entities and gathered that information and made it really easy for the end-users to be able to see and visualize it in our risk register platform.”
At the top level, users will have access to loss magnitude and loss frequency data. As the FAIR functionality is used, additional drill downs will be available. By entering the minimum, maximum, and most likely values of loss magnitude and loss frequency users can create two charts - a risk distribution chart and a loss exceedance curve based on the FAIR approach and Monte Carlo simulations. These charts are updated in real-time as the entered values change according to risk assessments.
Users do not have to use separate spreadsheets for Monte Carlo simulations, ensuring greater consistency with calculations. Monte Carlo functionalities are built into the CyberStrong platform providing ease of use and ease of viewing for users.
Associating Controls Types
Users can begin to build upon this quantified information by associating controls. Similar to the NIST functionality, security teams can add control groups which are a set of controls that may help mitigate a particular risk, like ransomware. The first associated control group will act as a baseline for the quantified risk and as the enterprise incorporates more controls and control scores, security teams will gain insight into the progress made and how the estimated risk for ransomware changes.
“Everybody's used to seeing a heatmap red, yellow, green, but now what we're doing is actually letting you visualize it and being able to communicate up to the board and up to the C-levels,” explained Delfin. Moving on from spreadsheets and heatmaps, these new additions include easy-to-understand risk visualizations that help security teams can discern where money is being saved or lost and develop financially-informed security and risk strategies.
To create a baseline FAIR functionality, there are three control types that need to be associated with the control group - protect, detect, and respond. As each control type is added to a group, users can estimate the impact each control group will have on a particular risk as it relates to ransomware. The loss magnitude and loss frequency functions will continue to update as control groups are updated giving security teams greater insight into the financial impact of security.
A control type like respond will help security teams assess how prepared an organization is to respond to a ransomware event. This control type will assess the associated risks and likelihood of a breach based on how fast the malware can be removed and other response measures. Security teams should structure their protection strategies to protect the enterprise’s entire network, not just against ransomware. Protection controls should be used to defend an enterprise in order to lessen the loss frequency.
“A big thing to think about with protect, detect, and respond is, if protect was 100% effective, you wouldn't need any other controls, right,” said Scott Shidlovsky, Head of Engineering at CyberSaint.
“Like if nobody is ever going to be able to get through your protection controls and get ransomware on your system, then there's no reason for you to detect it or respond.”
The three main control types cannot function alone. Additional controls like incident response training or phishing security awareness training will have to be incorporated for a stronger mitigation workflow. These additional controls and Monte Carlo simulations will help security teams paint a picture of what the organization can do amidst a security event. With each action and control, users will see an updated loss exceedance curve and risk distribution chart and develop a baseline set of controls in regard to that particular risk.
Enhanced View of Risk
Associating controls to a particular risk is the first step to baselining the FAIR functionality. Utilizing the FAIR methodology in conjunction with a maintained risk register will create a transparent view of risk and cyber security. With quantified visualizations, CISOs and security leaders will have the confidence to report to the boardroom with accurate insights and informed methods of action in a crisis.