<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Risk quantification has bridged the security world to the business world. By quantifying risk, security leaders have been able to frame cybersecurity in a business context and illustrate the impact cyber and business have on each other.

With the FAIR (Factor Analysis of Information Risk) model, cyber risk can be broken down into different factors and assigned a monetary value - giving business units greater insight into existing gaps and the impact of time and money on security investments. Using two main categories, loss event frequency and magnitude, cyber and IT teams can determine the risk of cyber threats and potential financial loss. 

It’s nearly impossible to approach risk quantification with a one size fits all approach. As companies develop their own organizational structures, security programs, and information security management, CyberSaint has incorporated customizable features with the addition of the FAIR model and new updates to its cyber benchmarking functionalities. 

A risk register for cyber security teams can act as a repository for tracking and identifying cybersecurity risks and is a centralized inventory for business units to refer to. Building from the baseline FAIR functionality, security teams can incorporate additional mitigation workflows to improve security measures and monitor security posture. To learn more about these new cyber and IT functionalities, watch our webinar Enabling Risk Register Benchmarking with CyberStrong.

CyberStrong’s FAIR Functionality

In addition to adversarial and non-adversarial risk based on the NIST model, the CyberStrong platform now offers FAIR risk functionalities. For effective risk management and risk identification, security teams can use quantitative methods for more accurate risk analysis and glean insights for greater compliance security and risk treatment. 

“What we've done is we've taken the complexity out of what the FAIR model is asking people to do,” explained Bob Delfin, Senior Sales Engineer at CyberSaint. “What we've done is we've gone to a lot of different entities and gathered that information and made it really easy for the end-users to be able to see and visualize it in our risk register platform.”

At the top level, users can access loss magnitude and frequency data. As the FAIR functionality is used, additional drill-downs will be available. Users can create a risk distribution chart and a loss exceedance curve based on the FAIR approach and Monte Carlo simulations by entering the minimum, maximum, and most likely values of loss magnitude and frequency. These charts are updated in real time as the entered values change according to risk assessments.

Users do not have to use separate spreadsheets for Monte Carlo simulations, ensuring greater consistency with calculations. Monte Carlo functionalities are built into the CyberStrong platform, providing users with ease of use and viewing.

Associating Controls Types

Users can begin to build upon this quantified information by associating controls. Like the NIST functionality, security teams can add control groups, a set of controls that may help mitigate a particular risk, like ransomware. The first associated control group will act as a baseline for the quantified risk. As the enterprise incorporates more controls and control scores, security teams will gain insight into the progress made and how the estimated risk for ransomware changes. 

“Everybody's used to seeing a heatmap red, yellow, green, but now what we're doing is actually letting you visualize it and being able to communicate up to the board and up to the C-levels,” explained Delfin. Moving on from spreadsheets and heatmaps, these new additions include easy-to-understand risk visualizations that help security teams discern where money is being saved or lost and develop financially-informed security and risk strategies.

To create a baseline FAIR functionality, three control types must be associated with the control group - protect, detect, and respond. As each control type is added to a group, users can estimate the impact each control group will have on a particular risk related to ransomware. The loss magnitude and loss frequency functions will continue to update as control groups are updated, giving security teams greater insight into the financial impact of security.

A control type like respond will help security teams assess how prepared an organization is to respond to a malware incident. This control type will assess the associated risks and likelihood of a breach based on how fast the malware can be removed and other response measures. Cybersecurity management plans must protect the enterprise’s entire network, not just against ransomware.

Additional Controls 

“A big thing to think about with protect, detect, and respond is, if protect was 100% effective, you wouldn't need any other controls, right,” said Scott Shidlovsky, Head of Engineering at CyberSaint.

 “Like if nobody is ever going to be able to get through your protection controls and get ransomware on your system, then there's no reason for you to detect it or respond.” 

The three main control types cannot function alone. Additional controls like incident response training or phishing security awareness training will have to be incorporated for a stronger mitigation workflow. These additional controls and Monte Carlo simulations will help security teams paint a picture of what the organization can do amidst a security event. Users will see an updated loss exceedance curve and risk distribution chart with each action and control and develop a baseline set of controls regarding that particular risk.  

Enhanced View of Risk 

Associating controls to a particular risk is the first step to baselining the FAIR functionality. Utilizing the FAIR methodology and a maintained risk register will create a transparent view of risk and cyber security. With quantified visualizations, CISOs and security leaders will be confident to report to the boardroom with accurate insights and informed methods of action in a crisis

To learn more about CyberStrong’s FAIR functionality, please watch our webinar. Contact us to see how CyberStrong can be a risk-registering tool for you. 

You may also like

Conducting Your First Risk ...
on January 30, 2023

As digital adoption across industries increases, companies are facing increasing cybersecurity risks. Regardless of their size, cyber-attacks are a persistent threat that must be ...

Your Guide to Cloud Security ...
on January 26, 2023

Cloud computing refers to the delivery of multiple services via the internet (also known as the “cloud”), including software, databases, servers, storage, intelligence, and ...

Compliance and Regulations for ...
on January 9, 2023

Compliance for many cybersecurity programs has been the cornerstone and the catalyst for why many programs exist in the first place. Since the rise of the information technology ...

Cyber Risk Quantification: Metrics ...
on January 6, 2023

Risk management is the new foundation for an information security program. Risk management, coupled with necessary compliance activities to support ongoing business operations, ...

Padraic O'Reilly
Cybersecurity Maturity Models You ...
on January 27, 2023

Cybercrime has forced businesses worldwide into paying billions of dollars yearly. As more of the population becomes dependent on technology, the fear of cyber attacks continues ...

Top 10 Risks in Cyber Security
on December 23, 2022

Increasing cyber security threats continue creating problems for companies and organizations, obliging them to defend their systems against cyber threats. According to research ...