For security teams, the idea of risk is nothing new - in fact, most security teams work with risk every day. However, the concept of distilling that risk down into numbers, risk quantification, is a hotly debated issue among information and security professionals. In 2018, in their inaugural Integrated Risk Management Magic Quadrant, Gartner listed risk quantification as a critical capability for integrated risk management solutions. Yet the way security teams approach risk quantification varies widely from organization to organization. Here we’ll explore why risk quantification is still so ambiguous for many security teams and why it is critical that the industry embrace it as the next step for future success.
A brief history of risk and risk quantification
The modern concept of risk is directly correlated with uncertainty, and uncertainty is correlated with the availability of information. If an individual makes a decision with 100% certainty (or all possible information), there is no risk. Notice that there is a difference between possible and available information. While individuals work to assemble all available information, it is almost impossible to assemble all possible information before a decision deadline. If we had to know all the possible information to make a decision, we would not be able to get our morning coffee, let alone lead a team.
Risk has been an integral part of business since the modern concept evolved. From contracts in the 16th century to the emergence of lending, business leaders have been taking risks seemingly forever. Until the 17th and 18th centuries, though, the decision to accept or reject that risk was predicated on subjective measures such as personal relationships and word of mouth.
The industry that catalyzed the development of objective risk quantification was, unsurprisingly, insurance. Critical to their business model, insurance companies innovated new ways to calculate the risks associated with individuals and material objects. In the 20th century, governments began to call for increased use of risk quantification: driven by rising tensions following nuclearization and the Cold War, the US government needed the means to make calculated decisions moving forward.
Business risk in the modern age
Business is inherently risky as it is predicated on the fact that businesses that survive are doing something different from their competitors. If someone is doing something never done before, they are taking a risk. Looking at the Ansoff Matrix for new product development, we see that teams of any function must embrace some form of risk.
Risk for information and security professionals
We’ve seen before that risk reduction, the primary objective of security teams, is often at odds with business growth. In fact, Bromium reports that 74% of CISOs see security as the primary hindrance to business growth and innovation. Both security and growth involve taking risk.
It is not the job of the security team to stand in the way of the rest of the organization and be at odds with the CEO. In fact, these businesses are the ones that stagnate. It is also not the job of the CEO to turn a blind eye to the security risks inherent to business growth.
Both the CEO and security leaders need to be effective at relaying the necessary information to each other: the CEO must effectively convey their ideas and strategy, and the security leader must be able to effectively convey the risks associated with that strategy for the CEO to make a well-informed decision about whether to move forward.
The issue is that without an objective means to convey the risks associated with the CEO’s strategy, the CISO cannot hold up their end of the relationship.
Barriers to adoption of risk quantification
If risk quantification is so critical to a CISO, why is it so widely debated? The fact is, information security has never before been so critical to a company’s bottom line. Information is the new currency, and customers’ trust in an organization’s ability to secure their information has a direct impact on the bottom line.
We are in uncharted waters in terms of how to put objective numbers around activities that were previously focused on ensuring that the rest of the organization continued to function.
The MIT CISR breaks the risks managed by information professionals into four categories: agility, accuracy, access, and availability.
Up until the digital revolution, the primary focus of security teams was mostly availability, some access, and pieces of accuracy and agility.
With digitization, that has completely shifted. In fact, the role of the CISO is now more focused on agility - securing the organization as it rapidly adopts new technologies that are not necessarily secure. This change in focus has altered the dynamic and created the need for risk quantification. Unfortunately for those working to define it, the easiest function to quantify is availability - in the case of business continuity, we can look at what happens in the event of a disaster, how long processes stop, and what revenue is lost as a result of that breakdown.
However, what happens in the event of a data breach? No servers go down, business is not interrupted, yet stocks tank and bottom lines are slashed. This is the power of reputational risk and why risk quantification in the digital age is so difficult. It has fallen on the information security community to define the risks a company faces when customers lose faith in its ability to protect their information.
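The availability case described above (how often disruption happens, how long processes stop, what revenue is lost) is the one that lends itself to objective numbers. The following added example, which is not part of the original article, turns those three inputs into an annualized loss distribution rather than a single figure; every input value is a constructed assumption, and the event-frequency and duration distributions (Poisson and triangular) are modelling choices, not anything the article prescribes.

```python
import math
import random

# Constructed inputs (assumptions for illustration, not figures from the article)
REVENUE_PER_HOUR = 25_000.0          # revenue lost per hour of a full outage
OUTAGES_PER_YEAR = 1.5               # mean number of disruptive events per year
OUTAGE_HOURS = (0.5, 48.0, 4.0)      # (min, max, most likely) outage duration in hours


def poisson_sample(rng, lam):
    """Draw the number of outage events in one year (Knuth's algorithm)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def point_estimate():
    """Single-number annualized loss: frequency x mean duration x revenue/hour."""
    low, high, mode = OUTAGE_HOURS
    mean_hours = (low + high + mode) / 3.0      # mean of a triangular distribution
    return OUTAGES_PER_YEAR * mean_hours * REVENUE_PER_HOUR


def simulate_year(rng):
    """Total revenue lost in one simulated year across all outage events."""
    events = poisson_sample(rng, OUTAGES_PER_YEAR)
    low, high, mode = OUTAGE_HOURS
    return sum(rng.triangular(low, high, mode) * REVENUE_PER_HOUR for _ in range(events))


def percentile(sorted_values, p):
    """p-th percentile (0-100) of an ascending list, nearest-rank method."""
    rank = max(0, math.ceil(p / 100.0 * len(sorted_values)) - 1)
    return sorted_values[rank]


def simulate(trials=10_000, seed=1):
    """Monte Carlo summary of annual availability loss over many simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),                 # tail a board member asks about
        "prob_no_loss": sum(1 for x in losses if x == 0.0) / trials,
    }


if __name__ == "__main__":
    print(f"point estimate: {point_estimate():,.0f}")
    print(simulate())
```

The point estimate and the simulated mean agree, but the p95 and the share of loss-free years show why a single number hides most of what a decision maker needs.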
Risk quantification for information security
While the need for concrete risk quantification has emerged, the landscape of frameworks to quantify risk is still fragmented. We’ll take a look at the most popular frameworks to date for risk quantification:
NIST SP 800-30: Originally published in 2002 and updated in 2012, NIST Special Publication 800-30, or NIST Risk Management Framework, is built alongside the gold-standard NIST Cybersecurity Framework as a means to view an organization's security threats through a risk-based lens. The limitation of the NIST RMF is the revision process - the revised version published in 2012 is designed for a risk assessment. While that lends itself to risk quantification, it does not directly determine the probability of risks in a fully objective manner.
FAIR Model: The Factor Analysis of Information Risk (FAIR) Model is touted as “the only international standard quantitative model for cybersecurity and operational risk”. To date, the FAIR Model has been widely debated in the security community for its approach and its ability to quantify risk. Recently, the FAIR Model has moved from obscurity to prominence for those reasons.
World Economic Forum Cyber Risk Framework and Maturity Model: Originally published in 2015, the WEF framework bears similarities to the NIST RMF in its subjectivity. Where the FAIR model is more data driven, the WEF framework relies on human judgment to determine the probability of risk.
Digitization and concern around consumer information have shifted information security leaders from the periphery to an integral business function. Information is the new currency, and security leaders need to effectively partner with the CEO in order to mitigate an organization’s risk while empowering, not hindering, business growth and innovation. Risk quantification gives security leaders the means to map risks associated with a strategy to business outcomes as well as dollars and cents. While we are still in the early days of this emerging field, 2019 will be a pivotal year for the field. As more CEOs become proactive in overseeing their security program, security leaders will need a tool to convey that information effectively and integrate all risk data. With a standard set of tools to communicate risk, security and business leaders can adopt a common language to secure their organizations.