Request Demo

NIST Risk Management Framework

Risk Quantification: It's Not "What", It's "How"


Many vendors and organizations alike see opportunity in the nebulous realm of risk quantification. As we’ve seen before, risk quantification is nothing new to the world - dating back to sailing ship voyagers, as CyberSaint Chief Product Officer Padraic O’Reilly pointed out, and catalyzed by insurance organizations. Yet quantifying risk in the digital world has proven a unique challenge, for many reasons. As Padraic points out “there simply isn’t enough data.”

While we live in a world more driven by and saturated with data than ever, Padraic and CyberSaint advisor, Raphael Yahalom, note that the type of data is key. For risk quantification, it is a matter of the threats and eventual breaches and what constitutes an event - is a data breach an event? To what extent versus a phishing attack? Determining where each form of cyber attack or event fits on the nefarious spectrum of actions against an organization, as well as mapping these events and controls to business objectives are the questions that actuaries and CISO’s alike are challenged with when distilling cyber operations into risk models.

The highest level function for risk quantification is further bridging the gap between business and technical leaders. Boards of directors and executives are programmed to quantify risk in their sleep, and yet these new digital risks facing them are a completely different embodiment.

A finger in the air is better than a shrug

As O’Reilly points out when it comes to risk - “a finger in the air is better than a shrug.” While we may still be in the infancy of cyber risk quantification, taking proactive steps to attempt to quantify that risk, even if it’s more subjective than not, is better than nothing. Organizations focused on compliance over risk will end up molding their cyber program based on suggestions that don’t align with their business organization and this is where these teams end up causing friction.

Risk-focused thinking inherently reduces friction in that it builds an information security program around the business objectives rather than a set of controls mandated by a governing body unfamiliar with your specific organization. Taking those first steps to quantify the risk associated with your control set is a great place to start. This process doesn’t happen overnight and a more seamless solution starts where your organization is in terms of controls and frameworks and integrating a risk quantification method (be it NIST 800-30 or something like the FAIR model) into that process.

Cyber becomes ubiquitous

One of the great driving forces for both vendors and CISO’s alike to establish best practices for cyber risk quantification is the fact that the lines between digital and physical risk are becoming blurred. As Yahalom stated - “it’s not just that the lines are becoming blurred, cyber is integrating with existing risk models.” In this case, cyber risk is not just a matter for CISO’s, it is paramount for business leaders to have the means to quantify these new forms of risk as moving forward they will have a massive impact on all other risks.

There is no one answer (for now)

Both O’Reilly and Yahalom agreed that where risk quantification stands today, CISO’s need to prioritize seeking out frameworks that are best understood by their organizations - “maybe it’s a three-by-three matrix, or I’ve seen folks come to us wanting to explore FAIR. It’s all about finding the lingua franca that will be best understood by those in your organization.” said O’Reilly.

Given that cyber risk quantification is still in its infancy, CISO’s need to focus on firstly starting to quantify risk with the tools available today. Whether NIST 800-30, FAIR, or a simply three-by-three matrix, starting is the most important step. When selecting a framework to start with, though, it is most important to be able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin documenting risk in the most transparent way possible and continue delivering value to senior level stakeholders.

You may also like

CyberSaint at RSAC 2019
on March 7, 2019

Day two of RSA and booth number 1641 is bustling. In fact, the entire Expo Hall is awash with new product announcements, compelling demos, and striking amounts of swag. The ...

Becoming Better At RSA
on February 28, 2019

Next Monday marks the start of RSA Conference 2019, where a projected 50,000 vendors and practitioners will descend on the Moscone Center in San Francisco. The theme for the ...

Digital Risk Redefines Enterprise ...
on February 26, 2019

For information leaders today, there is increasing interest from non-technical parties - from the legal team to the Board - in the ongoing question “are we secure”. The challenge ...

DFARS Cybersecurity Audits: What ...
on February 21, 2019

It’s getting real – the government is moving from self-reported compliance to external audits of a company’s cybersecurity posture: drilling deep to evaluate that company ...

Risk Quantification: It's Not ...
on February 19, 2019

Many vendors and organizations alike see opportunity in the nebulous realm of risk quantification. As we’ve seen before, risk quantification is nothing new to the world - dating ...

Why GRC Needs IRM
on February 15, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux