Cyber risk is a business risk estimated to cost between $600B and $1000 Billion per year - Source Lloyds of London -. Companies are spending increasing amounts on cyber security solutions: between 5% and 15% of their IT budget or between $1,900 and $4,300 per employee. The global spend on Cyber Security is estimated to be $125 billion in 2021.
Decision making in business
All enterprise functions make decisions based on financial forecasts and measure their past performance with financial metrics. Paradoxically cyber security is not typically viewed from a finance perspective. Cyber risk is either not measured at all, or typically measured with subjective qualitative methods which are not effective in prioritizing risk reduction initiatives.
Organisations do not know how much cyber risk they face and have difficulty communicating about risk across business and IT stakeholders
Investment decisions in IT security solutions are made without understanding how much a proposed solution will reduce risk in monetary terms.
Organisations struggle to demonstrate a consistent, repeatable, metrics-driven decision-making process when regulators are increasingly requiring this level of rigor.
Quantifying Cyber Risk with the FAIR standard
Our Cyber Risk Quantification solutions are built using the Open FAIR Standard. FAIR (Factor Analysis of Information Risk) is the industry standard quantitative model for information security and operational risk. FAIR is an Open Group Standard and is promoted by the FAIR Institute which was more than 10,000 members globally representing 40% of fortune 1000 organizations. The adoption of FAIR for cyber risk quantification has been recommended as best practice by NIST, ISACA, COSO, CIS20, Gartner, and other standards bodies, professional organisations and recognised industry research analysts.
Using the FAIR framework we can calculate your cyber risk exposure in monetary values - Euros, Dollars or Pounds.
The output of a FAIR analysis measures an organisation's risk exposure expressed in financial terms (€, $ etc..) for a clearly defined scenario or aggregation of scenarios. Our solutions will provide you the range of probable losses for a given cyber risk scenario.
Our model is flexible and can illustrate your average risk exposure in a 12
month period or the probability of different financial losses. This level of accuracy is far more useful than traditional heat maps (red, amber, green) or ordinal scales.
The FAIR Standard enables the utilisation of uncertain information via estimated data ranges and corresponding levels of confidence. Loss event frequency, control capability and loss magnitude (impact in financial terms) are modelled and decomposed into variables which can be estimated as ranges (not discrete values) with a minimum, a maximum and a most likely value.
FAIR then makes use of Monte-Carlo statistical models to simulate thousands of scenarios with values from the estimated ranges and produce a probability distribution of potential losses.
The use of Monte-Carlo simulation and quantification of risk using a VaR model is standard practise in the world of finance and banking. Our solutions apply this approach to Cyber risk.
Our solutions are built on the C-Risk knowledge library of quantifiable risk scenarios and corresponding data sets. This allows us to quickly perform a risk assessment without taking up too much of your organizations valuable time.
Our typical analysis starts with interviews to understand your business value chain and supporting IT assets (the crown jewels). We gather business metrics (revenue, number of employees, of clients, etc..) as well your security controls maturity. We then define the risk scenarios to be quantified.
We estimate the frequency and magnitude of the identified scenarios using the information collected combined with our own data sets. The entire process can be completed within a few days thanks to our streamlined methodology.
We can quantify your total cyber risk exposure by aggregating scenarios. Scenarios are typically defined by IT asset, per BU, per type of threat, and impact (C-I-A).
Analysis deliverables include :
Our Quantified risk assessments are fixed cost and priced per risk scenario, starting at €5,000 euros.
The risk assessment report informs strategic and tactical decisions in a metric-driven, defendable, and repeatable manner. All stakeholders understand the financial exposure, and what controls can best manage the risk scenarios in line with the organization’s appetite and tolerance levels.
Common use cases for our Cyber Risk Quantification Assessments are :
Cyber risk is business risk and all stakeholders should understand the financial impact to the organisation in plain non-technical business language.
Accurately identify and measure cyber risk scenarios in financial terms to improve information security investment decisions.
Using what-if risk scenario analysis, choose the security control solution resulting in greatest risk reduction measured in financial terms. The results might surprise you!
Identify, measure and communicate 3rd party cyber risk exposure from a technical, compliance and financial perspective.
Which cyber risk scenarios should be transferred to an insurance policy? What level of coverage is cost effective and what exclusion clauses are acceptable.
Demonstrate to regulators a consistent, metrics driven, and defendable decision-making process for risk scenario analysis and mitigation choices.
If you want to understand how to easily quantify your cyber risk to improve the cyber security governance and resilience for your organization schedule a 30min executive brief with one of our experts.
Discover all of our solutions