# Opener

Can Cyber Risk Quantification be Automated?

Published by Ryan Subers

Automation is a cybersecurity buzzword for good reason

Automation and Artificial Intelligence have been part of information technology for many years, starting with simple batch scripts kicked off to automate a task in the wee hours of the morning to the more advanced robotic process automation. Ask any CISO what they want in their cybersecurity product, and the term automation tends to be mentioned as a must-have.

No matter what the task, we are continuing to look for more ways to leverage new technologies to take the burden off people. Automation and AI have been applied to many processes quite brilliantly across several areas such as log aggregation and event correlation through Security Information and Event Management (SIEM) and building off that with Security Orchestration, Automation and Response (SOAR) solutions. But there are other instances where these technologies have fallen short of promises, especially as the objectives become more complex. The promise of automating cyber risk quantification (CRQ) is one area falling short due to its complexity.

There are certain things in cyber you may not want to completely automate—like CRQ.

Gartner defines CRQ as “…a method for expressing risk exposure from interconnected digital environments to the organization in business terms. Risk exposure can be expressed in currency, market share, customer and beneficiary engagement, and disruption in products or services over a chosen period. Defensible exposure value ranges are determined using a combination of business logic, mathematical models, loss event history, and current risk assessment.” The definition does not instill great confidence that CRQ is a simple and repeatable process—often a prerequisite for a successful automation outcome.

The vendors touting automating CRQ are only considering certain aspects of a much larger process. Most of these tools claiming to provide an automated solution are simply leveraging security scans paired with basic information and industry trends. This is being advertised as CRQ. But it’s selling the process short and can ultimately lead to unfulfilled promises. Because of the relative nascence of the cyber risk quantification market, the product category is still the Wild Wild West. Everybody wants a piece of the pie, and some have been quick to rebrand a limited approach as a complete solution. There are certain things you can’t easily automate when performing cyber risk quantification.

The automated solutions we shall not name may be missing key information such as:

  • the business use of the assets being scanned
  • what the impact would be if these assets were affected by a cyber event
  • cost of the business interruption
  • the recovery time of the business
  • any potential retainers in place with Forensics, IR, Legal, and PR firms
  • the value of potentially exfiltrated data, and other assets that cannot be scanned

All of the above variables are key inputs needed to fully quantify a potential cyber event. So if anyone says their approach to CRQ is “automated” make sure to do the proper due diligence and understand their methodology.

Automated scans are still very useful but should be used as an input to CRQ as opposed to CRQ on its own. Ultimately, CRQ should not be automated, but be bolstered by automation to collect inputs. The scans should be combined with industry trends, and input from the subject matter resources from cyber, the business, legal, public relations, IT, OT, and potentially others based on the scenario. All these inputs together give an organization a defensible quantified view of its risk exposure.

Forrester recently released their first-ever analysis on the CRQ product category. And Axio was  recognized as a Leader in The Forrester WaveTM: Cyber Risk Quantification, Q3 2023 report.

Download the Forrester Wave Cyber Risk Quantification Report to learn more about Cyber Risk Quantification and Axio’s methodology.

Ryan Subers is a Director within Axio’s Cyber Risk Engineering practice. Ryan has over 15 years of industry and consulting experience with integrated risk management and mitigation, cyber risk quantification, information security assessment, and enterprise architecture. He has performed various IT and Operational Technology risk and security assessments in various organizations including electric power generation and transmission, healthcare, manufacturing, finance, and government. He worked as part of the core project team to update the Department of Energy Cybersecurity Capability Maturity Model(C2M2) for versions 2.0 and 2.1.