How to Relieve FAIR Fatigue

Published by David White

Decisions around cybersecurity spending are one of the top challenges facing business leaders as cyber-attacks grow in both scale and frequency. Even the best security tools and unlimited funds cannot guarantee protection from hackers, and the need for cyber resilience continues to climb. In the current threat environment, split-second decisions can be the difference between a business surviving and a business shutting down, and many organizations have turned to cyber risk quantification (CRQ) to measure and act within their cyber risk landscape.

As a decision-making aid, CRQ can be a powerful tool for CISOs and execs to translate a wealth of data into financial terms. However, CRQ based on the FAIR (Factor Analysis of Information Risk) method has a history of causing headaches for security professionals because it often leads to excessive implementation times and high project costs. We’ve seen firsthand how the FAIR approach, with its over-emphasis on probabilities, can sometimes, but not always, bog down many CRQ initiatives, giving CRQ itself a bad name. Here, we’ll help you identify whether you’re suffering from “FAIR fatigue” and show how you can oust its negative impacts from your cybersecurity risk management strategy while preserving the many benefits of CRQ.

Reduce uncertainty
Many CRQ vendors prioritize the FAIR approach, but it can get out of hand without appropriate project scoping. In a recent report, “Transform Cyber Risk Management with Cyber Risk Quantification: Board Cyber Fatigue Requires a Fundamental Rethink and Revolution in Cyber Risk Management,” Forrester Research calls out how the FAIR approach can unnecessarily complicate the CRQ process. They note that FAIR is a leading method in the CRQ space, but “it is not the only approach to CRQ.” The value of CRQ is its ability to reduce uncertainty around decisions, but an overreliance on probabilities often yields unusable information. The FAIR methodology is obsessed with fine-grained probability estimation that yields a false sense of certainty.

We will never drive cyber event probability to zero; as long as the probability is non-zero, an organization must endure the impact to survive. At Axio, our CRQ approach focuses on modeling all categories of scenario impact. We supplement that with an uncomplicated method for estimating the core aspects of probability, which is supported by internal and external views of the organization’s cybersecurity posture. This impact-driven approach quickly identifies critical financial risks and adds immediate value by:

  • Demonstrating impact estimations from “zero to sixty” – significant impacts immediately become apparent
  • Applying an iterative process to provide a continuous flow of information without diluting its precision or value
  • Delivering initial estimates that allow users to focus on those large impacts and “not sweat the small stuff”

Optimize resources
Many risk quantification methodologies require a lot of resources (including time, personnel, and money) to operate smoothly. Inefficient use of resources can make your quantification program ineffective and non-viable. For smaller businesses, this can make CRQ untenable altogether. Often, this is the case with asset-focused methods, like FAIR, which quickly become bogged down in the combinatorics of creating separate scenarios for each chain of asset events that can be leveraged to accomplish a cyber risk scenario. As one of our clients said, “We don’t need to build 6 or 8 different models for ransomware based on various asset compromises that could lead to ransomware. We want to understand the potential impact to our business so that we can prioritize our risk management efforts.”

Axio360 CRQ is easy to use and scale because it focuses on cyber risk scenarios that could negatively impact the business instead of the combinatorics of asset-level compromises. Understanding asset vulnerabilities is useful, but our scenario-based CRQ method can help you avoid common pitfalls such as:

  • The substantial amount of work needed just to see initial value/ROI in your CRQ project
  • Promoting unreliable or misleading risk numbers (despite the amount of time and work you’ve put in)
  • Dependence on unavailable information, such as what attackers are doing or what their future attack patterns will be

Understand your advantages
Also in its report, Forrester dubs CRQ the “Rosetta Stone for Security And Business,” a notion we’ve expounded in Getting the Board Game Right, our Board of Directors Guide to Making Informed Cybersecurity Decisions. It’s imperative that board members take an active role and remain informed of security incidents and how they could affect their company’s financial interests. CISOs, as well as non-technical decision-makers, must be able to identify the biggest risks to their business and how they translate into financial terms. Not all risks are created equal, and proper prioritization is integral to success. With this in mind, scenario-based risk assessment has several significant advantages over asset-based risk, including:

  • Considerably shorter time-to-value and less work needed to assign values to all assets in a business value chain
  • Alignment between cyber risk, your unique business objectives, and the value chain
  • A clear process for developing scenarios, which allows for the discovery of threats not previously identified

When done right, Forrester notes, CRQ supports many use cases and delivers actionable results. If you’ve tried CRQ and found it cumbersome, daunting, or an expensive waste of resources, chances are you’ve been ensnared by the constraints of an asset-based-only approach. The new CRQ market provides a practical solution compared to historical/FAIR CRQ. These legacy solutions are outdated and inefficient. Don’t let yourself get bogged down with probabilities. Instead, before you cast CRQ aside altogether, contact our Sales team or sign up for a free demo to learn how you can successfully leverage CRQ using risk scenarios and business impact.