Measuring Cyber Risk Quantitatively — Eliminating the Guesswork

Cyber Risk Quantitatively
Measuring Cyber Risk Quantitatively — Eliminating the Guesswork

The Benefits of Leveraging FAIR


The subjectivity of traditional cyber risk assessment processes can generate scores that are sometimes difficult for business owners and managers to accept. Often, the risk scores are subject to wide interpretation, generating more questions than answers: Is my “medium” someone else’s “high” score? Does a high score accurately reflect a lower risk exposure?

Often, the risk scores generated from a traditional cyber risk assessment process is subject to wide intepretation. Analysts typically develop scores using a risk assessment template with predefined risk factors. This one-size-fits-all approach can produce inconsistent results.

Even when the underlying assessment is performed correctly, a low score may not sit well with a business owner or manager who is uneasy with the assessment process. This is especially true with the traditional approach, where analysts develop scores using a risk assessment template with predefined risk factors. This one-size-fits-all approach can produce inconsistent results.

There is a more effective, informative method for analysing cyber risk that exposes specific actionable information about measuring and mitigating risk. Factor Analysis of Information Risk (FAIR) is a sophisticated, sensitive and substantive approach to analysing risk.[1] The end result of FAIR is not a score of high, medium or low but rather a quantifiable measure of the financial effects of unknown cyber risk over time. FAIR can then be used to weigh any cyber risk against an organisation’s risk profile or the variance between its risk appetite and the degree of risk that can be tolerated.[2]

The FAIR approach also considers the impact on additional parties or stakeholders. For example, when used to analyse a cyber breach, FAIR will access not only the direct impact to an organisation but also the trickle-down effect from regulatory fines and potential loss of business due to customer defections. This model aligns with the recent focus on understanding the broader impact of operational disruptions or outages on financial institutions — a concept financial sector regulators have referred to as “impact tolerance.”​

Protiviti is engaged in high-level conversations with numerous organisations about using FAIR to better assess impact tolerance.[3] In this paper, we discuss the use of FAIR for cyber risk analysis. However, FAIR can also be applied to operational and conduct risk analysis. In future papers, we will focus on the use of FAIR in those specific areas.

What is FAIR?

FAIR applies the Monte Carlo statistical analysis method to help businesses measure and manage information risk[4]. The Monte Carlo simulation can respond to questions such as, “How long can the business survive this risk event?” and “If we take a particular risk reduction measure, what risk reduction can we actually achieve?” It is used to analyse highly uncertain data and to understand the impact of risk in a variety of contexts, including financial risk, project risk and others.

The FAIR method of analysing risk has been tested in organisations since 2001[5]. It can be used in con-junction with other risk frameworks such as ISO 31000, COSO, COBIT, and NIST CSF[6]. The Open Group, a global consortium that enables achievement of business objectives through vendor-neutral technology standards[7], has chosen FAIR as the international standard information risk management model for understanding, analysing and quantifying information risk in financial terms.[8]

The following is a summary of the gaps in traditional cyber risk assessments and why a growing community of risk professionals continue to support adoption of FAIR:

  • Many traditional methods prescribe the need to quantify risk but mostly leave it up to practitioners to figure it out. FAIR allows organisations to quantify the cost of service unavailability in probabilistic terms.
  • In the traditional approach, the likelihood and severity of risks are subjectively rated, resulting in loss of actionable information. With FAIR, specific threat scenarios against individual assets, like a malware attack orchestrated by a nation-state intelligence service that results in the theft of customer financial information, can be measured.
  • Traditional cyber risk scoring can create hazards of its own by implying certainty where no certainty exists, and by miscategorising threats. The consistent and logical terms and definitions that make up FAIR’s ontology can significantly improve the quality of risk-related communication within an organisation and between organisations.
  • FAIR is complementary to other risk assessment models or frameworks and can be used to improve the quality of other traditional model results.

Based on FAIR, organisations can take certain business decisions or actions, such as:

  • Quantify the organisation’s resilience for various business services.
  • Select the most effective risk management initiatives based on projections of cyber resilience project outcomes.
  • Validate and demonstrate the effectiveness of cyber resilience measures based on FAIR’s cyberrisk analyses conducted over time.
  • Improve board reporting[9] by quantifying the return on cyber resilience investment.[10]

Deeper Analysis Drives Confidence

When an organisation employs FAIR to quantify cyber risk, there is less room for misinterpretation. As previously mentioned, decision-makers and analysts understand one another better by using probabilistic language and a common taxonomy of risk. Any risk management decision can be challenged and defended in this common language. By decomposing risk into its factors, FAIR provides information to support decisions, and the organisation develops an understanding of how cyber risk management efforts and investments impact its overall risk profile.

Also, with FAIR, an organisation is better positioned to evaluate a variety of possible threats and to calculate the effects of operational resilience measures with greater confidence. For instance, once the organisation uses FAIR to establish its risk tolerance window, it can also use FAIR to evaluate the return on investment for various operational resilience procedures and subsequently prioritise its corrective actions accordingly.

Furthermore, because FAIR involves deeper analysis encompassing more diverse stakeholders, organisations can evaluate loss impacts to a stakeholder group or consider all stakeholders in aggregate to comprehend the total cost of an event. These evaluations help identify stakeholders with the least ability to withstand an event, which enables the organisation to set impact tolerance thresholds with the most vulnerable stakeholders in mind.

Finally, the calculations undertaken in a FAIR cyber risk analysis also support a variety of data visualisation techniques, which can be refined and customised to address an organisation’s reporting needs. Charts that show costs over time help leaders visualise the potential outcomes of their decisions.

Decision-makers and analysts understand one another better by using probabilistic language and a common taxonomy of risk. Any risk management decision can be challenged and defended in this common language. FAIR provides information to support decisions, and allows organisation to develop a better understanding of how cyber risk management efforts and investments impact its overall risk profile.

Sophisticated and Sensitive Cyber Resilience Decisions — A Case Study

A multinational consumer financial services firm wanted to improve its understanding of cyber risks and gain greater insight into how effectively certain mitigations and controls being considered would contribute strengthen cyber resilience.

The firm’s management started by socialising FAIR concepts among the cybersecurity functions and other internal groups to establish a FAIR team. To support its adoption of FAIR, the organisation provided workshops and training for the core team and presentations for other stakeholders.

The FAIR team then held a workshop to assess threats to the organisation’s critical business services. Rather than viewing this exercise system by system, the team broadly examined each business service, carefully weighing impacts to different stakeholder groups, including the system administrator who handled the initial trouble call to the end consumer who was unable to use her debit card. This exercise produced an inventory of threats to analyse. Their scope included systems and services already in place as well as all proposed and in-flight initiatives.

The team then identified all the FAIR loss event scenarios. In FAIR terminology, loss event scenarios are threats against assets of business value, not just IT assets, that could result in losses. Loss-event scenarios could include any event that might interrupt or compromise business services, like natural disasters, cyberattacks, data breaches, and ransomware, among others. The loss event scenarios identified can be used to conduct a deeper analysis.

Next, the team analysed each loss event scenario in greater detail. Decomposing each loss event scenario enabled the team to see how it would impact stakeholders. The FAIR approach to analysing cyber risk provides a standard taxonomy and ontology for risk, which shows relationships between concepts in a branch structure.

The FAIR Risk Ontology — A model of how risk works by describing the factors that make up risk and their relationships to one another. These relationships can then be described mathematically, which allows us to calculate risk from measurements and estimates of those risk factors.

The team found this decomposition to be a useful approach to its analysis because it permitted a more granular understanding of data that could also be aggregated as they saw fit.

The ontology also helped the team evaluate each loss event scenario in multiple dimensions — anticipated frequency of a threat and a service’s vulnerability to that threat, as well as the magnitude of any loss — measured in financial terms. Losses included primary ones directly attributed to each loss event scenario (such as incident response and lost business productivity), as well as secondary losses (e.g., time spent responding to inquiries about the loss event, potential fallout from regulatory response and loss of customers and future business). All losses were quantified as anticipated costs.

FAIR prompted a thorough analysis by disclosing all forms of loss that could result from a loss event scenario, including lost productivity, replacing a system or service, the cost of responding to a loss event, reductions to the organisation’s competitive advantage, damages to the organisation’s reputation, and fines and judgments.

Loss Exceedance Curve — The Monte Carlo simulation can be used to produce loss exceedance curves, which describe the impact and likelihood of a cyber event. Below is an example of a loss exceedance curve.

Now supplied with an understanding of potential losses in terms of financial costs, the team was ready to establish target risk parameters for each service. These parameters were measured in time but translated directly to costs. The team worked with leaders to establish the recovery point objective (RPO) for each service — the acceptable duration of a loss event scenario. They also used FAIR simulations to determine the recovery time objective (RTO) — the duration that each service could remain unavailable before business operations were significantly impaired. They calculated the maximum tolerable period of downtime (MTPOD), after which the organisation’s viability would be threatened to the point of possibly never resuming. The costs associated with the MTPOD were the organisation’s stated loss capacity. This exercise also considered the timing of a loss event scenario; the team acknowledged that costs would be different if the event occurred, for example, on a Sunday morning versus a payday afternoon.

By using FAIR methods, the team completed an analysis that determined whether — and for how long — the losses calculated would be sustainable. The analysis provided answers to these complex questions:

  • How long before unavailability of our consumer debit card services exceeds what we’ve defined as an acceptable loss?
  • If, at 16 hours of downtime, we would have a 20%chance of losing $100 million, would a $15 million cyber resilience initiative be a good investment if it would reduce those losses by half?

The insights the organisation gained stood in stark contrast to the traditional risk assessments that previously had guided its decisions. Now, management had objective numerical data to:

  • Establish the organisation’s risk management priorities
  • Select the most effective cyber resilience-oriented projects
  • Measure projects’ effectiveness post-implementation
  • Report on overall cyber resilience portfolio effectiveness to their executives and board —and to regulators.

“This kind of in-depth analysis is like gold,” said one senior executive at the firm. “The exercise was extremely rigorous, and we stand on firmer ground now that we really know where the threats are and how best to invest our cyber resilience dollars.”

How to Win With FAIR

Quantifying the numerous risks faced by your organisation will help prioritise efforts, support your decision-making and refresh your organisational priorities. Shifting from a controls-focused orientation to a business risk orientation — and optimising cyber resilience frameworks based on FAIR — may demand special effort to spur and strengthen adoption. Organisations contemplating whether to implement FAIR should consider how they would manage a significant change to the well-established risk assessment approach. Conducting training, workshops and presentations for decision-makers, cybersecurity professionals and business stakeholders will support the organisational change required for success with FAIR.

Proper presentation of results is another important aspect of the overall FAIR cyber risk analysis process. Firms will have the opportunity to replace legacy PowerPoint decks and spreadsheets with interactive, data-driven reports and dashboards. Larger organisations with a higher degree of complexity should consider specialised data marts to collect, process and store relevant metrics for analysis and reporting. The benefit of effective presentation is twofold: It helps everyone in the organisation understand their overall risk profile, and it underscores dramatically the value achieved via an organisation’s investment in FAIR.


Cyber risk is best evaluated through a probabilistic, quantifiable approach like FAIR, which allows organisations to understand potential financial outcomes from rigorously evaluated loss event scenarios. Understanding the point at which a loss event will exceed the organisation’s risk threshold or capacity to sustain those losses would put decision-makers in a better position to make well-informed decisions and make more impactful investments to mitigate cyber risk.


Ready to work with us?