Cyber Risk Quantification

A global healthcare organization invests in Protiviti’s expertise to improve compliance program effectiveness hero

Body

A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber-attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized? The answer lies in Cyber Risk Quantification (CRQ).

Cyber risk quantification uses industry leading and highly vetted probabilistic models to more accurately describe the cyber security and technology-based risks facing an organization. Protiviti has been quantifying cyber risk since the beginning. Leveraging Subject Matter Experts (SME), such as business users, asset owners and key technical experts that may not have been previously included in cyber risk assessments; while taking data readily available to these SME’s, we are able to gather data more rapidly and make more accurate measurements for each factor within a given risk.

As a Founding Advisory Partner of the FAIR Institute, and a partner of RiskLens, the leading software as a service based on the FAIR model, the team at Protiviti is comprised of all levels from varying backgrounds, all specializing in quantifying risk. Typical engagements can range from a small scoped engagement, lasting a couple of days, all the way to a full program transformation and even maintenance.

RELATED BLOGS

Panel Discussion on FAIR Methodology Sparks Lively Interest: Key Takeaways

The FAIR methodology has changed the way cyber experts think and speak about risk in a threat environment where they are faced with uncertainty daily. The attendees came together with one common goal – to understand how to better evaluate the cyber risks their organizations are faced with and deliver meaningful and actionable reporting on these risks.

SEC on Cyber Risk Assessments: Show Us the Cost of Your Loss

Last week, an important Securities and Exchange Commission (SEC) Interpretive Guidance, which we analyzed in a Protiviti Flash Report, set the bar for corporate cybersecurity risk assessments. One particular aspect of the new guidance relating to how companies conduct risk assessments and report on cybersecurity risks is the need to understand “the range and magnitude of the financial impacts” of cyber risks and incidents.

Meaningful Cybersecurity Reporting: Measurement That Matters

As cybersecurity concerns grow, leadership is searching for the metrics and insights that matter. At the end of last year, Protiviti sponsored a Cyber Summit in Chicago with speakers from Northwestern Mutual, First Midwest Bank, Zebra Technologies, and ParkerGale Companies. We were also joined by Doug Hubbard, author of How to Measure Anything in Cybersecurity Risk. The talks centered on how cybersecurity metrics can be used to communicate effectively with the board.

Cyber Risk Quantification – Takeaways From the FAIR Conference

Protiviti was once again a sponsor of the 2019 FAIR Conference, hosted by the FAIR Institute, which took place on September 24-25 in National Harbor, MD. Protiviti cyber risk quantification experts Andrew Retrum and Vince Dasta were at the conference to meet with other FAIR experts and answer questions from attendees.

Cyber Risk Assessment: Moving Past the “Heat Map Trap”

Given the limits on time, attention and resources with which every cyber team must contend, risk assessment plays a critical role in helping set priorities and decide between options. Having a rigorous and accurate risk assessment process goes a long way in determining an organization’s cybersecurity performance.

Why is this important

Leveraging quantitative modeling empowers an organization to fully understand the risks they are faced with in business terms. This allows for budgetary justification, re-prioritization and full delivery and support at the highest levels. Implementing a Quantitative Risk Management Program doesn’t need to be a long, tedious or heavy obstacle before truly gaining useful results. Components of a program can be implemented at various stages to make the most impact for each organization. Common projects to accomplish before completing a program transformation are:

Top Risks Identification: Top cybersecurity risk scenarios are identified through an interview and data gathering process to conduct a specialized rapid assessment of each risk scenario. Aggregating contributions from security tools and teams along with key business leaders and stakeholders allows for quantification of top risks in business terms.

Tactical Risk Quantification: Tactical analyses can be done to identify risk exposure to a given scenario or multiple associated with a given asset. Objectives such as ROI or risk tolerance levels can be achieved, especially when conducted in parallel with the broader program initiative. Once these are identified, a thorough analysis is completed, leveraging data as well as SMEs and business leaders.

Risk Aggregation and Trending: Aggregation can be used to identify systemic risk exposure around any number of scenarios (i.e. assets, control changes or initiatives that may change the risk exposure, departments, programs, or even an organization as a whole). Trend reporting can be done any time to show the change in loss exposure over time allowing organizations to show risk reduction ROI.

Program Advisory: The key to a successful risk quantification program is scale and sustainability. Protiviti can help with all aspects of a risk quantification program from defining initial program goals, socialization and training to operationalizing risk quantification within your organization by identifying use cases and implementation of changes across the organization to derive value from this new capability.