February 07, 2024
Cyber Risk

5 Steps to Improve the Defensibility of Cyber Risk Reporting

When the board challenges your cybersecurity risk assessment data and methodology - be ready.

By Zoran Todorovic, Regional Sales Director

Our experience shows us that board members and risk executives are using 'defensibility' as an effective lever to improve the quality and context of cyber risk posture reporting they receive to aid in decision making.

The Collins Dictionary set the tone clearly by defining 'defensible' as: an opinion, system, or action that is defensible, is one that people can argue is right or good.

So, what does 'right' and 'good' look like in cyber risk assessment?

To know what makes a cyber risk report more defensible, we need to take a closer look at examples of questions that boards, and risk executives use to test defensibility, such as:

  1. Are we looking at the right type of data?
  2. Do our risk assessments use real time data?
  3. Is the data collection process continuous?
  4. Is the risk assessment methodology consistent among reports?
  5. Is the data represented in a way that is relevant to our business priorities?

These questions cut through the complexity of the cybersecurity landscape and uncover the impact of your top cyber risks on the business. The added upside here is the compounding effect created by combining the right data, in real time, on an ongoing basis, using a consistent method, aligned to business context. This is the essence of cyber risk quantification (CRQ).

Industry analyst Forrester also confirms the notion that “Cyber risk quantification (CRQ) will fundamentally revolutionize the way security leaders engage with boards and executives to discuss cybersecurity”.

At the forefront of this new and emerging category is Safe Security, the AI-driven cyber risk management company bringing together the world's most advanced cyber risk quantification based on Factor Analysis of Information Risk (FAIR™), with the world's most advanced AI-powered automated cyber risk management platform.

So here's how the Safe Security platform uses FAIR to help you get started.

5 Quick Steps to Improve the Defensibility of Your Cyber Risk Reports
  1. Use automation to collect, analyze and represent quickly and continuously.

    Calculating the impact of any type of cyber risk is complex due to such a vast range of contributing factors.

    You will want to understand the cumulative result of control coverage and effectiveness, configuration status, vulnerabilities, prior probabilities, and the list goes on. Automation can do all the heavy lifting.

    Automation helps you speed up the data collection process, allowing for consistent and scientific processing of the data, while dynamically representing the information in way that is useful for various stakeholders.

    So, ditch the manual spreadsheets and endless man hours which only produce inaccurate assumptions anyway and embed automation at the heart of your management program.

    Tip: SAFE Security has the largest API repository in the industry, uses data science to consistently process and data and sets a new benchmark for automation in cyber risk.

  2. Use a standard risk model recognized by the industry for cyber risk assessments (FAIR)

    Factor Analysis of Information Risk has revolutionized the practice of cyber risk analysis and is widely adopted as a gold standard for cyber risk quantification.

    With a community of over 15,000 in the non-profit FAIR Institute representing 50% of Fortune 500 companies and over 10,000+ trained practitioners, FAIR is the leading taxonomy and quantitative risk analysis model for cybersecurity and operational risk that helps cybersecurity, risk management and business executives measure, manage and communicate risk from the business perspective, in financial terms. Safe Security is the Technical Adviser to the FAIR Institute.

    The FAIR quantitative risk analysis model defines risk management as "the combination of personnel, policies, processes and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure."

    Tip: SAFE Security automates FAIR within the platform and all loss frequency and magnitude for risk scenarios is powered exclusively by FAIR.

  3. Conduct risk assessments by business unit or critical apps for more targeted insights and recommendations

    To make cyber risk relevant to business, it needs to be expressed in the language of the business So the first step is defining the asset (application, business unit, specific production site) and the attributes of that specific asset. A risk assessment on the availability of an ecommerce platform prone to DDoS is going to be different from a risk assessment on a data breach for a health insurance company.

    The FAIR methodology is a great place to define the scope of risk assessments which should initially focus on what the company regards as crown jewels. It provides the process for considering a risk scenario: Threat --> Asset --> Impact.

    Tip: SAFE Security builds specific risk scenarios for each business unit or other group in a matter of clicks.

  4. Use common cost drivers across all scenarios to provide a consistent projection of loss magnitude

    The FAIR Materiality Assessment Model (FAIR-MAM™) is a new standard in quantifying loss in financial terms for cyber events. It is an open cybersecurity cost model that any organization can adapt to its own cost structures.

    The Model is a bottom-up and fully-tunable. It is designed to enable Security and Risk leaders to present defensible, company-specific quantified cyber risk to stakeholders, including the C-Suite and Board of Directors.

    The Safe FAIR-MAM Module is based on the Mutually Exclusive and Comprehensively Exhaustive (MECE) principle to enhance clarity and avoid repetition in attack cost calculations. It has multiple cost categories and subcategories to accommodate all types of cyber losses. To keep it simple, it has 10 primary cost modules (Business Interruption, Proprietary Data Loss, etc.) which can be customized, allows you to assess top cyber risk scenarios and is legally defensible to help satisfy regulators.

    Tip: SAFE Security has launched the Industry’s First Implementation of FAIR-MAM.

  5. Use objective risk data to help shape risk transfer strategies.

    It is well known that the cyber underwriting process has been largely unscientific up to this point, but this is rapidly changing.

    A great example: In 2023, Mosaic launched a next generation global primary cybersecurity coverage offering with a pioneering partnership with Safe Security to embed real-time cyber-risk data into its underwriting process.

    The SafeInside Cyber Insurance Assessment is designed to enable enterprise decision-makers to continuously manage their cyber risk exposure and cyber insurance requirements through actionable, financially quantified cyber risk decisions.

    Tip: Mosaic rewards an organization’s investment in security solutions through premium-rate incentives.

Putting It All Together on CRQM

In summary, if you need help with:

  1. Automating cyber risk assessments
  2. Introducing a standard risk taxonomy across the business
  3. Getting visibility into top cyber risks for crown jewels
  4. Understanding the financial impact of your top cyber risks.
  5. Or how to effectively transfer risk to cyber insurance.

Download our Starter Kit to help you "ace your cyber risk reporting for the board."