March 20, 2024
Cyber Risk

Common Misconceptions about Quantitative Cyber Risk Management

Yes, you can find the people and resources – and gain the benefits of CRQ.

By Zoran Todorovic

It goes without saying, cyber risk dominates not only the headlines in the media, but board meeting agendas, risk register discussions and most notably the mindshare of most, if not all, technology executives, especially in an ever-changing regulatory environment.

It's no surprise that running risk assessments is common practice across many organizations, and the first misconception is that their only purpose is to manage hazards. That might be true for many, but risk assessment is also about unlocking hidden opportunities.

Some of these opportunities look like:

  1. Better protection for high value assets
  2. Negotiating cyber insurance coverage from a position of strength
  3. Enabling your non-technical board members to participate in risk treatment decisions

Just the reference to 'quantitative risk management' can evoke a sense of complexity, expense, subject-matter expert effort and more difficulties. This is no longer the case.

The purpose of this blog post is to explore some misconceptions about deploying a quantitative approach to cyber risk management and how we can all get started to leverage some of the opportunities that it can unlock.

Misconception #1: We don’t have the resources to do this

There is no secret here: you do need people.

The good news is, you already have them, but they are probably spending most of their time chasing data for risk assessments, not actually doing risk analysis.

On average, enterprise customers can complete a single risk assessment in 6-8 weeks. Given this timeframe, you cannot run many in parallel, and by the time you have completed the assessment, the information will be out of date.

So how do we put our existing resources to better use?

By using next-generation automation to scale cyber risk assessments, you can repurpose the time it takes to commission a single risk assessment and instead onboard unlimited risk scenarios for an unlimited number of groups, resulting in real-time risk analysis all year round. Too good to be true? See for yourself.

Misconception #2: It takes too much effort and is too time consuming

This is a common response from many cyber risk leaders already challenged by conflicting priorities and compounded by the fact that early adopters of risk quantification methodologies like FAIR discovered that it was very time- and resource-intensive to quantify cyber risk.

To the industry's delight, the creators of FAIR have now removed this barrier to cyber risk quantification and management by enhancing the capability to deliver automated FAIR.

This means that it does not take nearly as much effort and is certainly not as time consuming to scale FAIR across an organization to now leverage:

  1. Consistent risk monitoring with over 100 integrations into tools you already use.
  2. Out-of-the-box risk scenarios to get you started quickly.
  3. Industry data built-in with loss-event probabilities, technique weightings, industry benchmarks, etc.

There is now a solution to the problem for those interested in overcoming the time and effort misconception.

Misconception #3: The board and executives aren’t asking for/couldn’t handle quantitative risk reporting

Boards and business executives, who often have extensive industry expertise, are not necessarily technical. This can be true for pure technology businesses as well.

Our obligation as an industry and community is to give the people who make significant decisions about the future and direction of organizations every day the appropriate data to support those decisions.

Incident counts, vulnerability management statistics, phishing simulation results, or the media making a mockery of the latest ransomware attack on our nearest competitor are not helpful in supporting those decisions.

By contrast, a quantified and objective financial risk for a specific loss event on a high-value asset that the organization cares about is very helpful.

But here’s the clinching argument: every other business or functional unit of the company (Finance, Sales, etc.) reports results in quantitative, financial terms. They would never dream of going into a board meeting to describe their risk level as red, yellow or green based on cyber metrics – yet traffic-light reporting is still common in cybersecurity. Now, it’s true that if your board or management has grown used to traffic lights, you can ease them into quantitative reporting by using colors to express ranges of the underlying numbers (for tips on making the transition, see this blog post: 4 Steps to a Smarter Risk Heat Map).
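To make the two ideas above concrete (a quantified financial risk for one loss event, and colors used only as labels for ranges of the underlying numbers), here is a small added example. It is not code from this post, from SAFE, or from the FAIR standard; it only follows the FAIR shape of risk as loss event frequency combined with loss magnitude. The scenario inputs, the Monte Carlo settings and the color thresholds are all constructed assumptions for illustration.

```python
import math
import random

# Constructed FAIR-style inputs for one hypothetical loss scenario.
# These numbers are illustrative assumptions, not from any data set.
SCENARIO = {
    "name": "Ransomware on customer database (constructed scenario)",
    # Loss Event Frequency in events per year: (minimum, most likely, maximum)
    "lef": (0.1, 0.5, 2.0),
    # Loss Magnitude per event in USD: (minimum, most likely, maximum)
    "lm": (50_000, 400_000, 3_000_000),
}

# Colour bands over annualized loss exposure in USD (assumed thresholds).
# Each entry is the highest value the band covers; the last band is open-ended.
BANDS = [
    (250_000, "green"),
    (1_000_000, "yellow"),
    (math.inf, "red"),
]


def poisson(rng, rate):
    """Draw the number of loss events in one year from Poisson(rate) (Knuth's method)."""
    limit = math.exp(-rate)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_loss(lef, lm, iterations=10_000, seed=1):
    """Monte Carlo over one year: sample a frequency from a triangular range,
    draw how many loss events occur, then add a sampled magnitude per event.
    Returns the sorted list of simulated annual losses, one per iteration."""
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = lef
    lo_m, mode_m, hi_m = lm
    annual = []
    for _ in range(iterations):
        rate = rng.triangular(lo_f, hi_f, mode_f)
        events = poisson(rng, rate)
        annual.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    annual.sort()
    return annual


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(pct / 100 * len(sorted_values)))
    return sorted_values[idx]


def band_for(value):
    """Map a dollar figure to the colour band that contains it."""
    for upper, colour in BANDS:
        if value <= upper:
            return colour
    return BANDS[-1][1]


def summarize(scenario, iterations=10_000, seed=1):
    """Produce the figures a board slide would carry: expected annual loss,
    median and 90th percentile years, worst simulated year, and the colour
    that the expected loss falls into."""
    losses = simulate_annual_loss(scenario["lef"], scenario["lm"], iterations, seed)
    mean = sum(losses) / len(losses)
    return {
        "name": scenario["name"],
        "mean": mean,
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "max": losses[-1],
        "band": band_for(mean),
    }


if __name__ == "__main__":
    s = summarize(SCENARIO)
    print(f"{s['name']}")
    print(f"  expected annual loss: ${s['mean']:,.0f}  ({s['band']})")
    print(f"  median year:          ${s['p50']:,.0f}")
    print(f"  90th percentile year: ${s['p90']:,.0f}")
    print(f"  worst simulated year: ${s['max']:,.0f}")
```

The colour is derived from the number, never the other way round, so a board that still wants a heat map sees the same green/yellow/red labels while the dollar figure behind each cell is available for insurance negotiations or prioritizing controls on the asset. Because roughly half of the simulated years contain no loss event at all under these inputs, the median year is far below the mean; reporting only an average would hide exactly the tail that the 90th percentile and worst-year figures make visible.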

In summary

These misconceptions linger mostly because of a lack of awareness of the recent advances made by a new category, cyber risk quantification and management, which is purpose-built to solve the ever-changing cyber risk problem and enable a safer digital future for all.

A simple call to action can address the misconceptions:

  1. Resources can be supported by automation to deliver significantly more output for the same input. SAFE has built automation for this.
  2. Repurpose your limited effort once to build an ongoing and consistent risk assessment process. SAFE + FAIR have built out-of-the-box risk scenarios to achieve this.
  3. If you think the board and executive team would not appreciate quantitative reporting, put a risk dollar amount in front of them instead of incident count or other cyber-specific metric, and see which one they would prefer. SAFE has built a dynamic dashboard for this.

If you want to take your first step to improving your cyber risk management program, we would be delighted to help. Request a demo!