The Beginner's Guide To Cyber Risk Quantification For CISOs & Cyber Pros In Any Size Business
Information is the most valuable resource nowadays, so information theft is on the rise. A successful cyber attack directly impacts business performance and shareholder value.
The data CISOs gather and analyse must provide value and utility to decision-makers within the organisation. Bridging that gap is a top priority, and cyber risk quantification is the way to do it.
- What is cyber risk quantification?
- Why should a CISO quantify cyber threats?
- What’s the difference between cyber risk assessment and quantification?
- Why should you show cyber risk in financial terms?
- How can cyber risk be quantified?
- The Boardish Cyber Risk Quantification Framework
- Information security risk quantification – is there a difference?
- How do you determine cyber risk?
- What do you do AFTER you’ve quantified cyber risk?
- How can cyber risk quantification help you show ROI?
- Cyber risk tools: Now CISOs can quantify risk themselves
- Free cyber risk quantification
What is Cyber Risk Quantification?
Cyber risk quantification, in really basic terms, involves analysing previously identified cyber risks and assigning a figure to each of them in order to make decision-making easier. It puts the intangible nature of ‘risk’ into tangible business contexts and financials, helping decision-makers make sense of the various risk factors so they can prioritise and mitigate them for the business.
Cybersecurity risk quantification is based on various mathematical and statistical modelling techniques, many of which are similar to techniques used to calculate financial risk. There are various approaches and models used (which we will look at further below.)
The ultimate goal of quantitative risk analysis is to present the risk data accurately and help businesses make informed decisions regarding investments and risk mitigation.
One point to note is that calculating probability doesn’t necessarily help you when quantifying (we talk about this in much more detail in our article HERE on why ‘probability’ is a huge landmine in risk quantification). The gist is that by relying on probability you’re more likely to be wrong, a lot of the time, than you are if you’re looking at solution effectiveness.
We’ll talk more about this and the Boardish methodology later in the guide (HERE if you want to jump ahead.)
Why should a CISO quantify cyber threats?
There is commonly a gap between the role of the CISO and decision-makers. A CISO must work within the technical realm to create strategy, align with IT managers, CTOs, CIOs, and specialists, but also within the business realm to make decisions that protect business interests and get IT budgets.
The board and decision-makers tend to be focused on questions such as how much they should spend and whether they are compliant or not. So a CISO needs to be able to translate the technical side of cyber security and information security into this financial language.
It’s a complex and often conflicting role, which is why risk quantification is such a good idea.
Quantifying cyber threats and solutions will help build the business context and guide the board’s focus towards outcomes instead of cutting corners. This brings about a host of benefits:
- They focus not on how the organisation is protected, but on how well it is protected.
- They have more insight into cybersecurity matters and can understand the presented findings of the report much better.
- Decision-making is improved now that the board can make informed decisions FASTER.
- IT expenditure is communicated better.
- You can show the ROI of your proposed solutions immediately.
What's the difference between cyber risk assessment and quantification?
Cyber risk assessment involves determining the risks pertaining to the business and identifying them, while cyber risk quantification builds a business context around those identified risks.
This transforms the risks from being intangible entities into specific data sets that show business outcomes in case of security events – something the board can work with and base their decisions on.
From a CISO perspective, a risk assessment is necessary for identifying threats to the business, and you’ll use it within your internal teams. Quantification is what you use for decision-making: figuring out solution COST-effectiveness, ROI, and risk exposure/mitigation.
Why should you show cyber risk in financial terms?
Because the bottom line – impact on business – is the most important aspect for board members. Where you as a CISO see risk as an issue, the decision-maker will look at the same risk from the financial perspective and factor the financial viability of your solution into it.
For them, it is not feasible to spend thousands on mitigating a risk that you have detected and on being 100% risk-proof if doing so will drive the company into bankruptcy. Besides, nothing can be 100% risk-proof, but the impact can be mitigated greatly.
It’s all about finding that perfect balance between the costs of running a business and the costs of protecting it. Distilling cyber risk into financial figures helps it take its rightful place among all other necessary business functions.
Take marketing as a good example of this. Conversion in marketing is a blanket term that covers many different actions: from newsletter signups, to gaining new followers on social media profiles, to getting new clients. Each of these is a conversion, but each has its own specific value. How much a newsletter signup is worth differs greatly from the worth of a new client, and this worth is also different for each company.
The same should be true for cybersecurity. The need to quantify is there, but it’s been really difficult up until now.
How can cyber risk be quantified?
As we already mentioned, there are a few cyber risk quantification models available including:
- Manual mathematical quantification
- FAIR
- The Boardish methodology
You may have also heard of Octave and NIST but both of these are risk ASSESSMENT models, not QUANTIFICATION.
Each of the above-mentioned models has its strong suits and weaknesses, so let’s go over them, and their pros and cons, in more detail now.
Manual Mathematical modelling for quantification
There are ways to quantify manually and mathematically, which involve performing tests and creating cyber confidence percentage scores, but this is incredibly complex and not something we’re going to go into in depth here.
Risk Quantification Frameworks
The Factor Analysis of Information Risk (FAIR) Framework
The FAIR framework is based on the concept that risk is uncertain, and businesses should instead focus on the probability of cybersecurity events.
FAIR Pros: It’s an in-depth model that includes their very own risk taxonomy and technical standards. Its probability-based approach can be applied to any type of asset your business works with.
FAIR Cons: The framework can be very confusing to new and seasoned CISOs as it’s extremely complex and hard to use without any automation solutions, or when trying to use it without help.
But the main issue is that it’s based on ‘probability’ – and the way this is worked out is automated and calculated with their proprietary algorithms based on the data collected. The experiences and expertise of the IT team or CISO don’t play a role at all in this framework.
The Boardish Cyber Risk Quantification Framework
Boardish is a tool that enables CISOs and other IT and cyber professionals to quantify cyber risk into financial figures. You input the necessary data about your organisation, such as turnover, number of users by impact, average salaries, and recovery time, and get a detailed overview of the impact of various threats both without solutions and with solutions in place.
Boardish uses a unique Threat Protection Factor (TPF) methodology, which focuses on the efficiency of the solution and performs cyber risk translation into financial figures based on how well a specific solution mitigates an identified threat.
Boardish Pros: The CISO’s experience and knowledge of business operations, and the team’s expertise in dealing with company-specific threats, can be used in the calculation. This means the figure is specific to the organisation and its posture, and based on real company figures.
There’s no guesswork. You can test its efficiency by inputting assets and risks for a cybersecurity event that already happened and then compare the result to real-world results and manually adjust the solution efficiency to get the same numbers.
It’s fully compatible with the NIST risk assessment framework, meaning you can have full threat identification and detection functionality, as well as quantification.
It’s also much simpler to use, as a readily available SaaS tool that doesn’t have to connect to your business systems, so it gives you a snapshot of the present. Perfect for regular IT budgeting.
Boardish Cons: As a quantification and budget communication tool, Boardish only covers the final step of the risk assessment process, where you need to translate your risk assessment for the board or do your own calculations. The dashboard uses visuals and filters to help lay out the risks and communicate with decision-makers.
The risk assessment part needs to be covered with another framework (we recommend NIST).
The National Institute of Standards and Technology (NIST) Cybersecurity Framework
The NIST framework is a guide on assessing and improving the ability to detect, prevent, and respond to various cybersecurity events. It is a result of extensive collaboration within the security industry, and its main purpose is to assess cybersecurity risks by getting a clear view of the current cybersecurity strategy and detecting weak points and areas for improvement.
NIST Pros: It’s detailed and provides implementation tiers that help businesses get from a reactive and unstructured response to cyber threats to a fully proactive approach. The framework’s profile enables your business to see how far off your current strategy is from your ideal cybersecurity strategy and position.
NIST Cons: It doesn’t provide a way to quantify the risks; it only gives you a way to assess risk and your whole cybersecurity strategy.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework
OCTAVE enables you to identify and manage cybersecurity risks, but it’s focused more on the operational and information technology aspect than on cyber security as its main focus. With it, you can identify which data and information are crucial to your business, the threats to that information, and the vulnerabilities that can lead to exposing the information to those threats.
OCTAVE Pros: It’s focused on operational risk and security practices, not technology solutions, to help businesses do a security risk assessment and create unique risk profiles for each asset that they have identified.
OCTAVE Cons: It’s a fairly old risk assessment model which isn’t specifically focused on the cyber security risks of today. For example, its three main focuses (the organisational view, the technological view, and risk analysis) are a lot more high-level than an in-depth framework like NIST. Plus, again, it doesn’t have quantification and can leave gaps that you don’t get with NIST.
Information security risk quantification – is there a difference?
Information security is all about protecting the integrity, confidentiality, and availability of information that you work with on a daily basis. While most of this information is in digital form nowadays, information security also covers physical documentation too.
Cybersecurity, however, is about information and data in electronic form and deals with securing it from cyber attacks.
While there is no difference in how you quantify information security and cyber security risk, with information security you will be dealing with an additional physical safety component, such as protecting information from theft and protecting the buildings where the information/data resides. This adds further risk factors, such as natural disasters (floods, earthquakes, etc.), that can destroy and compromise information too.
How do you determine cyber risk?
The process of determining cyber risk requires you to have experience with risk assessment – both methodologies and frameworks – but it’s a joint effort where a CISO should talk with their team members about the possible risk factors pertaining to the company.
The team’s input is an invaluable resource, as they are often your feet on the ground, dealing with cybersecurity events regularly and knowing the current cybersecurity stance and vulnerabilities.
In addition, working together with other departments makes the process of cyber risk assessment and quantification more accurate for your specific business, as each department has valuable information that’s needed in the quantification phase.
As we mentioned before, it’s a balance between business function and protecting the business, so you might find one department is more vulnerable than others. For example, the HR department could create a higher risk to the organisation because of the sensitive data it handles, which increases the risk of GDPR fines. Of course, there are risk assessment tools you can use to make this process easier too.
What do you do AFTER you've quantified cyber risk?
Once you’re done with quantifying cyber risk, the next step is to take those financial figures to the decision-maker.
As a cybersecurity risk quantification AND IT budget communication tool, Boardish will allow you to inform them about your planned IT budget, risk mitigation, and leftover exposure.
Your IT and cyber budget is not the only one that needs investments and funding, so instead of competing with other functions, work with all of them so you can prioritise risks on a company level together, and see which ones need a solution immediately, and where you can tolerate exposure and for how long.
Don’t forget, decision-makers may decide against your proposals, and it’s their responsibility to accept the liability of the risk.
How can cyber risk quantification help you show ROI?
The main issue with getting approval for your IT and cyber budgets is that there isn’t an easy way to show ROI when you’re dealing with intangible terms such as low risk or high risk. When CISOs try to “sell” their solutions based on probability with no hard numbers, it won’t go well since the board won’t have an actionable report with figures.
But with an IT budgeting tool like Boardish, it becomes really simple to show ROI. In cyber risk quantification terms, ROI is all about risk mitigation.
ROI = How much risk the solution is protecting you from vs. How much the solution costs
CISOs should aim to show that, over the long term, the cost of the risk being mitigated outweighs the cost of the solution. If it does, the ROI is good. For example, if the cost of the solution is around 1% of the risk that is mitigated, that’s a pretty good ROI.
Now you can show them the cost-benefit report they are used to seeing for every other business function.
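As an added illustration (this is not Boardish’s code or its TPF calculation, and all figures are constructed), the following Python model takes a threat’s modelled impact without a solution and each candidate solution’s cost and assumed effectiveness, then works out mitigated risk, residual exposure, the ROI ratio from the formula above, the solution cost as a share of mitigated risk, and the calibration check against a past incident described earlier in the guide. The threshold of 10x protection per unit of cost is an assumption for the sample, not a figure from the page.

```python
from dataclasses import dataclass

@dataclass
class Solution:
    name: str
    annual_cost: float    # what the solution costs per year
    effectiveness: float  # fraction of the threat's impact it mitigates, 0 to 1 (assumed input)

def mitigated_risk(impact: float, effectiveness: float) -> float:
    """Financial impact the solution protects the business from."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return impact * effectiveness

def residual_exposure(impact: float, effectiveness: float) -> float:
    """What is left for decision-makers to accept once the solution is in place."""
    return impact - mitigated_risk(impact, effectiveness)

def roi_ratio(impact: float, sol: Solution) -> float:
    """Risk protected from, divided by solution cost; above 1 means protection outweighs cost."""
    if sol.annual_cost <= 0:
        raise ValueError("solution cost must be positive")
    return mitigated_risk(impact, sol.effectiveness) / sol.annual_cost

def cost_share_percent(impact: float, sol: Solution) -> float:
    """Solution cost as a percentage of the risk it mitigates (the '1%' yardstick)."""
    return sol.annual_cost / mitigated_risk(impact, sol.effectiveness) * 100

def calibrate_effectiveness(modelled_impact: float, observed_loss: float) -> float:
    """Back-solve effectiveness from a past incident: loss actually seen with the
    solution in place, against the modelled impact without it."""
    return max(0.0, min(1.0, 1 - observed_loss / modelled_impact))

def prioritise(impact: float, solutions: list, min_ratio: float = 10.0) -> list:
    """Rank solutions by ROI ratio and flag those clearing the threshold."""
    ranked = sorted(solutions, key=lambda s: roi_ratio(impact, s), reverse=True)
    return [(s.name, round(roi_ratio(impact, s), 1), roi_ratio(impact, s) >= min_ratio)
            for s in ranked]

# Constructed sample: one threat modelled at 2,000,000 (org currency) with no solution in place.
IMPACT = 2_000_000.0
CANDIDATES = [
    Solution("Endpoint detection", annual_cost=20_000, effectiveness=0.90),
    Solution("Immutable backups", annual_cost=50_000, effectiveness=0.60),
    Solution("Awareness training", annual_cost=15_000, effectiveness=0.05),
]

if __name__ == "__main__":
    for name, ratio, ok in prioritise(IMPACT, CANDIDATES):
        print(f"{name}: {ratio}x protection per unit of cost, clears threshold: {ok}")
```

Feeding a real past incident into calibrate_effectiveness and adjusting the assumed effectiveness until the model reproduces the observed loss is the same sanity check the guide recommends before taking figures to the board.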
Cyber risk tools: Now CISOs can quantify risk themselves
So, why isn’t risk quantification a standard part of the CISO job role? The truth is that until now it’s been aimed at enterprises. Previous frameworks and tools were complex and required not just paying for them, but paying for a professional or consultant as well. Quantification has also only recently been expressed in financial figures (money), whereas before it was statistics and colour coding.
The good news is that this is one of the reasons we created Boardish. We’re NOT an enterprise-only solution. It’s an accessible tool that offers every CISO – whether you’re part of a small business or work in an enterprise setting – a simplified way of quantifying your cyber risk.
Free cyber risk quantification
Boardish is completely free to trial, and use for a limited number of calculations! Sign up below and try it for yourself, no credit card required. Or, to see it in action, check out a recent demo: