I was introduced to the concept of cyber risk quantification when I first started working with Factor Analysis of Information Risk, or the FAIR model (see a diagram of the model here). With this model, an analyst can estimate cyber risk in financial terms (i.e. dollars and cents). In FAIR-based risk analysis, the measure of risk does not translate into a “score” or “rating” but into a range of monetary losses the organization could face from a given scenario over a given period, usually the following year. In the FAIR definition:
Risk = the probable frequency and probable magnitude of future loss
Risk, at the top level of the model, is made up of two variables: the frequency of loss events and the magnitude of each loss. If we can accurately estimate how many times a loss event will occur and how much we can expect to lose each time, we can derive the level of risk for the analyzed scenario.
The model further decomposes these two factors into sub-components that can be estimated from information gathered from subject matter experts or industry data and then combined into overall estimates of loss event frequency and loss magnitude, the magnitude being expressed in dollars and cents.
Rachel Slabotsky, Director, Professional Services, explains the FAIR model that makes cyber risk quantification on the RiskLens platform accurate, reliable and defensible.
Apply FAIR to a cyber risk scenario
Let’s walk through an example of how a cyber risk scenario can be broken down using FAIR:
Scenario: Analyze the level of risk associated with cybercriminals breaching personally identifiable information (PII) from a ‘crown jewel’ database
The FAIR model helps us break down the question “How much risk do we face in this scenario?” Defining a scenario requires:
- An asset: crown jewel database containing PII
- A threat: cybercriminals
- An effect: loss of confidentiality
Without these three clearly identified components, cyber risk cannot be measured accurately.
In this example, industry data and the best available internal data from subject matter experts were gathered for the model’s threat event frequency and vulnerability factors (the two components of loss event frequency). Data were collected to estimate the minimum, maximum and most likely values and the analyst’s level of confidence in the most likely value (note: only the minimum and maximum values are shown, for illustrative purposes).
Providing a range of inputs allows the analyst to account for uncertainty in the data, which helps address a limitation of traditional heatmaps, where there is a tendency to gravitate towards the worst case because analysts are forced to choose a single value (e.g. red, yellow or green). The resulting loss event frequency values (i.e. the estimated number of times over the next year that cybercriminals successfully breach PII in the crown jewel database) are generated by running a series of Monte Carlo simulations to capture probabilistic results based on the provided data.
The data gathered for the magnitude side of the model are used to determine the amount of monetary loss the organization will directly suffer each time a cybercriminal successfully breaches PII in the crown jewel database (primary loss) and the additional loss due to the reactions of external stakeholders to the breach (secondary loss). Since the reactions of external stakeholders are not guaranteed, the model accounts for this by estimating the probability that the organization will incur additional losses from stakeholders (secondary loss event frequency).
Using the FAIR model, we can take the above estimates for each of the risk factors and derive estimates of annualized loss exposure by running thousands of Monte Carlo simulations on the RiskLens platform. Below is an example of the resulting probabilistic statements of the amount of loss the organization is likely to incur, as illustrated by a loss exceedance curve: for any loss amount on the horizontal axis, the curve gives the probability that losses from this scenario over the next year will equal or exceed that amount. This curve shows us, for example, that it is very likely that the organization will lose $10 million or more because of this scenario over the next year. The chart below shows the results for the 10th and 90th percentile loss exposure, along with the mean (average) and the most likely value.
Analysis results from the RiskLens platform
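The decomposition above (loss event frequency = threat event frequency × vulnerability; loss magnitude = primary loss plus a probability-weighted secondary loss) and the Monte Carlo procedure behind the loss exceedance curve can be reproduced in a few dozen lines. The following Python is an added example written for this page; it is not RiskLens code and not the platform’s engine. Its assumptions: each min / most-likely / max input is sampled from a modified PERT distribution (a common choice for FAIR inputs, with the analyst’s confidence in the most likely value as the PERT lambda), the number of loss events in a simulated year is drawn from a Poisson distribution whose rate is the sampled loss event frequency, and the scenario numbers in `PII_BREACH` are constructed for illustration, not data from the article or from any real assessment.

```python
import math
import random
import statistics
from dataclasses import dataclass

# Added example for this page: a minimal FAIR-style Monte Carlo simulation.
# Not RiskLens code; distribution choices and all scenario numbers are assumptions.


@dataclass(frozen=True)
class Estimate:
    """Min / most-likely / max estimate from a SME or industry data, sampled as a
    modified PERT (a Beta distribution scaled to [low, high]). `confidence` is the
    PERT lambda: the analyst's confidence in `mode`; higher clusters samples around it."""
    low: float
    mode: float
    high: float
    confidence: float = 4.0

    def __post_init__(self):
        if not (self.low <= self.mode <= self.high):
            raise ValueError("need low <= mode <= high")

    def sample(self, rng):
        if self.high == self.low:
            return self.low  # no uncertainty: a point estimate
        span = self.high - self.low
        alpha = 1.0 + self.confidence * (self.mode - self.low) / span
        beta = 1.0 + self.confidence * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    """The FAIR factors for one asset / threat / effect combination."""
    threat_event_frequency: Estimate      # threat events per year
    vulnerability: Estimate               # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate                # dollars per loss event
    secondary_loss_probability: Estimate  # P(external stakeholders react), 0..1
    secondary_loss: Estimate              # dollars per loss event, when they do


def poisson(rate, rng):
    """Knuth's Poisson sampler; adequate for the small annual rates typical of FAIR."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_year(scenario, rng):
    """One trial: total loss in dollars over one simulated year."""
    # Loss event frequency = threat event frequency x vulnerability
    lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
    total = 0.0
    for _ in range(poisson(lef, rng)):
        loss = scenario.primary_loss.sample(rng)
        # Secondary loss happens only with some probability (secondary loss event frequency)
        if rng.random() < scenario.secondary_loss_probability.sample(rng):
            loss += scenario.secondary_loss.sample(rng)
        total += loss
    return total


def run_simulation(scenario, trials=10_000, seed=1):
    """Annualized loss exposure per trial, sorted ascending; a fixed seed makes runs repeatable."""
    rng = random.Random(seed)
    return sorted(simulate_year(scenario, rng) for _ in range(trials))


def summarize(results):
    """Min / 10th percentile / mean / 90th percentile / max, as a FAIR results table reports them."""
    n = len(results)

    def pct(p):
        return results[min(n - 1, int(p * n))]

    return {"min": results[0], "p10": pct(0.10), "mean": statistics.fmean(results),
            "p90": pct(0.90), "max": results[-1]}


def prob_loss_exceeds(results, threshold):
    """One point on the loss exceedance curve: P(annual loss >= threshold)."""
    return sum(1 for r in results if r >= threshold) / len(results)


def loss_exceedance_curve(results, thresholds):
    return [(t, prob_loss_exceeds(results, t)) for t in thresholds]


# Constructed inputs for the "cybercriminals breach PII in the crown jewel DB" scenario.
PII_BREACH = Scenario(
    threat_event_frequency=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(200_000, 1_000_000, 5_000_000),
    secondary_loss_probability=Estimate(0.3, 0.6, 0.9),
    secondary_loss=Estimate(500_000, 3_000_000, 20_000_000),
)

if __name__ == "__main__":
    results = run_simulation(PII_BREACH)
    for name, value in summarize(results).items():
        print(f"{name:>5}: ${value:,.0f}")
    for threshold, p in loss_exceedance_curve(results, [1e6, 5e6, 1e7, 2e7]):
        print(f"P(loss >= ${threshold:,.0f}) = {p:.1%}")
```

Two points worth noticing when you run it: widening any input range (more uncertainty) fattens the tail of the exceedance curve without much moving the most likely value, which is exactly the information a single red/yellow/green rating throws away; and because secondary loss is gated by its own probability, the simulated loss magnitude is bimodal, so the mean and the most likely value can sit far apart and should be reported separately.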
Instead of mental models that vary by analyst, using the FAIR model allows analysts to produce consistent, repeatable results that are defined in business terms. When CISOs/CIOs start speaking the same language as executives, line-of-business leaders, and other stakeholders, they can begin to answer questions such as:
- What are the main cyber risks of the organization and what degree of exposure do they represent?
- Which investments in cyber risk management are the most important?
- Are we investing enough (or too much) in cyber risk management?
- What is the risk-reduction return on investment for any given mitigation?
- What is our exposure to losses relative to our risk appetite?
RiskLens automates quantitative FAIR cyber risk analysis
The RiskLens platform speeds up analysis with these features and functions:
- Guided risk assessment workflow based on FAIR.
- Pre-packaged risk scenarios and benchmark data for quick risk analysis on the most common use cases: reports on top risks, emerging threats, prioritization of security investments, and more.
- Integrated risk quantification engine for Monte Carlo simulations.
- Portfolio management to track and manage risk in almost unlimited variations – by business unit or entire company, geography, revenue stream, type of cyberattack and more, continuously updated.
- Risk reports in easy-to-understand financial terms for non-technical business owners.
Contact us for a demo.
*** This is a syndicated blog post from the Security Bloggers Network, from RiskLens Resources, written by Rachel Slabotsky. Read the original post at: https://www.risklens.com/resource-center/blog/what-is-cyber-risk-the-fair-definition