Cyber Risk Quantification: A New Way to Understand Security Risks
Digital fraud and cybersecurity risks are always with us, and they’re constantly changing as businesses open new channels and adopt new technologies that criminals work to exploit. Data breaches are an especially thorny problem, with millions of customer records breached every year, and even password managers becoming vulnerable targets. Fraud continues to increase year over year, with identity fraud and fraud-related scams leading to $52 billion in losses in 2021 in the U.S. alone.
Meanwhile, hybrid work policies, automation and IoT implementation, social and metaverse commerce and other trends are adding complexity to the technology and channel attack surface. All of this is happening while companies face a continued shortage of cybersecurity talent and are re-evaluating their spending in light of slowing global economic growth. Security and risk management leaders need to identify the specific risks their companies face and communicate those risks in a way that other stakeholders can understand to justify technology and talent investments.
Cybersecurity Risk by the Numbers
Increasingly, security executives are using cybersecurity risk quantification (CRQ) to understand their holistic risk profile. CRQ can aid in planning security improvements to prevent data breaches, compliance penalties, fraud and lost customer trust. It can also provide the metrics that leaders may need to demonstrate to board members and the C-suite the risks of underinvestment in security.
CRQ is an activity described by Gartner as “any risk assessment that measures risk exposure and expresses it in financial or business-relevant units.” CRQ can be as simple as a scale that ranks the likelihood and potential cost impact of specific risks. It can also be quite complex, with AI-enabled statistical modeling and ongoing risk analysis. Forrester describes the variety of CRQ approaches as “anything from a threat heat map to a 5×5 grid to a list of the latest threats with a flowchart of how the firm is addressing them.” By 2024, 68% of security decision-makers plan to implement CRQ that uses AI and ML.
Regardless of the specific method used, CRQ can help bridge one of the most widespread issues that security leaders face: A lack of C-suite understanding of an organization’s cybersecurity risks and their potential financial consequences. In 2021, just half of IT leaders thought their organizations’ executives “completely understand cybersecurity risks.” By quantifying risk in a way that allows for the creation of benchmarks and KPIs, CRQ can help IT leaders show the value of security investments and present those investments as ways to protect and even drive growth. As Deloitte’s 2023 Global Future of Cyber Survey says, cybersecurity is “becoming an essential part of the framework for delivering business outcomes.”
Understanding Existing Cybersecurity Risk Frameworks
Leaders who want to implement CRQ have a variety of frameworks they can choose from. Factor analysis of information risk (FAIR) is the best-known option, and it expresses risk “in financial terms” to give all stakeholders a common way to understand and talk about risk.
This approach differs from existing qualitative risk management frameworks. The NIST Cybersecurity Framework (CSF) is a federally sponsored rubric for evaluating risk across organizations. Federal agencies are required to assess their cyber risk with this tool, but organizations in other industries have adopted it voluntarily, particularly within critical infrastructure and manufacturing. Other frameworks like those published by ISACA and MITRE can also help with comprehensive risk identification but don’t express it in dollars.
All of these frameworks require lots of data and time to deliver useful results, which can be a daunting prospect for IT leaders whose teams are already stretched thin. The time involved can also undermine the impact of the framework findings because real-time data is the preferred resource for decision-making.
Applying New CRQ Solutions
New CRQ vendors offer a way to gain risk insights faster by automating data collection and analysis. Forrester describes several optimal use cases for CRQ tools, including quantifying existing risk, describing ROI of current security investments, prioritizing risk remediation and building the case for new investment. The analyst firm also describes the CRQ space as emergent and dynamic, with most products “in the prototyping phase.”
Because the space is relatively new and changing quickly, Forrester recommends choosing CRQ solutions that support specific use cases rather than trying to find a one-size-fits-all provider to handle holistic risk quantification. Any proof-of-concept should focus on a single use case in order to prove value related to one decision that needs to be made. From there, it may be possible to expand use cases with the same vendor, run another proof-of-concept with a different vendor, or choose another vendor for a different use case.
Data from each quantitative analysis can be used to establish benchmarks for progress in terms of risk reduction and ROI, so IT can track and report progress. As CRQ solutions become more mature and comprehensive, security leaders will have more options to evaluate and describe risks, make plans to reduce those risks and make the case for investment that protects their organization.