Cyber risk quantification for chaos management

This blog post was authored by Daniel Stone - Director, Security and Privacy on Protiviti's technology insights blog.

The most important use of any risk assessment tool is that it must contribute to better decision making on how to manage individual risks. Whether that means treating and reducing a risk, or accepting that the risk exists, risk management activities must ultimately help management make better decisions. Executives and risk management leaders, though, are increasingly faced with risk decisions for which they have imperfect information, particularly in the form of “black swan” events.

The term “black swan” event was originally coined in Nassim Nicholas Taleb’s book, The Black Swan: The Impact of the Highly Improbable, which set the original criteria for these wildly unpredictable, yet highly impactful, events as:

- it must be surprising and unexpected
- it must have a major impact, and
- with the benefit of hindsight, it can be rationalised as something that should have been obvious.

Cyber Risk Quantification (CRQ), and in particular the Factor Analysis of Information Risk (FAIR) approach, was built as a decision-making framework and can help address the problem of analysing even rare or unexpected cyber risk events. Using CRQ helps us understand and analyse these events by allowing analysts to compare risks more effectively. For additional information on how to leverage FAIR, take a look at some of our earlier Protiviti blogs and whitepapers for examples.

Hunting for the “Black Swan”

According to the Cyentia Institute’s recent IRIS 2022 whitepaper, while the median, inflation-adjusted dollar loss associated with breaches is not significantly changing, the losses associated with the more extreme events have been trending upward over the last several years.
It may be that the increasing interconnectedness of organisations and the criticality of technology to operations have expanded the upper range of loss potential, which in turn increases the potential for “black swan” events.

Recent or potential “Black Swan” events

- The COVID-19 pandemic – While pandemics are a consistent part of human history, the convergence of this virus with rapid technological advances in remote work capabilities, societal attitudes and the continued fallout for markets and the supply chain could certainly qualify.
- Cyber attacks on critical infrastructure – While often conceived of and discussed, we may not yet be able to contemplate the truly system-wide and outsize impact of a cyber attack of this scale. Consider an attack on a major cloud provider that takes down or fundamentally alters the ability of banks or healthcare organisations to continue operations due to systemic reliance on major providers.
- Post-quantum risk – While we know what is likely to occur (thus somewhat disqualifying it as a true “black swan”), at a geopolitical, industry and firm level there is significant uncertainty related to the potential major impacts.

Not all swans are black

While the term “black swan” is used often, a risk management practitioner should differentiate between the truly unexpected and those events that are rare but conceivable (“gray swans”), but must consider both. The below are cyber risks that get a lot of attention (rightfully so) but would more likely be considered “gray swans.”

- Most individual zero-day vulnerabilities, like the 2021 vulnerabilities affecting Log4j. Zero-day vulnerabilities are identified frequently and, while their impacts are significant, they generally have similar impacts and mitigations.
- The ongoing expansion of ransomware threats and ransomware-as-a-service. Ransomware has been around for many years, and the possible impacts were clear. This may be an “elephant in the room” – but not a “black swan.”

Organisations must deal with a flood of new risks, some of which could be considered potential “black swan” events, all the time. Organisations often rely on their risk assessment process to intake and evaluate these scenarios, which could occur on an annual or quarterly basis, or even more frequently depending on the organisation’s culture. When focusing on potentially catastrophic or extreme events, a routine risk analysis process can be adapted as follows:

Understand critical assets

The first step of any risk analysis is to understand the assets of business value and the most probable threats to those assets. When considering business resiliency, organisations need to think bigger than single systems or servers. Organisations need to consider business processes as potential assets as well, such as the “Order to Cash” cycle or the transaction processing capability of a wire transfer system. It is possible to leverage existing ERM, audit or asset management tools to identify the assets of business value critical to the organisation’s strategic objectives.

Focus on probable threats

After identifying key assets, we can complete a FAIR-based analysis of potential loss scenarios against these assets and visualise the scenarios that have a potentially significant average annualised loss. We can see an immediate payoff by strengthening the controls that mitigate these risks or by adopting other risk responses. When focusing only on the most likely risks, though, there could be more impactful risks we are ignoring.

Figure 1 – Viewing “average” loss

Don’t forget the possible

Often in risk management, we come across the question of how to present low frequency, high impact events, like #4 in the above table with a maximum loss of $750M in a single year.
If a $750M loss could result in this organisation going out of business or have wide-reaching organisational impacts, the fact that only a single control is in place to mitigate that risk should be understood. Using a quantified risk register, we can identify these risks as “fragile” – where risk is low only because a single preventive control is mitigating a large potential loss event (see the shattered glass icon). Senior leaders can then make an informed decision as to their comfort with this type of low likelihood, high impact loss event and what additional actions should be taken to address it. If our risk register can’t easily identify high potential risks without adequate controls (see the view in Figure 2 for a resiliency focus), we are missing half the picture.

Figure 2 – Visualising resiliency risks

Limit losses

We’ve all seen some great 2,000-line spreadsheets of different risk issues, but how can we get meaningful results by analysing every issue of which the organisation is aware? A data-driven approach showing what is likely to happen to our critical assets can also help inform us about the worst-case outcomes that could impact those assets. Once we can see individual scoped loss event scenarios, we can start to model alternative scenarios, but how can we bring controls into the model more effectively and make meaningful comparisons between risk treatment options?

How FAIR-CAM works

What had previously been missing from FAIR analysis was a structured way to relate controls (and their effectiveness) to the FAIR model, and ultimately to automate the process. In 2021, the FAIR Controls Analytics Model (FAIR-CAM) was released, which introduced a method for relating controls and control effectiveness to individual FAIR loss scenarios. This model further allows us to visualise where only single controls or only ineffective controls are in place, and it can be easily updated with cyber assessment results to continue surfacing potential resilience risks.
The model allows us to first link controls to each other and then use them as inputs to the estimation of FAIR scenario inputs (such as threat event frequency or vulnerability). See Figure 3 below for an example mapping.

Figure 3 – FAIR-CAM and linkages to threat scenarios and the NIST Cybersecurity Framework (NIST CSF)

How we treat risk

With this model, we can quickly and regularly analyse many scenarios and evaluate risk treatment options. If the goal is to reduce day-to-day risk exposure, we can focus mitigation on scenarios with a high average annualised loss expectancy (ALE). When focused on resiliency, we can focus on the 90th+ percentile ALE or even the maximum ALE (our black and gray “swans”). Visualising this in Figure 4 below, an organisation may initially focus its efforts on addressing risk #1, with a high average ALE of $750K. Compare that to risk #2, which has an average ALE of only $70K because it happens so infrequently, but ultimately has a maximum firm-ending loss potential of $750M (10x that of risk #1) and is identified as “fragile.” From a resiliency perspective, we should focus on reducing this maximum loss when given these two alternatives, which we can visualise better using risk quantification.

Figure 4 – Comparing risk treatment options

Understanding catastrophic risk

When evaluating these risks, organisations need to invest in quantitative risk analysis to truly understand which of their risks are most catastrophic. While this is the goal of many cyber resiliency programs, many use highly qualitative estimates or simplistic tools to describe this risk. Organisations are being asked by regulators to more clearly “show their work,” and a proven, transparent and open-source framework like FAIR and FAIR-CAM can help. Organisations need to proactively identify areas where control gaps or deficiencies are increasing the organisation’s susceptibility to catastrophic losses, which can also be used as an input into their ERM capabilities to better manage risk overall using NIST IR 8286 guidance.
Organisations must anticipate and quickly learn from threat events to improve in the face of potential resiliency threats.
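As an added example (not Protiviti's code, nor a FAIR Institute tool), the "Don't forget the possible" and "How we treat risk" ideas above as a small Monte Carlo risk register: the same two scenarios are ranked by average ALE and by maximum single-year loss, and the rare, single-control scenario is flagged as fragile. The scenario names, frequencies, loss ranges and the $100M tolerance are constructed assumptions, not the figures from the post's tables.

```python
# Added example, not Protiviti's or the FAIR Institute's code; inputs are constructed to mirror the post's risk #1 / #2 contrast.
import math
import random
from dataclasses import dataclass
FIRM_ENDING_LOSS = 100_000_000  # assumed loss tolerance behind the "fragile" flag

@dataclass
class Scenario:
    name: str
    tef: float            # threat event frequency, events per year
    vulnerability: float  # probability a threat event becomes a loss event
    loss_min: float       # per-event loss magnitude: triangular(min, max, mode)
    loss_max: float
    loss_mode: float
    preventive_controls: tuple

def poisson(rng, lam):
    """Knuth's sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(scn, years=20_000, seed=1):
    """Monte Carlo the annual loss of one scenario and summarise it FAIR-style."""
    rng, lef, annual = random.Random(seed), scn.tef * scn.vulnerability, []
    for _ in range(years):
        annual.append(sum(rng.triangular(scn.loss_min, scn.loss_max, scn.loss_mode)
                          for _ in range(poisson(rng, lef))))
    annual.sort()
    return {
        "average": sum(annual) / years,         # average annualised loss (ALE)
        "p90": annual[int(0.9 * (years - 1))],  # 90th percentile annual loss
        "max": annual[-1],                      # worst simulated year
        # fragile: a large potential loss held back by a single preventive control
        "fragile": scn.loss_max >= FIRM_ENDING_LOSS and len(scn.preventive_controls) <= 1,
    }

def rank(results, metric):
    """Scenario names ordered by one metric, highest first."""
    return sorted(results, key=lambda n: results[n][metric], reverse=True)

REGISTER = [  # constructed register: #2 is rare, huge and held by one control
    Scenario("#1 phishing-led account takeover", 10, 0.5,
             50_000, 300_000, 100_000, ("mail filtering", "MFA", "awareness")),
    Scenario("#2 ransomware on core transaction system", 0.01, 0.1,
             50_000_000, 750_000_000, 100_000_000, ("offline backups",)),
]
RESULTS = {s.name: simulate(s) for s in REGISTER}
```

Ranking RESULTS by "average" puts #1 first while ranking by "max" puts #2 first, and #2's 90th percentile annual loss is zero because it almost never fires, which is exactly why an average-only view hides the fragile scenario.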