Performing a cyber risk assessment can sound deceptively simple. You typically aim to achieve the following – identify the bad things that can go wrong, identify the outcome to the business if these bad things happen, and estimate how likely it is for the bad things to happen. Knowing what can go wrong and how likely it is lets you make an informed decision about what to do, and which bad things to deal with first.
Cyber Risk Quantification (CRQ) can be seen as a new buzzword in cyber security and is sometimes met with cynicism. However, it is not intended to be a silver bullet able to solve all risk assessment problems!
In this blog post I’m going to discuss both the advantages of CRQ and its limitations. There are some risk assessment use cases where a qualitative approach is likely still adequate (or at least not the first place to start trying CRQ); I'll walk through some examples. The post also gives suggestions as to where CRQ can be introduced by a company alongside an existing qualitative risk assessment framework, without disrupting the overall framework.
Key Messages:
- Cyber Risk Quantification can deliver significant benefits over traditional qualitative risk assessment approaches; however some risk assessment use cases are a better fit for CRQ than others.
- Qualitative and quantitative cyber risk assessment methods both have advantages and disadvantages. Broadly, qualitative approaches are simpler, but are difficult to use for strategic decision making, while quantitative approaches give results best suited to top management and board-level discussions at the cost of more time for analysis.
- This blog post details the risk assessment use cases where quantitative methods give significant advantages, but also recognises the use cases where a qualitative approach can remain adequate.
- This post can be used by cyber security professionals wanting to explore where CRQ can be introduced by a company alongside an existing qualitative risk assessment framework, without disrupting the overall framework.
Risk Assessments in the Past: simple to use, but with limited value
The starting point for cyber risk assessment is usually a “Qualitative” cyber risk assessment approach. This approach classifies risks with relative levels for impact and likelihood, for example High/Medium/Low, or Red/Amber/Green. Assessment of risks using a Qualitative approach is usually based on subject-matter judgement of these categories rather than calculations.
Qualitative approaches for cyber risk assessment have been used for many years, as they are simple to set up and explain, cheap to implement (typically in a simple spreadsheet), and provide a view of risks that enables decision makers to identify priorities.
However, there are two significant limitations to such a basic Qualitative approach:
- Inconsistent: differing stakeholders may interpret high, medium and low differently, meaning that different people rate the same risk differently.
- Imprecise: it is not always clear what “high” impact or a “red” risk means in business terms.
Over time, practitioners have taken steps to address these limitations, while keeping the benefits of Qualitative approaches.
Risk Assessments Today: Consistent Execution, but still Room for Improvement
The basic Qualitative approach can be enhanced by assigning ranges to the different categories. This is sometimes called a “semi-quantitative” approach. For example, you could say that a low impact corresponds to less than $100k, medium to less than $1m and high impact to more than $1m. Risk assessors can then make consistent estimates by referencing these impact levels. Similar references can be defined for the likelihood of occurrence (e.g. low likelihood corresponds to an event that happens less than once a year, medium to one time per year, high to multiple times per year).
These reference tables also make it easier for risk assessors to be more objective in their risk assessments – evidence can be provided to show that an incident may cost a certain amount, or the frequency of incidents can be estimated from historic data. This isn’t foolproof though; there might be scant data to base the analysis on. While these semi-quantitative approaches are a big step forward to consistent and data-backed risk assessments, there are still weaknesses:
- Ranges hide specifics: comparing two risks in the same category can be difficult. From our example above, the impact of one high impact risk could be $1.5m, and a second could be $500m, but they are both rated the same.
- Challenging for strategic decision making: while risks can be compared and prioritized, it is difficult to strategically steer investment into mitigation and risk monitoring. Defining risk tolerance in terms of “number of red risks” or similar offers limited guidance for a board to oversee (how many red risks should we tolerate?!), and for a CISO to make a case for investment. At the strategic level, reporting risks in financial terms is critical.
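The following is an added example (not code from the original post) that encodes the semi-quantitative reference table described above in Python, using the post's impact thresholds ($100k and $1m), and shows how two "high impact" risks of $1.5m and $500m collapse into the same band while their expected annual losses differ by orders of magnitude. Treating "multiple times per year" as two or more events, and the three sample risks with their frequencies, are assumptions made for this example.

```python
# Semi-quantitative rating: map financial impact and annual frequency onto the
# Low / Medium / High bands from the post, then compare the ranking a heat map
# produces with the ranking the underlying numbers would give.

# Impact thresholds from the post: low < $100k, medium < $1m, high >= $1m.
IMPACT_BANDS = [("low", 100_000), ("medium", 1_000_000)]
# Likelihood thresholds: low = fewer than once a year, medium = about once a
# year, high = multiple times a year. Reading "multiple" as 2+ events/year is
# an assumption made for this example.
LIKELIHOOD_BANDS = [("low", 1.0), ("medium", 2.0)]
RANK = {"low": 1, "medium": 2, "high": 3}


def band(value: float, bands) -> str:
    """Return the first band whose upper bound the value falls below, else 'high'."""
    for name, upper in bands:
        if value < upper:
            return name
    return "high"


def impact_level(loss_usd: float) -> str:
    return band(loss_usd, IMPACT_BANDS)


def likelihood_level(events_per_year: float) -> str:
    return band(events_per_year, LIKELIHOOD_BANDS)


def rate_risk(name: str, loss_usd: float, events_per_year: float) -> dict:
    """Semi-quantitative rating plus the expected annual loss the bands discard."""
    return {
        "risk": name,
        "impact": impact_level(loss_usd),
        "likelihood": likelihood_level(events_per_year),
        "expected_annual_loss_usd": loss_usd * events_per_year,
    }


def rank_by_band(ratings):
    """Order risks the way a heat map does: impact band first, then likelihood band."""
    return sorted(
        ratings,
        key=lambda r: (RANK[r["impact"]], RANK[r["likelihood"]]),
        reverse=True,
    )


def rank_by_expected_loss(ratings):
    """Order risks by expected annual loss, which the bands cannot express."""
    return sorted(ratings, key=lambda r: r["expected_annual_loss_usd"], reverse=True)


# Constructed sample risks: the two "high impact" cases from the post ($1.5m and
# $500m) plus a frequent medium-impact one. Frequencies are assumed.
SAMPLE_RISKS = [
    rate_risk("laptop theft with unencrypted data (constructed)", 1_500_000, 0.5),
    rate_risk("core banking platform outage (constructed)", 500_000_000, 0.1),
    rate_risk("phishing-driven payroll fraud (constructed)", 500_000, 3.0),
]

if __name__ == "__main__":
    print("Heat-map order (impact band, likelihood band):")
    for r in rank_by_band(SAMPLE_RISKS):
        print(f"  {r['risk']:<48} {r['impact']:<6} {r['likelihood']:<6} "
              f"EAL=${r['expected_annual_loss_usd']:,.0f}")
    print("Expected-annual-loss order:")
    for r in rank_by_expected_loss(SAMPLE_RISKS):
        print(f"  {r['risk']:<48} EAL=${r['expected_annual_loss_usd']:,.0f}")
```

The first two risks share the same (high, low) cell, so the heat map cannot order them, and the third sits in a lower cell even though its expected annual loss is above the first's. That is the gap the financial figures close.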
The Future of Cyber Risk Assessments: Quantitative Approaches (Where it makes sense)
In contrast to Qualitative approaches, a Quantitative cyber risk assessment expresses risk impacts as financial values and likelihoods as statistical probabilities, derived from objective, quantifiable inputs and statistical calculations.
Quantitative assessments can provide significant benefits:
- Business language: the financial detail helps translate technical cyber risks into business-friendly language, making it easier to compare cyber with other risk categories.
- Risk management at the strategic level: financial outputs enable top management and boards to better understand the company’s risk exposure and put investment decisions into a risk management context.
Quantitative risk assessment approaches are not without their challenges, however. They can be seen as time consuming, requiring additional expertise in mathematics, and the data used for inputs and outputs can be both challenging to obtain and met with scepticism once obtained. Understanding the advantages and disadvantages of Qualitative and Quantitative approaches enables a risk management professional to choose the best approach for the risk assessment use case.
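As an added example (not code from the original post, and not a method the post prescribes), the block below shows one common way the "financial values and statistical probabilities" of a quantitative assessment are produced: a Monte Carlo simulation in which annual event frequency is drawn from a Poisson distribution and single-event loss from a lognormal distribution fitted to a 90% confidence range. The distribution choices, the scenario name, its frequency and its loss range are all assumptions constructed for this example. The output is an expected annual loss, a "1-in-20 bad year" figure and the probability of exceeding a threshold, which are the kinds of numbers a board can set a tolerance against.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

# Quantitative (Monte Carlo) annual-loss estimate for one risk scenario.
# Frequency ~ Poisson(rate); single-event loss ~ lognormal fitted so that its
# 5th and 95th percentiles match the assessor's 90% confidence range. Both
# distribution choices are assumptions of this example.

Z_90 = 1.6449  # standard-normal z bounding a two-sided 90% interval


@dataclass(frozen=True)
class RiskScenario:
    name: str
    events_per_year: float  # mean annual frequency (Poisson rate)
    loss_low_usd: float     # 5th percentile of loss from a single event
    loss_high_usd: float    # 95th percentile of loss from a single event


def lognormal_params(lo: float, hi: float):
    """mu and sigma of a lognormal whose 5th/95th percentiles are lo and hi."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z_90)
    return mu, sigma


def poisson(rate: float, rng: random.Random) -> int:
    """Draw an event count from Poisson(rate) using Knuth's multiplication method."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(s: RiskScenario, years: int = 20_000, seed: int = 1):
    """One simulated year = a random number of events, each with its own loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low_usd, s.loss_high_usd)
    losses = []
    for _ in range(years):
        n = poisson(s.events_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def exceedance_probability(losses, threshold: float) -> float:
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def analytic_expected_annual_loss(s: RiskScenario) -> float:
    """Closed form (rate x lognormal mean), used to sanity-check the simulation."""
    mu, sigma = lognormal_params(s.loss_low_usd, s.loss_high_usd)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def summarise(s: RiskScenario, years: int = 20_000, seed: int = 1) -> dict:
    losses = simulate_annual_losses(s, years, seed)
    return {
        "scenario": s.name,
        "expected_annual_loss_usd": mean(losses),
        "p50_usd": percentile(losses, 0.50),
        "p95_usd": percentile(losses, 0.95),  # the "1-in-20 bad year"
        "p_any_loss": exceedance_probability(losses, 0.0),
        "p_over_1m": exceedance_probability(losses, 1_000_000),
    }


# Constructed scenario: about one incident every two years, each costing
# between $100k and $2m with 90% confidence.
SCENARIO = RiskScenario("ransomware on file servers (constructed)", 0.5, 100_000, 2_000_000)

if __name__ == "__main__":
    for key, value in summarise(SCENARIO).items():
        if isinstance(value, float):
            print(f"{key:<26} {value:>16,.3f}")
        else:
            print(f"{key:<26} {value}")
    print(f"{'analytic EAL':<26} {analytic_expected_annual_loss(SCENARIO):>16,.3f}")
```

The same scenario could be rated "high impact, low likelihood" in a semi-quantitative table; the simulation instead answers the board-level questions directly (what do we expect to lose per year, and how bad is a bad year). The scepticism the text mentions attaches to the inputs: the two percentile estimates drive everything, so they should be documented with their sources and revisited as incident data accumulates.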
Common Cyber Risk Assessment Use Cases, and When a Quantitative Approach Is Best Used
Cyber risk assessments can be used for a variety of purposes, and with a variety of audiences. These can range from company-wide assessments looking at the overall risk position, to detailed risk assessments looking at specific changes within an individual system.
The table below gives some examples and considers how well suited qualitative and quantitative approaches are for each:
How to introduce Quantitative Risk Assessment Approaches, alongside existing Qualitative Frameworks
If you already have a company-wide risk assessment framework it can be difficult to make a case for changing it. The risk assessment framework is likely a core part of the information security management system, and it may be part of regulatory reporting. Introducing a new approach is a big step.
For companies in such a situation that nonetheless want to explore cyber risk quantification we recommend the following:
- Start small and from the top down: choose a business division, or a single company within a corporate group and prepare a division/company-wide quantified assessment. This can show the strengths of CRQ to senior stakeholders, and generate enthusiasm and commitment for wider use. Avoid starting bottom-up with individual systems as this can lead to difficulties in gathering appropriate data for quantification.
- Quantify in parallel to your current approach: the existing risk assessment framework can continue to operate while CRQ is being explored, and indeed afterwards. The outputs from CRQ can be compared to existing risk assessments, and the usefulness and effort assessed.
- Build on initial CRQ with further entities: the data gathered for the initial CRQ will likely be useful for later assessments in other business divisions or companies. If possible have a core team work at a Group/central level so that the skills and expertise can carry forward to later projects.
- Decide how far to go: the table above lists various risk assessment use cases; you can use it to decide which risk assessment processes in your organization could be suitable for quantifying. There will likely be use cases where you will choose to keep a qualitative approach.
Final Thoughts
Cyber risk assessment can feel complex, but it doesn't have to be! This blog post has explored the two main approaches: qualitative and quantitative. Qualitative assessments are simple, using categories like "high," "medium," and "low". They're great for a quick overview, but can be inconsistent and imprecise. To address those limitations, a semi-quantitative approach adds numerical ranges to these categories. However, it still doesn't give you the financial figures you need for strategic decisions.
That’s where quantitative risk assessments come in, providing financial values and statistical probabilities. While they require a little more time to conduct, and are dependent on the data used for input, they offer significant benefits like business-friendly language, and strategic-level risk management.
The best approach for you will depend on your specific needs, so consider the audience for your risk assessment and the questions they are trying to answer. You can even introduce a quantitative method alongside your existing framework. This way, you get the best of both worlds!