Cyber-Risk Quantification (CRQ): Lessons Learned

July 18, 2022

  1. Security and risk management leaders have successfully implemented CRQ as early adopters and share lessons learned
  2. Business-aligned use cases and quantification along with high-quality data input are key to success, as are benchmarking risk management effectiveness against the cost of security investment

 


 

One of the most talked-about topics among security and risk management professionals lately has been an in-depth approach to predicting risk related to cybersecurity. Cyber Risk Quantification (CRQ) arrived in 2006 but started to gain significant traction after the SEC published proposed cyber risk management requirements for public companies in March 2022. As responsibility for effective risk management on the part of board members increases, the ability to successfully quantify and manage corporate risk will soon move from a best practice to a requirement across many industries. While CRQ is not a new tool, many companies are barely scratching the surface when it comes to implementing a holistic risk management program such as CRQ, which uses an objective approach to quantify cyber risk related to business processes. This differs from the traditional and most common approach, which is almost always subjective and based on the limited knowledge of the assessor or stakeholders involved in the risk assessment.

 

According to Gartner®Predicts 2022, “by 2025, 50% of cybersecurity executives will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.”

 

Developed by The Open Group, the FAIR (Factor Analysis of Information Risk) Model for Cyber Risk Quantification provides “enterprises the visibility required to assess and manage their cyber risk by calculating risk in clear terms understandable by the business. In other words, organizations can understand how cyber risk specifically affects revenue, profit, and other financial measures.” FAIR partners with several tool providers to provide hands-on training for individuals and organizations to learn how to implement CRQ in the most efficient and effective way possible for their unique situation. The FAIR model integrates with existing cybersecurity frameworks such as NIST, ISO and OCTAVE and quantifies risk by determining the probable magnitude and frequency of financial loss in any given scenario. The combination of these factors allows each risk to be assigned a dollar value. To translate this information into a visual that can be easily understood, a Monte Carlo simulation is used to show the financial impacts of each risk over a given period of time. This risk can then be used to justify cyber mitigation strategies based on business asset priority and expected loss exposure.

 

Image
crq_july_img1.png

 

Since 2019, companies in all industries and of all sizes have become early adopters and implemented, in part or in full, an effort to use CRQ for varying purposes. The initial implementation efforts have spanned manual and first-generation tool-based approaches, and while the manual approach reportedly suffers from disappointing results, many first-generation tools are overpromised and under-delivered. Surveys from several leading security research and training firms have shown the effectiveness and pitfalls of implementing CRQ in hopes of increasing the success of the model as a new tool in the security and risk management (SRM) toolbox.

 

The April 2022 SANS/Kovrr survey of 98 security professionals ranging from small to large businesses showed primary uses of CRQ including 72.4% for cyber budget allocation, 70% for board reporting and governance, 67% for cyber insurance and risk transfer options, 27% for M&A cyber due diligence, and 17% for capital reserve and management strategy. The same survey noted respondents intend to use CRQ to increase routine risk assessments from an annual cycle to a more frequent approach, and 80% of surveyed organizations felt that they would use CRQ outputs to increase their investment in security spending over the next 18 months.

 

Image
crq_july_img2.png

 

Gartner conducted the 2021 Cyber Risk Quantification Survey which focused on the view of 51 security and risk management leaders who have already adopted CRQ. The results from this survey show how SRM leaders primarily leverage CRQ to communicate risk. vs. proving risk as shown in the previous survey.

 

Image
crq_july_img3.png

Source: http://solutions.ait.ac.th/ (2020)

In these two surveys, professionals noted shortcomings including the learning that success relies heavily on the data inputs. Similar survey findings show that CRQ as a process suffers from the same issues seen in the rest of the data processes.

 

This is a classic example of garbage in, garbage out.

 

Conversely, the leading insights from the SANS/Kovrr survey were that the newness of this model along with low effectiveness in lowering the cost of security in the initial efforts were key reasons CRQ was not living up to its full potential.

 

ThreatConnect, which partners with The FAIR Institute, provided feedback from a CRQ webinar survey of 300 cybersecurity professionals showing a breakdown of their biggest pain points with the process. These included a lengthy process cycle, too much manual work and similar business alignment issues. One surprising result was a disbelief in the data output, which may point back to the issue of quality data inputs.

 

 

Image
crq_july_img4.png

ThreatConnect CRQ Challenges Survey

 

 

Best Practices for Implementation

 

FAIR and Up Guard published a simplified list of CRQ best practices, including:

 

  1. Develop internal and third-party risk profiles
    1. These summarize threats impacting internal and external environments. Shared vendor profiles are an excellent start to this effort.

  2. Establish an objective taxonomy
    1. Streamline internal communications on risks and align every member of the organization with an objective list of cybersecurity definitions within the context of cyber risk quantification. This will create visibility into any confusion such as referring to both malware and a ransomware gang as a cyber threat (only malware is a cyber threat because its financial impact can be calculated).

  3. Assign a criticality rating to each asset
    1. Doing this first will reduce the amount of data processing required for good data inputs.

  4. Document all efforts
    1. Summarize cyber risk calculations to support business decisions and scalability of cybersecurity programs.

  5. Narrow the focus
    1. Keep the focus on the cyber threats that pose the highest damage potential. Utilize a suite of risk analysis techniques together such as CRQ, Vendor Tiering and security ratings.

 

 

Utilizing Lessons Learned

 

A recap of survey results indicates a new practitioner should:

 

  1. Utilize existing data about business assets
    1. Such as from a Business Impact Analysis (BIA) or other asset registers.
    2. Remember: garbage in, garbage out.

  2. Avoid spending time on a manual approach

  3. Ensure business priorities are aligned with quantification efforts
    1. Increase the likelihood of raising appropriate visibility to the most important assets with the most damaging exposure potential.

 

 

Expert Guidance

 

As a follow-on to lessons learned, The FAIR Institute provides expert guidance to avoid 5 “CRQ” methods that are not supportive of cost-effective risk management, including:

 

  1. Simple, numerically expressed ordinal risk measurement - (think 5x5 scales for probability and impact to determine a risk score of 10) – the issue here is these are subjective judgments.

  2. Controls-focused assessments – also known as risk maturity assessments like NIST CSF, ISO 2700X, COBIT – measure whether controls are in place and functioning, but don’t assess risk and can’t provide guidance to prioritize one deficiency over another.

  3. Vulnerability Assessments such as CVSS scores – CVSS does not measure risk.

  4. Credit-like scoring – systems that collect data from scanning technologies to create a score. These don’t measure the amount of risk that exists.

  5. Threat Analysis – models such as DREAD18 and STRIDE19 focus on the threat landscape and leave out critical risk factors such as human errors, among others.

 

 

Takeaways:

 

Gartner recommends the following:

 

  1. Ensure cyber risk quantification is outcome-driven.
    1. Clarify the specific business decision you want to influence and make quantification outputs directly actionable for decision makers. In other words, “focus your firepower” on quantification decision makers ask for instead of producing self-directed analyses you then have to persuade the business to care about.

  2. Consider mapping to business assets rather than scenario-based CRQ to utilize existing enterprise data.
    1. Modeling asset value and exposure to business disruption will allow you to use objective data from existing business impact analysis (BIAs) and monitoring capabilities.

  3. Be careful with vendor assurances.
    1. Effective CRQ requires deep understanding of your data, technology architecture and enterprise priorities, which vendors don’t have and which their solutions cannot provide without extensive tuning.

 

The key takeaway, for us, from both surveys is that a careful and steady approach to CRQ will maximize the opportunity for success. Taking the time to cultivate and utilize existing, high-quality data, along with crafting a business-aligned risk quantification plan, will maximize your chances of success.

 

 

For further reading:

 

FAIR Model: https://www.fairinstitute.org/what-is-fair

 

Oliver Wyman Scenario Mapping: While Gartner does not recommend scenario-based mapping, it is worth understanding all the approaches, and scenario-based may be appropriate for some industries and applications. https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2019/aug/navigating-cyber-risk-quantification.pdf

 

Kovrr Technical Explanation of CRQ: https://www.kovrr.com/blog-post/what-is-cyber-risk-quantification-crq

 

 

Sources

 

Business Wire, 2022: https://www.businesswire.com/news/home/20220407005393/en/75-Of-Security-Pros-Use-or-Will-Implement-Cyber-Risk-Quantification-Within-18-Months-According-to-Kovrr-and-SANS-Institute

FAIR, 2021: https://www.fairinstitute.org/blog/watch-out-for-these-5-cyber-risk-quantification-methods.-they-dont-support-cost-effective-risk-management-1

FAIR, 2022: https://www.fairinstitute.org/what-is-fair

FAIR(SEC), 2022: https://www.fairinstitute.org/blog/harvard-law-sec-proposed-rules-game-changer-for-cyber-risk-reporting

Gartner, 2022: https://www.gartner.com/doc/reprints?id=1-29FBE5ZT&ct=220317&st=sb

Harvard, 2022: https://corpgov.law.harvard.edu/2022/04/11/proposed-sec-cyber-rules-a-game-changer-for-public-companies/

Kovrr, 2021: https://www.kovrr.com/blog-post/what-is-cyber-risk-quantification-crq

Oliver Wyman, 2022: https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2019/aug/navigating-cyber-risk-quantification.pdf

Reciprocity, 2021: https://reciprocity.com/blog/top-vendor-tiering-strategies-to-mitigate-cybersecurity-risks/

ThreatConnect, 2021: https://threatconnect.com/blog/the-cyber-risk-quantification-journey-its-not-as-hard-as-some-think/

Upguard, 2022: https://www.upguard.com/blog/what-is-cyber-risk-quantification#:~:text=Cyber%20Risk%20Quantification%20(CRQ)%20is,and%20vulnerabilities%20to%20address%20first.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Cassandra Mack
RISK MANAGER | OPTIV
Ms. Mack is a Risk Manager in Optiv’s Risk Management practice and is responsible for development and delivery of Strategic Business and Technology Assessment and Risk Reduction Strategy services to Optiv clients. Having deep expertise in all areas of GRC, IT and InfoSec across 17 industry groups, she is committed to extending her knowledge to empower businesses of all sizes to remain resilient in the face of environmental challenges.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.