I think a critical aspect to quantifying risk in a manner that resonates with a business audience involves linking that risk to potential financial repercussions. I try to articulate this as a range based on known similar incidents. Although specific financial losses are frequently undisclosed, upcoming SEC regulations are poised to shed more light on this area. I also consider fines associated with different types of data loss such as PII or PHI, as well as previous security or operational incidents that led to downtime and subsequent financial losses. These could be from breached SLAs, revenue disruption, or the costs required for operational recovery and getting back to business as usual. These can be difficult to calculate depending on the data you have available, but if you can tell a good story around how you came up with these figures it can enhance your ability to present risk in terms that the business can relate to.
indeed! we are putting together a framework for “What is ‘Material’” from a SEC perspective -- stay tuned / let me know if you want to be involved!
Risk is a hard thing to quantify at times. But I think having a good understanding of your security risk can elevate the conversation at the executive level. It can tie security problems to business outcomes, which can ultimately help make a stronger security program and get more budget. How do people quantify risk in your organization?
Agent: N/A | Platform: Using Lacework/Operationalizing | Cloud: N/A
Related but different question: what security metrics does your organization track, and how do they bubble up to executive (and down to operational) layers?
I'm very interested in this as we are currently trying to figure this out as well.
From a technology risk perspective, a good start might be to consider the following metrics.

- Percentage of Total Risks w/o Treatment Plan
  - Bubble up: How many identified risks are currently without a strategic approach for mitigation/management. This can show your current risk exposure as well as the potential need for resourcing, culture change, etc.
  - Trickle down: Helps teams prioritize which risks need a response plan and/or could indicate issues in the risk assessment and tracking process. Risk owners/managers could prioritize based on where the residual risk lands on the 5x5 Impact x Likelihood matrix.
- Percentage of Total Unmitigated Risks by Threat Source
  - Bubble up: This can provide an overview of the sources of risks that have yet to be addressed. We could use this to make data-driven decisions on where to invest for better security and subsequent risk mitigation.
  - Trickle down: Understanding your threat sources can help teams design more targeted countermeasures, training programs and compensating controls.
- Percentage of Total Unmitigated Risks by Treatment Option
  - Bubble up: We can provide leadership with trend data around how the company treats risk in general. For example, if you have a lot of unmitigated risks with the “mitigate” treatment option, then perhaps you should try to transfer some of that risk to reduce your risk exposure, or increase resources to address the lack of mitigation activity.
  - Trickle down: Teams could use this metric to make decisions that avoid risks altogether if they are not able to adequately address future risks that could be introduced.
- Percentage of Total Unmitigated Risks by Risk Score
  - Bubble up: This gives a snapshot of the severity of unmitigated risks. High percentages of critical/high risks might mean that top-down support driving mitigations is in order.
  - Trickle down: This could be used to help prioritize mitigation efforts.
- Percentage of Total Unmitigated Risks by Risk Category
  - Bubble up: This can be used to identify which areas of the business have concentrations of unmitigated risks (compliance, operational, reputational risks). Depending on how you categorize risks at your org, you could get clever with this.
  - Trickle down: Identifies which categories of risk are being most/least effectively managed and enables teams to switch gears in remediation efforts if necessary.
- Percentage of Risks that are Emerging/New
  - Bubble up: This could help shine a light on how recent initiatives have impacted your risk exposure. It could also indicate changes in the risk landscape your business operates within.
  - Trickle down: Identifying emerging risks can help teams develop mitigation strategies before risks become more complex or expensive to mitigate.

These probably won't work for everybody but might be something to get a conversation started. I like to stick with percentage-based metrics so they aren't as easily affected by swings in the number of cataloged risks and lend themselves better to providing trend data.
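As an added example (this is not code from the post above or from any product), here is a small Python model of the register that sits behind those percentages: each metric is computed as a share of the total (or of the open risks) rather than a count, and the "trickle down" view is just the open risks ordered by their 5x5 residual score. The `Risk` fields, the band thresholds on the 25-cell matrix and the 90-day window for "emerging" are assumptions made for the illustration, and the register rows are constructed data, not a real register.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Risk:
    """One row of a (constructed) risk register."""
    risk_id: str
    threat_source: str   # e.g. "external actor", "insider", "third party"
    category: str        # e.g. "operational", "compliance", "reputational"
    likelihood: int      # residual likelihood, 1..5
    impact: int          # residual impact, 1..5
    treatment: str       # "mitigate", "transfer", "accept" or "avoid"
    has_plan: bool       # a documented treatment plan exists
    mitigated: bool      # treatment completed, risk no longer open
    identified: date     # when the risk entered the register


def residual_score(r: Risk) -> int:
    """Cell of the 5x5 Impact x Likelihood matrix, 1..25."""
    return r.likelihood * r.impact


def score_band(r: Risk) -> str:
    # Band thresholds are an assumption; use your own matrix's colouring.
    s = residual_score(r)
    if s >= 15:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def pct_breakdown(items, key) -> dict:
    """Share of `items` per value of key(item), as percentages to 1 dp."""
    n = len(items)
    if n == 0:
        return {}
    counts = Counter(key(i) for i in items)
    return {k: round(100.0 * v / n, 1) for k, v in sorted(counts.items())}


def risk_metrics(register, as_of: date, emerging_days: int = 90) -> dict:
    """The 'bubble up' numbers. Every value is a percentage, not a count, so the
    trend is not swamped by how many risks happened to be catalogued that quarter."""
    total = len(register)
    open_risks = [r for r in register if not r.mitigated]

    def pct_of_total(count: int) -> float:
        return round(100.0 * count / total, 1) if total else 0.0

    return {
        "pct_without_plan": pct_of_total(sum(1 for r in register if not r.has_plan)),
        "unmitigated_by_threat_source": pct_breakdown(open_risks, lambda r: r.threat_source),
        "unmitigated_by_treatment": pct_breakdown(open_risks, lambda r: r.treatment),
        "unmitigated_by_score": pct_breakdown(open_risks, score_band),
        "unmitigated_by_category": pct_breakdown(open_risks, lambda r: r.category),
        "pct_emerging": pct_of_total(
            sum(1 for r in register if (as_of - r.identified).days <= emerging_days)),
    }


def prioritized(register) -> list:
    """The 'trickle down' view: open risks, highest residual score first."""
    return sorted((r for r in register if not r.mitigated),
                  key=lambda r: (-residual_score(r), r.risk_id))


# Constructed sample register (illustrative values, not real data).
AS_OF = date(2023, 9, 1)
REGISTER = [
    Risk("R-01", "external actor", "operational",  4, 5, "mitigate", True,  False, date(2023, 3, 1)),
    Risk("R-02", "insider",        "compliance",   2, 4, "mitigate", False, False, date(2023, 8, 15)),
    Risk("R-03", "third party",    "operational",  3, 3, "transfer", True,  False, date(2023, 1, 10)),
    Risk("R-04", "external actor", "reputational", 5, 3, "mitigate", True,  True,  date(2022, 11, 5)),
    Risk("R-05", "insider",        "compliance",   1, 2, "accept",   True,  True,  date(2022, 6, 1)),
    Risk("R-06", "third party",    "compliance",   3, 4, "mitigate", False, False, date(2023, 8, 20)),
    Risk("R-07", "external actor", "operational",  2, 2, "avoid",    True,  False, date(2023, 5, 1)),
    Risk("R-08", "natural event",  "operational",  1, 5, "accept",   True,  True,  date(2022, 2, 1)),
]

if __name__ == "__main__":
    for name, value in risk_metrics(REGISTER, AS_OF).items():
        print(f"{name}: {value}")
    print("priority order:", [r.risk_id for r in prioritized(REGISTER)])
```

Running `risk_metrics` against the same register at two dates (or against two snapshots of it) gives the trend line; because the denominators are the total and the open-risk count, adding fifty newly discovered low risks moves the percentages rather than burying the critical ones.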
Nice! I am leading a CISO office hours to discuss this on Sept 20 and anticipate having more drafts to review (and if you are a customer and want to get an invite for your CISO, let me know!)
The FAIR Institute has created the FAIR-MAM methodology to help understand materiality. A great starting point for discussion/analysis.
How do people quantify risk in your organization?
We don’t often dive to quantified risk in my organization today, but in past lives, I’ve used FAIR successfully to understand the threat scenarios, control gaps, and modeled the possible frequencies and magnitudes of future loss. It’s not a simple 1-5 [arguably meaningless] score, but when you put the work in, you’ll get defensible numbers that can be compared to loss history and experience, and adjusted over time as you get better data or better estimates.
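The frequency-times-magnitude modelling this reply refers to, and the range-based financial figures the first post argues for, as an added Python example. This is not FAIR Institute material, FAIR-MAM, or the poster's own model; it is a generic Monte Carlo in the FAIR style. The assumptions are: each 90% range (from comparable incidents or a calibrated estimate) is turned into a lognormal distribution by matching its 5th and 95th percentiles, the number of loss events in a year is Poisson given a sampled rate, and the scenario ranges and the $1M threshold are constructed for illustration.

```python
import math
import random
from statistics import mean

Z90 = 1.6449  # standard-normal z for a two-sided 90% interval


def lognormal_params(lo: float, hi: float) -> tuple:
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are lo/hi.
    This is how a 90% confidence range, from an expert or from comparable
    incidents, becomes a distribution that can be sampled."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def poisson(lam: float, rng=None) -> int:
    """Number of loss events in a year given a mean annual rate
    (Knuth's method, adequate for the small rates typical of these scenarios)."""
    rng = rng or random.Random()
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: dict, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo: per simulated year, draw an event rate, draw how many
    events occur, draw a magnitude for each, and sum into the year's loss."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_params(*scenario["events_per_year_90ci"])
    m_mu, m_sigma = lognormal_params(*scenario["loss_per_event_90ci"])
    losses = []
    for _ in range(trials):
        events = poisson(rng.lognormvariate(f_mu, f_sigma), rng)
        losses.append(sum(rng.lognormvariate(m_mu, m_sigma) for _ in range(events)))
    losses.sort()

    def q(p: float) -> float:
        return losses[min(int(p * trials), trials - 1)]

    return {"losses": losses, "mean": mean(losses),
            "p10": q(0.10), "p50": q(0.50), "p90": q(0.90),
            "p_zero": sum(1 for x in losses if x == 0) / trials}


def prob_exceeds(losses, threshold: float) -> float:
    """Share of simulated years whose loss exceeds `threshold`, e.g. a
    materiality line or an insurance retention."""
    if not losses:
        return 0.0
    return sum(1 for x in losses if x > threshold) / len(losses)


# Constructed scenario: ransomware on one business unit. The ranges are
# illustrative assumptions, not taken from any real incident.
SCENARIO = {
    "name": "ransomware: business unit A",
    "events_per_year_90ci": (0.1, 1.0),           # once a decade .. once a year
    "loss_per_event_90ci": (200_000, 5_000_000),  # recovery, downtime, fines
}

if __name__ == "__main__":
    r = simulate_annual_loss(SCENARIO)
    print(f"{SCENARIO['name']}: mean ${r['mean']:,.0f}  "
          f"p10 ${r['p10']:,.0f}  p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"P(no loss this year) = {r['p_zero']:.1%}")
    print(f"P(annual loss > $1M) = {prob_exceeds(r['losses'], 1_000_000):.1%}")
```

The output is a loss distribution rather than a single number, which is what lets it be compared against loss history: if your last five years of actual losses sit outside the p10..p90 band, the frequency or magnitude ranges need recalibrating. `prob_exceeds` is the figure to put next to whatever threshold the business treats as material.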