Quantifying cyber security risk with IziRisk

The FAIR standard for analyzing cybersecurity risk, Factor Analysis of Information Risk, has become the leading value-at-risk model for cybersecurity and operational risk. The FAIR Institute is a professional, not-for-profit organization dedicated to advancing the discipline of measuring and managing cyber and operational risk.
This methodology provides information risk, cybersecurity, and business managers and analysts with standards and best practices to help organizations measure, manage, and report information risk from a financial perspective.
Using the same theoretical framework for risk quantification, FAIR decomposes risk into two factors: the frequency of the loss event and its magnitude. Loss event frequency, the number of times a loss event is expected to occur per unit of time, is in turn the product of two components: threat event frequency (how often the threat acts against the asset) and vulnerability (the probability that a threat event actually results in a loss).
The magnitude, or impact, of the loss is likewise divided into primary loss (borne directly by the organization) and secondary loss (arising from the reactions of third parties such as regulators, customers or courts).
A simple example. An internal auditor reports a high risk: laptop theft. She rates it high because she has placed it in a risk matrix at "possible" likelihood and "very high" impact. This categorization, however, is ambiguous and subjective, and is of no use for determining the magnitude of the risk, how much of it could and should be mitigated, or how.
To mitigate this risk, a policy could be purchased to insure the laptops against theft. It costs $80,000 a year and carries an aggregate deductible of up to $30,000 for all events in the year.
The CFO wants to know whether or not this insurance is worth the investment. This, by the way, is impossible to analyze with the dot placed in a red box on the risk map.
Historical data shows an average of one laptop theft per year. The primary replacement cost of a laptop is between $1,000 and $3,000. In addition, there is an estimated 50% probability that access to the data on the laptop will be lost; reconstructing that data would cost between $0 and $100,000.
As for secondary loss drivers, depending on the nature of the stolen data there is a 10% chance of an investigation by a regulatory body that eventually leads to a fine of between $50,000 and $500,000.
A 5% probability of a class action has also been assessed. If one is filed, the probability of losing the lawsuit is estimated at 10%, at a cost of between $100,000 and $2 million for the loss of the information.
Using Easy Risk Quantum, an application that sits on top of Excel and performs Monte Carlo simulations, this question can be resolved and the CFO told whether or not the policy is worth buying.
First, probability distributions are defined for the event counts, that is, for the frequency of thefts and of their possible secondary events, and for the magnitudes of the primary and secondary losses.
Then two scenarios are defined: inherent risk, without the insurance policy, and residual risk, which assesses the impacts taking into account the cost and coverage of the policy.
The Monte Carlo simulation draws random values for every variable in the model and generates thousands of scenarios; after 10,000 iterations, the loss probability curves of the two alternatives can be compared.
Without the policy, the average annual loss is $32,000; it could be as low as $1,000 but could also exceed $4 million.
With the policy, the average annual cost rises to $89,000, but the tail of the loss distribution is cut off at a maximum set by the annual premium of $80,000 plus the deductible of up to $30,000: at most $110,000 per year, instead of more than $4 million.
The decision then depends on the company's risk tolerance: whether it prefers to live with an expected loss of around $32,000 a year together with the possibility of losing $4 million or more, or to pay for insurance that on average costs $89,000 a year but never more than $110,000.
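The scenario above, as an added example in plain Python rather than the page's Excel tool (this is not IziRisk or Easy Risk Quantum code). It carries the FAIR decomposition through: loss event frequency drives how many thefts occur in a simulated year, each theft draws a primary and a secondary loss magnitude, and the residual scenario applies the premium and the aggregate deductible to the year's gross loss. Assumptions not stated on the page: every range is sampled uniformly and event counts are Poisson with mean 1, so the resulting means differ from the $32,000 and $89,000 figures, which depend on the distribution shapes the tool used; the policy is assumed to have no payout cap beyond the deductible.

```python
import math
import random
import statistics

# Scenario inputs taken from the example above (USD). Distribution shapes are
# an assumption: ranges are sampled uniformly, event counts are Poisson.
THEFTS_PER_YEAR = 1.0            # loss event frequency (Poisson mean)
LAPTOP_COST = (1_000, 3_000)     # primary loss: hardware replacement
P_DATA_LOSS = 0.50               # primary loss: chance the data is lost ...
DATA_COST = (0, 100_000)         # ... and what reconstructing it costs
P_INVESTIGATION = 0.10           # secondary loss: regulator investigates and fines
FINE = (50_000, 500_000)
P_CLASS_ACTION = 0.05            # secondary loss: class action is filed ...
P_LOSE_SUIT = 0.10               # ... and lost
SUIT_COST = (100_000, 2_000_000)
PREMIUM = 80_000                 # annual cost of the policy
DEDUCTIBLE = 30_000              # aggregate deductible for all events in a year


def poisson(rng, mean):
    """Number of loss events in one year (Knuth's method; fine for small means)."""
    threshold = math.exp(-mean)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def event_loss(rng):
    """Loss magnitude of a single theft, split the way FAIR does:
    loss magnitude = primary loss + secondary loss."""
    primary = rng.uniform(*LAPTOP_COST)
    if rng.random() < P_DATA_LOSS:
        primary += rng.uniform(*DATA_COST)
    secondary = 0.0
    if rng.random() < P_INVESTIGATION:
        secondary += rng.uniform(*FINE)
    # The second draw only happens if a class action is actually filed.
    if rng.random() < P_CLASS_ACTION and rng.random() < P_LOSE_SUIT:
        secondary += rng.uniform(*SUIT_COST)
    return primary + secondary


def annual_loss(rng):
    """Inherent (uninsured) loss for one simulated year."""
    return sum(event_loss(rng) for _ in range(poisson(rng, THEFTS_PER_YEAR)))


def insured_cost(gross_loss):
    """Residual cost with the policy: the premium plus whatever part of the
    year's losses falls under the aggregate deductible (no payout cap assumed)."""
    return PREMIUM + min(gross_loss, DEDUCTIBLE)


def summarize(samples):
    """Mean, median, 95th percentile and worst case of a list of annual costs."""
    ordered = sorted(samples)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p50": percentile(0.50),
            "p95": percentile(0.95), "max": ordered[-1]}


def simulate(iterations=10_000, seed=2024):
    """Run the Monte Carlo for both scenarios and return their loss statistics."""
    rng = random.Random(seed)
    inherent = [annual_loss(rng) for _ in range(iterations)]
    residual = [insured_cost(loss) for loss in inherent]
    return {"inherent": summarize(inherent), "residual": summarize(residual)}


if __name__ == "__main__":
    for name, stats in simulate().items():
        print(f"{name:9s} " + "  ".join(f"{k}=${v:,.0f}" for k, v in stats.items()))
```

Running it prints the mean, median, 95th percentile and maximum of both curves; the residual maximum never exceeds PREMIUM + DEDUCTIBLE, which is the tail-cutting effect the page describes. To reproduce a tool's figures, replace `rng.uniform` with the distribution it uses for each range (a PERT or lognormal fit with a most-likely value near the low end gives a much lower mean than the uniform assumption here).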
With a quantitative cybersecurity risk analysis methodology such as Easy Risk, it is possible to eliminate the ambiguity and subjectivity of colour-coded risk-matrix ratings, to quantify in monetary terms the impact of risks and of their mitigation strategies, to prioritize the factors that contribute most to losses, and to build a culture in which organizations systematically record and quantify their loss-event data.