5 Myths of Cyber Risk Quantification, and How Squalify Addresses Them

Updated on May 30, 2025 | 5 min read

Moving to a quantitative approach for cyber risk assessment can be daunting! It brings with it a perception of complexity, mathematical expertise, and a need for vast amounts of historic data sets. This article is here to dispel those myths and explain how you can get started with cyber risk quantification quickly and simply using the Squalify platform.

The Squalify cyber risk quantification approach addresses these challenges head-on and makes it easier than ever to assess your cyber risks quantitatively.

Myth #1: Do I need to be a math/statistics genius to do CRQ?

Core to many cyber risk quantification methodologies are advanced statistical techniques and mathematical tools such as Monte Carlo simulation. Adoption can be held back by the need for math, statistics or data science expertise to set up and maintain the model and to ensure it is appropriately configured and calibrated.

How Squalify removes the CRQ math skills challenge

Squalify also uses advanced statistical techniques and Monte Carlo simulation; however, the complexity associated with these is embedded within our software tool and kept up to date by our expert team. No math or statistics expertise is required to use the tool.

The outputs from the Squalify model are explained in common board room financial risk language, making cyber comparable to other enterprise risk categories.

Of course, if you are interested in learning more, or if actuaries, data scientists or anyone else want to understand the inner workings of our model, it is well documented and we’d love to geek out and explain it with you.

Myth #2: Do I need lots of data to do CRQ?

There is a perception that without sufficient data a quantification will be inaccurate in assessing the probability and/or the impact of a cyber risk.

I’ve discussed what data are required for a CRQ in our post about How to Plan a Successful CRQ Project.

In summary you’ll need:

  • Financial data - how much revenue the company makes, where it makes its profit, and what it would spend on post-incident costs (for example legal fees, forensics providers, etc.). You can usually find this by speaking with the finance team.
  • Business impact scenario data - this specifies what might happen and what the consequences would be for your organization. You can often find this in business continuity plans or similar documents.
  • Information security threat data - companies with sophisticated in-house security or SOC teams may have sufficient data to inform these threat estimates (how often certain attack types are expected); most companies will need to look to publicly or commercially available data sets to help inform this.
  • Information security controls data - this covers how well protected the company is. It can be modeled for individual assets or in aggregate at company level.

How Squalify solves the CRQ data challenge

Squalify approaches cyber risk quantification from a top-down angle, which greatly simplifies the input data required. No longer do you need to analyse each individual asset and system and aggregate multiple system level risk assessments into an enterprise level view.  

Squalify incorporates historic cyber incident loss data within our service offering, so subscribers do not need to make their own threat estimates. Our loss data comes from Munich Re, our parent company and a globally leading cyber insurer and reinsurer.

With Squalify you can get first quantitative results with little more than the information in your financial reports. Squalify calculates a quick assessment from information such as revenue, number of employees and industry.

For more detailed results the risk assessment can be further contextualised to the organization by providing more information about your cyber security controls and business continuity planning scenarios. Again, this is from a top-down angle, so it considers the overall maturity across the company rather than individual systems. Typically this information can be made available reasonably quickly, assuming that the organizational strengths and weaknesses are understood.

Myth #3: How do I get a company-wide risk view with CRQ?

System-level risk assessments can be great for looking at technical details and threats, but aggregating multiple risks across multiple systems and multiple business units into a whole-company view is a challenge!

It can be all too easy to double count risks and/or not have comparable results from different systems or business units.

How Squalify solves the risk aggregation challenge

Squalify's top-down cyber risk quantification approach is designed to give a company-wide view. Squalify looks at consequences and information security maturity at an organizational level, which avoids having to combine or aggregate individual bottom-up system-level risk assessments.
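As an added illustration of the Monte Carlo machinery mentioned under Myth #1 and of the aggregation problem under Myth #3, the following example simulates annual losses for two business units and then for the group as a whole. It is example code written for this article, not Squalify's model: the choice of Poisson event frequency and lognormal loss severity (a standard compound-loss model in insurance and operational-risk work), the scenario names, rates, loss medians and shape parameters are all assumptions. The point it demonstrates is that expected losses from separate assessments add up, but percentiles such as a "1-in-20-year" p95 do not, so figures from separate bottom-up assessments cannot simply be summed into a group view.

```python
"""Frequency-times-severity Monte Carlo for cyber risk quantification.

Illustrative example only: not Squalify's model, and every parameter below
is an assumption. Event frequency per year is modelled as Poisson and loss
per event as lognormal, a common compound-loss choice in insurance modelling.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, e.g. 'ransomware' for a business unit (assumed values)."""
    name: str
    events_per_year: float  # Poisson rate; 0.3 means roughly one event every 3-4 years
    median_loss: float      # median loss per event, in currency units
    sigma: float            # lognormal shape parameter; larger means a fatter tail


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1


def simulate_annual_loss(scenarios, trials, seed=0):
    """Simulate `trials` years; each year sums the losses of every event that occurs.

    Returns the annual aggregate losses sorted ascending, which is all that is
    needed to read off expected annual loss and loss-exceedance percentiles.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            mu = math.log(s.median_loss)  # lognormal median == exp(mu)
            for _ in range(poisson(rng, s.events_per_year)):
                total += rng.lognormvariate(mu, s.sigma)
        years.append(total)
    years.sort()
    return years


def percentile(sorted_losses, q):
    """Empirical q-quantile (0 < q < 1) of a sorted list; p95 answers 'a 1-in-20 year'."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def summarise(sorted_losses):
    """Board-level figures: expected annual loss plus median, p95 and p99 annual loss."""
    n = len(sorted_losses)
    return {
        "expected_annual_loss": sum(sorted_losses) / n,
        "p50": percentile(sorted_losses, 0.50),
        "p95": percentile(sorted_losses, 0.95),
        "p99": percentile(sorted_losses, 0.99),
    }


def analytic_expected_loss(scenarios):
    """Closed form to sanity-check the simulation: sum over scenarios of rate * E[lognormal]."""
    return sum(s.events_per_year * s.median_loss * math.exp(s.sigma ** 2 / 2)
               for s in scenarios)


# Constructed, illustrative scenarios for two business units (assumed numbers).
UNIT_A = [Scenario("ransomware", 0.3, 800_000, 1.0),
          Scenario("data breach", 0.5, 250_000, 0.8)]
UNIT_B = [Scenario("ransomware", 0.2, 400_000, 1.0),
          Scenario("payment fraud", 1.5, 60_000, 0.7)]


def compare_aggregation(trials=20_000):
    """Group view two ways: adding per-unit figures versus simulating the group jointly.

    Expected losses add up; percentiles do not, so a 'group p95' obtained by adding
    the unit p95s is not the same quantity as the p95 of the group's simulated losses.
    """
    a = summarise(simulate_annual_loss(UNIT_A, trials, seed=1))
    b = summarise(simulate_annual_loss(UNIT_B, trials, seed=2))
    group = summarise(simulate_annual_loss(UNIT_A + UNIT_B, trials, seed=3))
    return {
        "sum_of_unit_means": a["expected_annual_loss"] + b["expected_annual_loss"],
        "group_mean": group["expected_annual_loss"],
        "sum_of_unit_p95": a["p95"] + b["p95"],
        "group_p95": group["p95"],
    }


if __name__ == "__main__":
    for key, value in compare_aggregation().items():
        print(f"{key:>18}: {value:,.0f}")
```

Running the script prints the four group figures; the two means agree to within sampling error, while the two p95 figures are different quantities, which is exactly why a top-down group assessment simulates the group rather than adding up unit-level results.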

Squalify's approach also enables the risk monitoring and comparison of different entities within a corporate group structure. Our common methodology is applied to each assessment, so the results can be easily compared across different entities using our Subsidiary Steering dashboards.

Myth #4: How long does a CRQ assessment take (to get started)?

Some cyber risk quantification methodologies provide a method, but leave the implementation to the organization itself. This often leads to a network of complicated spreadsheets that must be kept up-to-date, quality assured, explained to stakeholders, and brought together to give a big picture view.

Time can be spent clarifying the scope of what to quantify, building relationships within the company, and negotiating and gathering data. Each of these pitfalls is addressed in our post on How to Plan a Successful CRQ Project.

How Squalify helps you quantify cyber risk quickly

The Squalify quantification model is embedded within our Software-as-a-Service (SaaS) cyber risk quantification tool. The Squalify software comes pre-configured to prompt the necessary inputs and automatically generates the output calculations. The method is repeatable, and offers easy means to adjust inputs and simulate new scenarios.

No need to spend time wrangling spreadsheets, configuring other software tools, or building integrations.

We also ensure that the underlying mathematical model and reference data are kept updated, again saving you time!

Initial results can be available within a day, and more detailed results in a matter of days (depending on how quickly company info can be made available). Our standardized delivery approach ensures quantifications are typically delivered in weeks, not months.

Myth #5: Do I need to replace my current risk framework with a quantification approach?

If you already have a company-wide risk assessment framework, it can be difficult to make a case for changing it. The risk assessment framework is likely a core part of the information security management system, and it may be part of regulatory reporting. Introducing a new approach is a big step.

There is sometimes a perception that adopting CRQ means that the existing risk framework has to be thrown out.

In fact, quantification can be complementary to existing risk methodologies. I’ve written about this in detail in Qualitative vs Quantitative Cyber Risk Assessment: When is the Best Time to use each Approach?

How Squalify's CRQ approach complements your existing risk framework

In summary, quantification methods can be introduced in parallel to existing non-quantitative approaches. For example, a typical adoption of Squalify is to:

  • Start small and from the top down: choose a business division, or a single company within a corporate group and prepare a division/company-wide quantified assessment. This can show the strengths of CRQ to senior stakeholders, and generate enthusiasm and commitment for wider use.
  • Quantify in parallel to your current approach: the existing risk assessment framework can continue to operate while CRQ is being explored, and indeed afterwards. The outputs from CRQ can be compared to existing risk assessments, and the usefulness and effort assessed.  
  • Build on initial CRQ with further entities: the data gathered for the initial CRQ will likely be useful for later assessments in other business divisions or companies. If possible have a core team work at a Group/central level so that the skills and expertise can carry forward to later projects.

Is my organization ready for cyber risk quantification?

Cyber risk assessment is not new, and many companies will already have existing risk assessment processes. It may be daunting to consider a new approach. How could the Squalify approach work alongside my existing risk assessment framework? Will I need to retrain lots of people? How will I explain the outputs?

As a top-down cyber risk quantification approach, Squalify is complementary to other methodologies, whether qualitative or quantitative. Squalify is designed for a board room and senior management audience and supports strategic planning, corporate steering and cyber risk oversight.

Through this mythbusting article, I hope that you have a clearer understanding of how cyber risk quantification with Squalify can be adopted in your organization.

Want to check your readiness for CRQ? Take our free, quick readiness survey now.
