With over twenty-five years of experience in cybersecurity, Dustin Owens, who spent some time as LogicGate’s Principal GRC Architect, has seen significant changes and developments in the GRC space. Recently Dustin shared his insight on the benefits of risk quantification during an episode of LogicGate’s podcast, GRC & Me.
Dustin shared, “I got introduced to risk quantification for the first time as part of the NSA’s InfoSec assessment methodology. They had a process that was actually based off of the OCTAVE framework, which is basically the same framework that the FAIR methodology uses today.”
Here is a quick explanation of what all those terms mean:
Cyber Risk and Controls Compliance can be defined as the procedures or measures used to protect electronic data from unauthorized access or use. This is a key duty of the United States National Security Agency (NSA), which developed its InfoSec Assessment Methodology (IAM) as a means of assessing how well organizations protect their data.
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation and is a framework used to identify and manage information security risks. It was originally developed in 2001 at Carnegie Mellon University for the United States Department of Defense. Two versions of OCTAVE exist: OCTAVE-S is a simplified methodology for smaller organizations, while OCTAVE Allegro is more suitable for larger organizations with multilevel structures.
FAIR stands for Factor Analysis of Information Risk and is the only international standard quantitative model for information security and operational risk. It was developed by the FAIR Institute, a non-profit professional organization, as a framework to quantify Value at Risk (VaR) for cybersecurity and operational risk.
According to Dustin, “Risk quantification is really about expressing risk findings in the form of monetary impact.”
In other words, a financial value is calculated for the potential impact of the risk. However, as risk consists of two components, likelihood and impact, we cannot simply say that the risk is the total value of the impact. Instead, a calculation regarding the combination of likelihood and impact is required.
Similarly, there is uncertainty about exactly how much the impact could cost, so again calculations are required to determine the value of the impact. Combining the likelihood of occurrence and the uncertainty of the impact results in a quantified assessment of the risk, expressed in monetary terms.
While qualitative risk assessment utilizes terms such as high, medium, and low, or is designated through color schemes such as red, amber, and green, quantitative risk assessment simply uses dollars and cents.
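The two paragraphs above describe the core of quantification: a likelihood (how often a loss event happens) combined with an uncertain impact (how much each event costs), producing a dollar figure rather than a color. The following is an added example, not code from the podcast, from LogicGate or from the FAIR Institute. It uses three-point estimates (minimum, most likely, maximum) for both inputs, a simple Monte Carlo simulation to carry the uncertainty through, and reports the resulting annual loss distribution. The scenario name and every figure in it are constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass

# Added example: a FAIR-style Monte Carlo estimate of annual loss for a single
# risk scenario. All figures below are constructed, not taken from any source.


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class RiskScenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # dollars lost per event


def point_estimate(scenario: RiskScenario) -> float:
    """Naive 'likelihood x impact' using only the most-likely values.

    This is what the text warns against: it hides the uncertainty entirely.
    """
    return scenario.loss_event_frequency.mode * scenario.loss_magnitude.mode


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario: RiskScenario, trials: int = 10_000,
                         seed: int = 2024) -> list[float]:
    """One simulated annual loss per trial, with uncertainty in both inputs."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual_losses = []
    for _ in range(trials):
        rate = scenario.loss_event_frequency.sample(rng)   # how often this year?
        events = poisson(rng, rate)                        # how many actually happen?
        # each event draws its own magnitude; a year with no events costs nothing
        annual_losses.append(
            sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean and percentiles of the simulated annual loss, in dollars."""
    ordered = sorted(losses)

    def percentile(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "max": ordered[-1],
    }


# Constructed scenario: credential phishing leading to a mailbox compromise,
# expected somewhere between once every five years and once a year.
PHISHING = RiskScenario(
    name="Credential phishing leading to mailbox compromise",
    loss_event_frequency=Estimate(low=0.2, mode=0.5, high=1.0),
    loss_magnitude=Estimate(low=50_000, mode=150_000, high=600_000),
)

if __name__ == "__main__":
    print(f"{PHISHING.name}")
    print(f"point estimate (most likely x most likely): ${point_estimate(PHISHING):,.0f}")
    for key, value in summarize(simulate_annual_loss(PHISHING)).items():
        print(f"{key:>5}: ${value:,.0f}")
```

Running it shows why the single point estimate is misleading: the median simulated year loses nothing at all (most years have no event), yet the mean and the 90th and 95th percentiles are well above the most-likely-times-most-likely figure because the magnitude tail is long. Those percentiles, not the point estimate, are what a quantified assessment puts in front of a business leader.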
Dustin explains this further, “Being able to show risk findings on a consistent basis is something that every part of the organization can provide in a consistent manner. You can understand what those results are telling you in a very straightforward manner. This amount of dollar impact is something very easy for business leaders to understand.”
Talking about risk in terms of impacts on the bottom line or returns on investment suddenly transforms the risk assessment from a colored chart at the end of a report into a tangible value that can influence decision-makers.
Business leaders can categorize risks according to their financial impact. Dustin says, “How they respond to risk can actually help them prioritize what activities they need to pay attention to. Quite simply put, what this means is they can pay attention to what are the highest dollar impacts that we need to worry about and how much investment do we need to put into solving these particular risks?”
This becomes particularly important when working with constrained resources or limited budgets. Understanding how much a risk mitigation action will cost compared to the benefit derived from either taking or not taking action can influence the priority of the action.
Finding a Common Language
A major benefit of using quantitative language is that it reduces confusion and lessens the amount of interpretation required when using qualitative language such as high, medium, and low. While a seemingly trivial detail, this can significantly change an organization’s approach to risk management.
Additionally, it means that a single tool can be used for all of the risks throughout an organization. According to Dustin, “If everybody is working from a consistent basis and working in dollars and cents for assessing their different categories of risk, then whether it’s IT risk, legal risk, HR risk, you name it. If they’re using consistent formulas to calculate risk and show what the risk findings are saying, it makes it so much easier to combine into an integrated risk view.”
This common language will lead organizations to move towards more integrated risk management approaches, reducing the existing barriers between functions that currently have very different notions of the meaning of risk.
Once everyone is using the same language, Dustin believes a virtuous circle will be created where decision-makers will seek out quantitative risk data, and in so doing, start to make more informed decisions with better results, leading to more demand for risk information.
Using Data to Inform Decisions
Real-world knowledge helps businesses make more well-informed decisions. According to Dustin, “I think what we will see is a lot more risk-based decision-making can then start to happen. Organizations are going to find it easier to understand what the information is telling them. It’s going to make immediate sense.”
Having appreciated how quantitative risk data could help with decisions in areas that traditionally think about risk, Dustin says other areas of an organization will also want to adopt quantitative risk assessment.
But quantitative risk assessment isn’t common among many businesses. Dustin says, “Most organizations are not taking a risk-based approach to topics like [software] vulnerability management. By quantifying risk and providing financial terminology and financial results, it makes it much more appealing to start classifying which vulnerability patches to apply and in which order.”
Deciding which patches to apply is not the only vulnerability-related decision that quantified risk can inform.
According to Dustin, it’s important to ask questions that help determine where to spend on vulnerability work: “How do we understand how much money to spend on vulnerability scanning versus penetration testing versus code reviews and things of that nature?”
Quantified assessments can directly compare the financial costs and benefits associated with each one, giving decision-makers a set of alternatives that is much easier to understand.
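This passage, and the earlier point that a mitigation’s cost must be weighed against the benefit of taking or not taking action under a limited budget, both come down to the same calculation: how much annualized loss a control removes compared with what the control costs. The following is an added example, not code from the podcast or from LogicGate. It ranks candidate actions (patches alongside scanning, penetration testing and code review spend) by return on security investment and then picks the set that fits a fixed budget. Every name and figure is constructed for illustration; the annualized loss expectancy (ALE) values before and after each control would in practice come from a quantified assessment like the one described above.

```python
from dataclasses import dataclass

# Added example: prioritizing security spend by quantified risk reduction.
# All names and dollar figures are constructed, not taken from any source.


@dataclass(frozen=True)
class Mitigation:
    name: str
    ale_before: float   # annualized loss expectancy without the control
    ale_after: float    # annualized loss expectancy with the control in place
    annual_cost: float  # what the control costs per year

    @property
    def risk_reduction(self) -> float:
        """Dollars of expected annual loss the control removes."""
        return self.ale_before - self.ale_after

    @property
    def rosi(self) -> float:
        """Return on security investment: net benefit per dollar spent."""
        return (self.risk_reduction - self.annual_cost) / self.annual_cost


def rank_by_rosi(candidates: list[Mitigation]) -> list[Mitigation]:
    """Highest return first; anything below 0 costs more than it saves."""
    return sorted(candidates, key=lambda m: m.rosi, reverse=True)


def select_within_budget(candidates: list[Mitigation],
                         budget: float) -> tuple[list[Mitigation], float]:
    """Greedy selection by risk reduction per dollar, skipping controls that
    do not pay for themselves or do not fit the remaining budget."""
    chosen, spent = [], 0.0
    for m in sorted(candidates,
                    key=lambda m: m.risk_reduction / m.annual_cost,
                    reverse=True):
        if m.risk_reduction <= m.annual_cost:
            continue                       # negative ROSI: not worth buying
        if spent + m.annual_cost > budget:
            continue                       # does not fit what is left
        chosen.append(m)
        spent += m.annual_cost
    return chosen, spent


# Constructed candidates mixing patch decisions with assurance spend.
CANDIDATES = [
    Mitigation("Patch internet-facing VPN appliance", 400_000, 40_000, 20_000),
    Mitigation("Patch internal print server", 30_000, 5_000, 15_000),
    Mitigation("Annual penetration test", 250_000, 150_000, 50_000),
    Mitigation("Secure code review of payment service", 200_000, 80_000, 90_000),
    Mitigation("Continuous vulnerability scanning", 120_000, 60_000, 25_000),
    Mitigation("Replace all workstation monitors", 5_000, 4_000, 10_000),
]

if __name__ == "__main__":
    print("Ranked by return on security investment:")
    for m in rank_by_rosi(CANDIDATES):
        print(f"  {m.rosi:6.2f}  ${m.risk_reduction:>9,.0f} saved  "
              f"${m.annual_cost:>8,.0f} cost  {m.name}")
    chosen, spent = select_within_budget(CANDIDATES, budget=100_000)
    print(f"\nWith a $100,000 budget, spend ${spent:,.0f} on:")
    for m in chosen:
        print(f"  - {m.name}")
    print(f"Expected annual loss removed: "
          f"${sum(m.risk_reduction for m in chosen):,.0f}")
```

The ordering is the same conversation Dustin describes, only with the "high / medium / low" labels replaced by a number each function can produce in its own domain: the VPN patch and the scanning subscription come first because they remove the most expected loss per dollar, the expensive code review drops down the list despite a large absolute reduction, and the monitor replacement is excluded outright because it costs more than it saves.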
Being able to cut through the noise by using real-world feedback is a critical factor for effective decision making. Dustin says, “I think greater agility, the ability to move faster, and be more adaptable are some of the clear benefits that will come out of it.”