By Teresa Suarez
There seems to be a chasm between cyber risk and other business risks when it comes to decisions and expectations.
Business executives are entrusted with effectively managing a business and safeguarding its solvency. In order to manage effectively, decisions need to be well-informed. Business risk-related decisions tend to take into consideration the forecast for financial gain over some timeframe. It’s expected that a cost-benefit analysis be conducted to ensure resources are being optimized. In short, business risk decisions are made based on the outputs of financial models.
In contrast, cyber risk often remains an elusive and esoteric risk that conventional wisdom says can only be captured with qualitative ratings, such as High/Medium/Low or Red/Orange/Yellow/Green. Choosing between investing in Control A, which will reduce your High risk to Medium, or Control B, which could also reduce your High risk to Medium, is a hard decision because it’s not clear which Medium will be Medium-er risk-wise, since they both result in “Medium.” That is not optimal decision-making material. Even worse, it’s subpar because it fails to provide meaningful metrics (i.e. quantitative figures).
Cyber risk does not have to be an elusive enigma. The FAIR model can be used as a means of conducting financial modeling for cyber, technology, and operational risk. To illustrate this, I’m going to take an excerpt from Investopedia’s Financial Modeling definition and correlate it to FAIR. Investopedia breaks Financial Modeling down like this:
“A financial model tries to capture all the variables in a particular event. It then quantifies the variables and creates formulas around these variables. In the end, the model provides the analyst with a mathematical depiction of a particular business event.”
Let’s see how FAIR compares and complements.
Capturing all the variables in a particular event
The FAIR model breaks down complex problems (e.g. cyber, technology, or operational) into manageable parts. In other words, the FAIR model operates the same way that financial and economic models work: it offers a simplified representation of a complex reality. The complexity that FAIR simplifies is the potential loss exposure of a given loss event.
The FAIR model is an ontology that considers the factors (variables) that compose risk as well as the relationships between them. FAIR views risk as a derived value. So, just as speed is a value derived from the formula speed = distance/time, risk is a value derived from the formula risk = probable frequency x probable magnitude of future loss. The model further decomposes each of these two terms to show the factors that make up loss frequency and loss magnitude.
The model provides the analyst with a mathematical depiction of a particular business event
The objective of each FAIR analysis is to answer the question, “How much risk is associated with xyz loss event?” The FAIR model, when coupled with the RiskLens platform, utilizes Monte Carlo simulations and runs analysis data through an array of scenarios. The outputs of the analysis result in a distribution of possible outcomes (i.e. it provides a mathematical depiction of a particular loss event); there are also several other reporting metrics, including tables itemizing the frequency and magnitude of the given loss event.
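The two sections above (risk as a value derived from frequency and magnitude, and a Monte Carlo run that yields a distribution rather than a single rating) can be shown in a few dozen lines. The following Python is an added illustration and is not code from this post, from the FAIR standard, or from the RiskLens platform. The baseline scenario, the two candidate controls and their annual costs are constructed figures, and a triangular distribution stands in for the PERT-style curves that real FAIR tooling uses for calibrated estimates.

```python
"""Monte Carlo sketch of a FAIR-style analysis (added example, not FAIR/RiskLens code).

risk = loss event frequency (LEF) x loss magnitude (LM); each factor is an
estimated range (min / most likely / max), and simulation turns the ranges
into a distribution of annualized loss instead of a High/Medium/Low label.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one factor: minimum, most likely value, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT-style curves FAIR tooling uses.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss event: how often it occurs per year and what each occurrence costs."""
    name: str
    lef: Estimate   # loss events per year
    lm: Estimate    # loss per event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Event count for one year at expected rate lam (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Run `trials` simulated years and summarise the resulting annual-loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.lef.sample(rng))  # how many times this year
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "name": scenario.name,
        "ale": mean(losses),  # annualized loss expectancy
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "p_zero": losses.count(0.0) / trials,  # share of years with no loss at all
    }


def rank_controls(baseline: Scenario, options: list, trials: int = 10_000, seed: int = 1) -> list:
    """Rank candidate controls by expected loss reduction net of their annual cost."""
    base = simulate(baseline, trials, seed)["ale"]
    rows = []
    for scenario, annual_cost in options:
        ale = simulate(scenario, trials, seed)["ale"]
        rows.append({"name": scenario.name, "ale": ale, "reduction": base - ale,
                     "cost": annual_cost, "net": base - ale - annual_cost})
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed scenario: baseline exposure, then the two controls from the text,
# one cutting frequency and one cutting magnitude. All figures are hypothetical.
BASELINE = Scenario("baseline", Estimate(0.5, 2, 6), Estimate(20_000, 150_000, 1_200_000))
CONTROLS = [
    (Scenario("Control A (fewer events)", Estimate(0.1, 0.5, 2), BASELINE.lm), 120_000),
    (Scenario("Control B (cheaper events)", BASELINE.lef, Estimate(10_000, 60_000, 300_000)), 90_000),
]

if __name__ == "__main__":
    for row in [simulate(BASELINE)] + [simulate(s) for s, _ in CONTROLS]:
        print(f"{row['name']:<28} ALE {row['ale']:>12,.0f}  p50 {row['p50']:>12,.0f}  p90 {row['p90']:>12,.0f}")
    for row in rank_controls(BASELINE, CONTROLS):
        print(f"{row['name']:<28} cuts expected loss by {row['reduction']:,.0f}, net {row['net']:,.0f}/yr")
```

The mean of the simulated years is the annualized loss expectancy, the p90 shows how bad a tail year looks, and the ranking puts the two "Medium" outcomes from the earlier section side by side in currency, net of what each control costs, which is the comparison a qualitative rating cannot support.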
Closing the Chasm
Cyber risk is a business risk. Don’t settle for subpar decision-making material. Double down on what works, and ditch what doesn’t. Try leveraging the FAIR model as a means of analyzing cyber risks and enabling the effective prioritization of resources.