Jeff B. Copeland
The RiskLens platform automates cyber and technology risk analysis and risk assessment based on Factor Analysis of Information Risk (FAIR™), the standard for risk quantification.
What does a FAIR risk assessment example look like? Here’s a quick look at the process and the outcomes.
FAIR analysis breaks down risk into factors that can be quantified (in counts, percentages or dollar figures) to estimate the probable frequency and probable magnitude of loss. From that we can generate a range of probable outcomes in financial terms to understand our loss exposure.
But before we can start filling in the factors with numbers, we need to clarify or “scope” a loss event we want to analyze.
Scoping a Risk Analysis
FAIR Risk Example Scenario:
To scope an analysis, we first define the business decision we are trying to support (say, how to justify or prioritize security budget investments), then identify the relevant asset (a customer information database, an ecommerce application, etc.), then focus on the probable threats (insiders, criminal hackers), the type of loss that concerns us (confidentiality, availability, integrity) and exactly how the loss would take place, summed up in a loss event or risk scenario.
“Analyze the risk associated with a privileged insider intentionally disclosing the information contained in our customer relationship management database.”
(The guided workshop on the RiskLens platform ensures that you start with a well-formed risk scenario.)
Learn more: How to Scope a Risk Analysis Using FAIR
Data Collection with the RiskLens Workshop
With the specifics of our loss event scenario in mind, we collect the data we need for analysis. Again, the RiskLens platform workshop format guides the process, for instance, to enter estimates including:
- Frequency – How often would a malicious insider likely attempt to exfiltrate PII data?
- Vulnerability or Susceptibility – How strong are our defenses, instance, for data loss prevention – what percentage of the time would a privileged insider succeed in breaking through them?
- Magnitude: What would be the likely legal costs and penalties from losing control of confidential customer information?
Where in-house subject matter experts can’t supply hard estimates, RiskLens can step in with plug and play data collected from industry sources and curated by our Data Science team, greatly simplifying the data collection phase.
Learn more about collecting frequency and magnitude data.
Tip: Think you don’t have enough data? FAIR techniques help you maximize the value of your data at any level. Learn more: Quantitative Risk Analysis: You Have More Data Than You Think.
Run FAIR Risk Analysis
The RiskLens platform runs the data collected for the FAIR factors through 50,000 calculations in a Monte Carlo simulation engine (also widely used in financial and scientific research) to generate a range of probable outcomes in loss exposure for our scenario – results in dollar terms that can be sliced and diced into many views for unprecedented granularity of analysis in cyber and technology risk.
Some reporting capabilities of the RiskLens platform:
Rapid Risk Assessment
Quickly assess many risk scenarios around a common theme (e.g., insider threats), an asset (crown jewel database), a business unit or the entire enterprise, and prioritize them for their probable loss exposure in dollars.
Guide to Using Rapid Risk Assessment on the RiskLens Platform
Detailed Top Risk Analysis
Run an in-depth Top Risk Assessment on each of the most urgent scenarios identified by Rapid Risk Assessment. This is an opportunity to gather data more intensively from subject matter experts, including the relevant history of cyber incidents, the probable threat actors, the costs associated with incident response or secondary effects such as lawsuits, and the controls in place
How to Conduct a Detailed Analysis of a Top Risk on the RiskLens Platform
Aggregated Risk Assessment
Aggregate multiple scenarios into risk assessments for deep insights into the loss exposure of the organization, for instance by type of threat actor or asset.
Report on Risk to Stakeholders, the C-Suite or the Board
The RiskLens platform outputs reports that are easy to follow for upper management or non-technical stakeholders, because they’re in the financial language of business – loss exposure in dollar values.
Here are some FAIR risk assessment example reports:
Phishing Risk
Top Risks
Risk by Asset
Tip: If stakeholders are used to receiving cyber risk reports in qualitative, high-medium-low terms, it’s fairly easy to bring the rigor of quantitative analysis to heat maps and the like. Read this: How to Create Worthwhile Qualitative Risk Analysis Presentations Based on Quantitative Results
Export RiskLens Reports for Easy Presentation of Cyber Risk Assessments
Through APIs, reports from the RiskLens platform can be exported to a GRC or dashboard application such as Tableau. The platform also exports to native PowerPoint presentations. Here’s an example of a PPT export:
Tip: Think Fast – Justify and Prioritize Cybersecurity Investment Decisions in an Hour
Decision Support Based on FAIR Risk Assessment
Based on RiskLens FAIR analysis, organizations get a clear directional picture of their top risks to prioritize mitigations – but through the Risk Treatment Analysis capability of the RiskLens platform, they gain an extra level of decision support by comparing alternative risk treatment options for their effect on reduction of risk from a current state, in financial terms. FAIR analysis can assess the return on investment of adding or enhancing new controls or security processes, as well as see if existing controls are justifying their cost.
FAIR Risk Assessment Examples: RiskLens Case Studies
Get a detailed picture of how FAIR risk assessment guided informed decision-making for these RiskLens clients:
Finance Company Assesses Risk of Data Breach from Shared Storage
Operational Risk from Outage of a Manufacturer’s Order Fulfillment System
Evaluating ROI of Data Loss Prevention Controls
For a demo of FAIR risk assessment on the RiskLens quantitative risk analysis platform – Contact Us