Data Viewpoint

Enterprises must adopt the right framework to effectively quantify cyber risks


The Bottom Line: Cybersecurity has become one of the top boardroom issues in recent years, so it is no surprise that CISOs are now being mandated to measure and communicate cyber risk in financial terms. Although the FAIR quantitative risk analysis model is one of the most widely recognized Value-at-Risk (VaR) models for cyber risk, enterprises are still not actively using it as a complement to their existing risk analysis processes and as a way to translate cyber risk exposure into business terms.

Quantifying cyber risk remains a complex challenge for most enterprises, especially those outside the Banking, Financial Services and Insurance (BFSI) industry. There is no one-size-fits-all method for analyzing and measuring cyber risk against business outcomes. Our latest Cybersecurity Pulse study shows that the majority of enterprises are actively using a mix of traditional risk analysis methods to help quantify their cyber risk exposure.

  • 59% of respondents are actively using vulnerability-based methods. These remain the most commonly used, providing a way to consistently scan assets, detect vulnerabilities and rate the significance of findings with a numerical score, typically the Common Vulnerability Scoring System (CVSS). Note that a CVSS base score measures the technical severity of a vulnerability, not the likelihood that it will be exploited in a given environment or the financial impact if it is, so such scores on their own do not amount to a risk quantification.
  • 53% of respondents are actively using “horizon-scanning” based methods to systematically scan internal and external data sources to identify potential threats, risks and emerging issues.

To be clear, traditional risk analysis methods are not ineffective methods, far from it. But they do not easily translate cyber risks into a business context or support a narrative that helps win executive buy-in for cybersecurity initiatives.

FAIR (Factor Analysis of Information Risk) is a standard risk taxonomy and risk quantification model established in 2013 by The Open Group, a global standards consortium, with two main goals in mind: enable CISOs to better calculate the return on security investments, and keep board members informed of the probable frequency and probable magnitude of loss events. Our latest Cybersecurity Pulse study reveals that 48% of respondents use FAIR on an ad-hoc basis and only 29% are actively using it. A large proportion of enterprises believe in the power and usefulness of FAIR, but the reality on the ground is that few of them are actively leveraging the framework. In all FAIRness, this is slightly worrying, as we would have expected far more enterprises to be using FAIR. It is no wonder that boards and executive teams are still struggling to measure the effectiveness of their cybersecurity initiatives and tie their investments back to bottom-line results.
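To make concrete what "probable frequency and magnitude" means in practice, here is an added worked example of the mechanics a FAIR analysis rests on. It is not code from HFS or from The Open Group's FAIR standard documents. The decomposition it uses (Loss Event Frequency = Threat Event Frequency x Vulnerability; Loss Magnitude = primary loss + secondary loss) is the FAIR taxonomy; the beta-PERT sampling of three-point estimates, the Poisson count of loss events per year, and the ransomware scenario inputs are this example's own assumptions, constructed for illustration and not drawn from the study. The output is the kind of figure a board can act on: an annualized loss expectancy, a 95th-percentile "cyber VaR", and the expected loss avoided by a control, which is the number that lets a CISO argue return on security investment.

```python
"""
FAIR-style Monte Carlo estimate of annualized loss exposure.

Added illustration only: not code from HFS or from The Open Group's FAIR
standard. The decomposition (LEF = TEF x Vulnerability; LM = primary +
secondary loss) follows the FAIR taxonomy; beta-PERT sampling, Poisson
event counts and the scenario inputs below are this example's assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """Calibrated three-point estimate (min, most likely, max), sampled as beta-PERT."""
    lo: float
    ml: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        if self.hi <= self.lo:          # degenerate range: a point estimate
            return self.lo
        span = self.hi - self.lo
        a = 1 + 4 * (self.ml - self.lo) / span
        b = 1 + 4 * (self.hi - self.ml) / span
        return self.lo + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Pert  # attacker attempts per year (TEF)
    vulnerability: Pert           # probability an attempt becomes a loss event
    primary_loss: Pert            # per-event cost borne directly (response, downtime)
    secondary_loss: Pert          # per-event cost from stakeholders (fines, legal, churn)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method; fine for small rates)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 0) -> dict:
    """Run the scenario `iterations` times; each iteration is one simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        annual = 0.0
        for _ in range(poisson(rng, lef)):
            annual += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(annual)
    losses.sort()

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": statistics.fmean(losses),  # annualized loss expectancy (ALE)
        "p50": pct(0.50),
        "p95": pct(0.95),                  # 95% cyber "value at risk"
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def control_value(scenario: Scenario, new_vulnerability: Pert,
                  iterations: int = 10_000, seed: int = 0) -> dict:
    """Expected annual loss avoided by a control that lowers Vulnerability."""
    before = simulate(scenario, iterations, seed)["mean"]
    after = simulate(replace(scenario, vulnerability=new_vulnerability), iterations, seed)["mean"]
    return {"before": before, "after": after, "expected_reduction": before - after}


# Constructed inputs for a hypothetical ransomware scenario (USD); not survey data.
RANSOMWARE = Scenario(
    name="Ransomware via phished credentials",
    threat_event_frequency=Pert(2, 6, 12),
    vulnerability=Pert(0.10, 0.30, 0.50),
    primary_loss=Pert(50_000, 250_000, 1_500_000),
    secondary_loss=Pert(0, 100_000, 2_000_000),
)

if __name__ == "__main__":
    r = simulate(RANSOMWARE)
    print(f"{RANSOMWARE.name}: ALE ${r['mean']:,.0f}, p50 ${r['p50']:,.0f}, "
          f"p95 ${r['p95']:,.0f}, P(any loss) {r['p_any_loss']:.0%}")
    # Hypothetical control (phishing-resistant MFA) modelled as a lower Vulnerability estimate
    v = control_value(RANSOMWARE, Pert(0.02, 0.08, 0.20))
    print(f"MFA rollout: expected annual loss reduction ${v['expected_reduction']:,.0f}")
```

The point of the structure is that every input is a calibrated range rather than a single guess, and the result is a distribution rather than a colour on a heat map: the mean feeds budgeting, the p95 is the figure to put against risk appetite, and `control_value` gives the expected loss reduction to set against the cost of a control. The ranges themselves are where the real work sits; the simulation only makes their consequences visible.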
