A Tale of Two Threats

How Data and Risk Quantification Shape Today’s World

The cyber-world is no different than today’s physical world for businesses. 74% of U.S. executives place cyber risk among the top three risks their companies face, according to a recent survey by Harvard Business Review Analytics (sponsored by PwC.)

Furthermore, 77% percent of these companies have already completed or started a quantification process to quantify these threats financially. FAIR has been the most popular choice for quantification methodology among these efforts.

Acting Among the Unknowns

Our lives have changed irreversibly since the outbreak of Covid-19. First, we started to take a more proactive approach to life. We now have to be cautious against the unknowns. We avoid crowded places and rely on protective measures such as masks and shields. This is perhaps the exact definition of a “risk-aware attitude” in a physical world.

This same mentality holds for businesses and their ecosystems, namely their cyber landscape.

As attack vectors and new business models emerge from these threats, cyber risk management rises to the forefront of the list. Now you can see why of the 168 US executives surveyed by Harvard Review Analytics, 74% of the respondents named cyber risk as one of the top three risks their companies face. Business interruption risk and device failures fall second on the ranked list, cited at 42%.

How COVID-19 Altered the Cyber Risk Perspective

44% of respondents say better and more granular quantification of cyber risks is one impact of the COVID-19 crisis on cybersecurity.

Risk professionals and in particular cyber risk professionals are now aware that old-school methods are not catching up with the new normal. COVID-19 cast an immense strain upon every facet of our society, affecting the way we will live, interact, and conduct business for decades to come. We live in a data-driven world. With the onset of pandemics, “governments and health organizations have relied heavily on its systems to make informed decisions”. ^[4]

Data analytics, in particular, Descriptive Analytics, Diagnostic Analytics, Predictive, and Prescriptive Analytics ^[2] have been adopted by healthcare organizations, decision-makers, and companies at large. Drilling down into data, detecting anomalies, identifying correlations, and forecasting future trends were among the methodologies used for combating the disease.

Just as the data has enabled delivering infection and immunity rates, projections that present ideal disease testing locations, predict consumer spending patterns, and evaluate decisions regarding the entire product and service ^[2], the enormous growth in data on cyber risk now enables us to make granular and sophisticated risk estimations.

Cyber risk managers need actionable numbers in their risk management process to better direct their budget and focus their resources on managing the highest risks.

Quantification Needed

With the enormous data on cyber events, threats, and costs ^[3], it’s quite clear why risk quantification is a must.

“By determining the likely financial impact of different threats, you can direct finite resources to fend off the greatest threats,” says PwC’s survey. In PwC’s Global Digital Trust Insights 2021 survey, 17% of cyber managers said they have already done this, and 60% are starting to.

FAIR has been found to be the most popular choice for quantification methodology, already used by 9% of survey respondents with over 10,000 employees and 17% with under 10,000 employees. The Open FAIR© methodology defines risk as ”the probable frequency and probable magnitude of future loss associated with a specific event,” or the “economic impact” ^[5]. Having agreed on this definition of risk, it is very easy to understand the economic impacts of third parties, based on your existing work in classification.

These statistics also show FAIR isn’t solely for big companies. 77% of the respondents claim they are initiating some form of risk quantification or plan, with a majority highlighting the need to improve cyber risk management and to prioritize cybersecurity spend.

The top use cases for risk quantification has been:

55% – Continuously evaluate our risk landscape and priorities against changing business objectives
46% – Help evaluate and communicate risks in line with a defined risk tolerance
36% – Identify and justify improvements to, or transformation in, protective capabilities
34% – Measure and compare various threats and risk events on an apples-to-apples basis

Ecosystems & Their Third Parties

An ecosystem includes a variety of living things and nonliving things in a given area interacting with each other. Think of your small ecosystem, the ones you live with, your habitat, and their way of interaction with the outside world. Also realize a threat cast to one of the elements in your ecosystem means a threat to you.

A cyber ecosystem similarly comprises a variety of participants digitally linked to each other. With the core business centered at the heart, the players of a cyber ecosystem may vary from private firms, non‐profits, governments to processes, cyber devices, and even human beings.

We call the entities in such an ecosystem “third parties”. A risk-based examination of third parties is strategic and yields better decisions and outcomes. However, critical elements of good risk management get lost in classification-based systems. Without proper analysis of the third party, appropriate key indicators cannot be identified for that third party, the wrong processes may be automated, resulting in wasted resources and flawed decisions.

The FAIR methodology allows you to move to a true risk-based impact view versus a classification-based approach to risk management. With this information in hand, you can now further improve our understanding of third party risk by aligning a given third party engagement to the corporate risk appetite/tolerance levels. This view will allow you to make more informed decisions on where to best expend precious TPRM resources and better reduce the uncertainty of your risk exposure.

HOW Black Kite HELPS

Risk quantification is no longer a luxury in today’s world. We know that it is a must for businesses to harvest the data and bring in meaningful numbers to their organizations, just like we rely on data and indicators or risk to survive amid the pandemic.

With the Black Kite Open FAIR model, CISOs, CROs, and CFOs have an automated tool that measures the probable financial impact of cyberattacks against your company or your vendors, suppliers, and trading partners — and communicates risks in quantitative, easy-to-understand business terms.

Having the capacity to use an Open FAIR™ assessment at scale for third-party risk management elevates a risk management program. This tool will help attain the goal of cost-effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of risk factors across the organization.

Receive a free fair analysis report on your company. See the probable financial impact ($$$) to your company, vendors, suppliers, or trading partners.