Measuring cyber risk in Francs, Euros, or Dollars allows security leaders to demonstrate their return on security investment (ROSI) and to work with senior executives to determine acceptable levels of risk. Ahead of the Global Cyber Conference, Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, takes the opportunity to speak with Gaurav Banga, Founder and CEO at Balbix, a leader in cybersecurity posture automation, about cyber risk quantification, the specific strengths and weaknesses of the Factor Analysis of Information Risk model, and why organizations still struggle to quantify their cyber risks. Read the interview below.
SA: First off, thank you, Gaurav, for joining us at the Global Cyber Conference. Can you tell us why it is important for organisations to quantify their cyber risks?
GB: From our perspective, CISOs should quantify cyber risk in monetary units for several reasons:
- To communicate cyber risks to senior executives, the Board, and business risk owners in a language these stakeholders understand – money units.
- To prioritise the mitigation of cybersecurity risks based on their potential business impact.
- To determine the ROI of security controls and to demonstrate the overall effectiveness of their security program in reducing risk.
SA: How advanced are organizations today in quantifying cyber risks?
GB: Very few organizations quantify risk in monetary units (e.g., Francs). Industry surveys show that 80 percent of firms use some sort of ordinal scale, e.g., risk scores from 1-10 or red-amber-green, to quantify cyber risks. Unfortunately, a risk score of 7 means different things to different people, an acceptable level of risk to some while completely unacceptable to others.
Furthermore, most organizations use qualitative human input in their risk calculations, rather than actual operational data. An example of this is the FAIR methodology for calculating risk. This subjectiveness leads to a gap between the risk numbers reported and the ground truth.
The manual-intensive nature of such risk calculation approaches limits the frequency at which risk assessments can be performed, typically once every few months. As a result, most cybersecurity decisions are based on stale information.
We are optimistic, though, as an increasing number of organizations around the world are beginning to use automation and machine learning to quantify risk via continuous and rigorous analysis of operational data. Beyond efficiency and accuracy, a key benefit of automating CRQ is that the calculated risk changes in real-time as new threats or vulnerabilities emerge, as security issues are addressed, or as various other daily changes happen in the enterprise.
SA: What are the specific strengths and weaknesses of the Factor Analysis of Information Risk (FAIR) model for cyber risk quantification (CRQ)?
GB: FAIR provides CISOs with a framework for thinking about cyber risk where risk is calculated as the product of likelihood (Loss Event Frequency in FAIR parlance) and impact (Loss Magnitude). This aspect of FAIR is sound and has proven its utility, and we utilize a similar risk equation at Balbix.
Unfortunately, FAIR has proven to be very difficult to operationalize, notably with regard to inputs and outputs. The input to FAIR is typically manual and does not scale with the complexity of the modern enterprise attack surface. This data is input by scenario-related “experts” or consultants. Often, the required data is not available and the input into FAIR is essentially made up by the consultants.
In terms of outputs, FAIR uses a (Monte Carlo) simulation model to provide a loss impact distribution – a high-level probable financial impact of risk. This output is not traceable back to issues driving the risk, nor does it provide actionable steps to mitigate risk and improve cybersecurity posture.
SA: Today there are dozens of cybersecurity tools and applications on the market. Nevertheless, most organizations still struggle to quantify their cyber risk. Why is that?
GB: Despite having dozens of security tools, most security teams we talk to have few insights. They do have mountains of data, but this data is siloed across their tools.
Some organizations have a custom process that moves data from their tools into a centralized data lake. This is followed by analysis with Excel or via business intelligence (BI) tools to calculate cyber risk.
Unfortunately, most Do-It-Yourself (DIY) projects for cyber risk quantification have not succeeded. This is primarily due to underinvestment in data engineering, machine learning, and other experts needed to implement such a system. The skills required to ingest and analyze petabyte-scale data are not easy to come by and are expensive.
Alternatively, some organizations engage outside consultants who follow a FAIR-based or similar process, with all the challenges and disadvantages of FAIR that we touched on earlier.
We built Balbix to address the challenge of automating cyber risk quantification and cybersecurity posture management. Balbix ingests data from existing cybersecurity, IT, and relevant business tools to understand every aspect of their cybersecurity posture and build a unified cyber risk model.
Unlike FAIR, Balbix calculates risk on an asset-by-asset and group-by-group basis. Security teams can trace risk (in money terms) to the underlying assets and vulnerabilities driving the risk. Balbix also provides options for remedial actions. CISOs can also slice and dice their network in dozens of ways and report on cyber risk by a line of business, by site, by the business owner, by type, etc.
Businesses can automate inventory of their cloud and on-premises assets, conduct continuous risk-based vulnerability management and quantify cyber risk in money units for better cybersecurity decisions.
SA: Thank you, Gaurav, for sharing those insights; we look forward to hearing more about it in the “Future of cyber risk quantification” track session.
At the Global Cyber Conference, Gaurav Banga hosted an expert panel on September 22, 2022 with Daniel Gisler, Group CISO at Oerlikon, and Paul Kelly, Former Global Head of Cyber Risk at HSBC, to discuss the benefits of cyber risk quantification and how companies can operationalize CRQ in their cybersecurity program.
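The interview contrasts two ways of arriving at a money figure: a FAIR-style Monte Carlo simulation that turns calibrated estimates of Loss Event Frequency and Loss Magnitude into an annual loss distribution, and an asset-by-asset model in which each asset's likelihood and impact are tracked so the total can be traced back to what drives it. The following Python is an added illustration written for this page; it is not code from Balbix, from the FAIR Institute, or from the interviewees. The three-point estimates, the asset list, and the per-asset likelihood figures are constructed sample inputs; the triangular distributions and the Poisson event count are modelling assumptions chosen for the example, not something the interview prescribes.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum).

    Modelled here as a triangular distribution; FAIR practitioners often use
    PERT-style ranges, which this example simplifies (assumption)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def expected(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(lef: Estimate, lm: Estimate, trials: int = 20000, seed: int = 1) -> list:
    """FAIR-style top-down model: sample a loss event frequency (events/year),
    draw that many loss events, and sum their magnitudes for one simulated year.
    Returns the sorted list of simulated annual losses (the loss distribution)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        events_this_year = _poisson(rng, lef.sample(rng))
        losses.append(sum(lm.sample(rng) for _ in range(events_this_year)))
    losses.sort()
    return losses


def percentile(sorted_values: list, q: float) -> float:
    """Nearest-rank percentile over an already sorted list (0 <= q < 1)."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def loss_exposure_summary(losses: list) -> dict:
    """The kind of headline figure a FAIR report produces: expected loss plus tail
    percentiles. Note what it does not contain: which assets drive the number."""
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
    }


def rank_assets(assets: list) -> list:
    """Bottom-up, traceable model: each asset carries its own yearly breach
    likelihood and impact; expected loss is likelihood x impact per asset.
    Input: list of (name, likelihood_per_year, impact_in_money_units).
    Returns (name, expected_loss) pairs, largest contributor first."""
    ranked = [(name, likelihood * impact) for name, likelihood, impact in assets]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def total_expected_loss(assets: list) -> float:
    """Portfolio risk in money units, with every term traceable to an asset."""
    return sum(loss for _, loss in rank_assets(assets))


if __name__ == "__main__":
    # Constructed sample estimates (not real figures).
    lef = Estimate(low=0.5, mode=1.0, high=2.0)            # loss events per year
    lm = Estimate(low=50_000, mode=200_000, high=1_000_000)  # loss per event
    print("FAIR-style summary:", loss_exposure_summary(simulate_annual_loss(lef, lm)))

    # Constructed asset inventory: (name, yearly likelihood, impact).
    assets = [("web-frontend", 0.2, 500_000), ("customer-db", 0.05, 4_000_000), ("laptops", 0.6, 20_000)]
    print("Per-asset ranking:", rank_assets(assets))
    print("Total expected loss:", total_expected_loss(assets))
```

The simulated mean should sit close to the analytic value, the expected frequency times the expected magnitude (for the sample inputs roughly 486,000), which is a useful sanity check on any Monte Carlo risk model before its numbers reach a board deck. The per-asset ranking is where the interview's point about traceability shows up: the total is identical in spirit to the simulation's expected loss, but each term names the asset behind it, so a mitigation can be priced by re-running the function with that asset's likelihood reduced.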