Cyber Risk Quantification (CRQ): Theory vs. Practice
CRQ is appealing, in theory, because it communicates cyber risk to business leaders in dollars so they can manage cyber risk like other strategic business risks.
However, for useful results in practice, CRQ faces two key challenges:
First, to credibly estimate the likelihood of a risk (loss event), the threats, controls, and attack paths must play a central role in the CRQ model. Without including all three, the process is little more than a guessing game.
In addition, since each risk involves thousands of potential attack paths into and through the organization, the efficacy of all the controls on those overlapping attack paths must be analyzed collectively to calculate which ones will have the biggest impact on overall risk reduction in dollars.
Justify Control Investments
Compare the financial impact on risk of alternative control investments to the status quo using Loss Exceedance Curves.
Financial analysis is derived from Monaco Risk's Cyber Defense Graph simulation software. The nodes of the graphs are controls and the edges are attack paths.
Move Cybersecurity from Compliance-based Risk to Risk-based Compliance
Compliance-based risk management is adequate for basic certifications and accreditations.
Risk-based Compliance means using the risks of concern to leadership to drive the security program.
Compliance frameworks define what you need. Risk analysis provides the context for how you meet those requirements with controls.
Bridge the cybersecurity-business risk gap by connecting control efficacy metrics to cyber-related business risk in dollars
Monaco Risk provides decision-support software and services that bridge the gap between security teams who generate control metrics and business leaders who manage strategic risks in financial terms.
This enables CISOs and their security teams to collaborate with business leaders to set and optimize cybersecurity budgets, select alternative risk mitigation investments, and establish a mutual understanding of risk appetite and tolerance.
Monaco Risk's Cyber Defense Graph technology ranks controls' abilities to detect adversarial tactics and techniques across all attack paths. Then Monaco Risk's financial models calculate their relative contributions to risk reduction and display the results using Loss Exceedance Curves.
Justifying cybersecurity investments to skeptical business leaders can be difficult. Presenting a financial analysis of a single proposed investment is inadequate because it does not include a comparison of the alternatives that were considered. Conversely, the ability to rank the impact of alternative investments in financial terms increases credibility and the likelihood of approval.
In addition, business leaders need to understand the relevance of the proposed cybersecurity investment to the loss events which they are concerned about.
Monaco Risk's process and software address both of these issues. For each risk of concern to business leaders, Monaco Risk's Cyber Defense Graph statistically models attack paths and the related controls that prevent and detect adversarial techniques.
The Cyber Defense Graph's ability to take attack paths into consideration is critical because a strong control may not reduce risk significantly if it's on a path that does not see many threats, or on a path with other strong controls.
For each risk of concern to business leaders, Monaco Risk generates a Loss Exceedance Curve chart that compares the baseline (status quo) with alternative controls' impacts.
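As an added illustration of the approach described above, and not Monaco Risk's software or model, the following Python script builds a small defense graph: controls are nodes, each attack path is the sequence of controls an attempt must get past, and a control counts only on the paths it sits on. It computes the closed-form annualized loss for the status quo, ranks three candidate investments by their reduction in expected annual loss, and draws Monte Carlo Loss Exceedance Curve points for the baseline versus the best alternative. The scenario makes the point about path context concrete: a strong control on a path that sees few threats (the vendor jump host) buys little, and a control added to a path that already carries two strong controls (the second email filter) reduces loss by far less than its standalone efficacy suggests. All control names, efficacies, threat frequencies and loss figures are constructed assumptions.

```python
"""Toy CRQ model: controls as nodes on attack paths, Monte Carlo Loss Exceedance Curves.
Hypothetical, constructed example; the names and numbers are not Monaco Risk's."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    efficacy: float  # P(control prevents or detects an attempt that crosses it)


@dataclass(frozen=True)
class AttackPath:
    name: str
    threat_frequency: float  # expected attempts per year that reach this path
    controls: tuple          # names of the controls an attempt must get past


@dataclass(frozen=True)
class Risk:
    name: str
    loss_median: float  # median loss per successful event, in dollars
    loss_sigma: float   # log-space standard deviation of the loss
    paths: tuple


def breach_probability(path, controls):
    """An attempt succeeds only if every control on the path misses it."""
    p = 1.0
    for name in path.controls:
        p *= 1.0 - controls[name].efficacy
    return p


def expected_annual_loss(risk, controls):
    """Closed-form ALE: sum over paths of attempts x breach probability x mean loss."""
    mean_loss = math.exp(math.log(risk.loss_median) + risk.loss_sigma ** 2 / 2)
    breaches = sum(p.threat_frequency * breach_probability(p, controls) for p in risk.paths)
    return breaches * mean_loss


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(risk, controls, years=5000, seed=7):
    """Monte Carlo: one total loss figure per simulated year."""
    rng = random.Random(seed)
    mu = math.log(risk.loss_median)
    losses = []
    for _ in range(years):
        total = 0.0
        for path in risk.paths:
            # Thinning a Poisson(freq) attempt stream by the breach probability gives Poisson(freq * p).
            breaches = poisson(rng, path.threat_frequency * breach_probability(path, controls))
            total += sum(rng.lognormvariate(mu, risk.loss_sigma) for _ in range(breaches))
        losses.append(total)
    return losses


def loss_exceedance_curve(losses, thresholds):
    """P(annual loss >= t) for each threshold t: the points of the LEC."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x >= t) / n) for t in thresholds]


def with_control(risk, controls, control, path_names):
    """Return (risk, controls) with `control` appended to every named path."""
    new_controls = dict(controls)
    new_controls[control.name] = control
    new_paths = tuple(
        AttackPath(p.name, p.threat_frequency, p.controls + (control.name,))
        if p.name in path_names else p
        for p in risk.paths)
    return Risk(risk.name, risk.loss_median, risk.loss_sigma, new_paths), new_controls


def rank_alternatives(risk, controls, alternatives):
    """Rank candidate investments by ALE reduction versus the status quo."""
    baseline = expected_annual_loss(risk, controls)
    ranked = []
    for label, (control, path_names) in alternatives.items():
        alt_risk, alt_controls = with_control(risk, controls, control, path_names)
        ranked.append((label, baseline - expected_annual_loss(alt_risk, alt_controls)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return baseline, ranked


# Constructed scenario: three paths into one loss event, hypothetical figures throughout.
CONTROLS = {c.name: c for c in (
    Control("email_filter", 0.7), Control("edr", 0.6), Control("vpn_mfa", 0.9))}
RISK = Risk("ransomware outage", loss_median=500_000, loss_sigma=0.8, paths=(
    AttackPath("phishing_to_endpoint", 12.0, ("email_filter", "edr")),
    AttackPath("stolen_creds_to_vpn", 6.0, ("vpn_mfa",)),
    AttackPath("vendor_remote_access", 0.5, ())))
ALTERNATIVES = {
    "segmentation on all paths": (Control("segmentation", 0.5),
                                  {"phishing_to_endpoint", "stolen_creds_to_vpn", "vendor_remote_access"}),
    "second email filter": (Control("email_filter_2", 0.6), {"phishing_to_endpoint"}),
    "vendor jump host": (Control("vendor_jump_host", 0.8), {"vendor_remote_access"}),
}

if __name__ == "__main__":
    base, ranked = rank_alternatives(RISK, CONTROLS, ALTERNATIVES)
    print(f"baseline ALE: ${base:,.0f}")
    for label, reduction in ranked:
        print(f"  {label:28s} reduces ALE by ${reduction:,.0f}")
    thresholds = [250_000, 1_000_000, 5_000_000]
    best_risk, best_controls = with_control(RISK, CONTROLS, *ALTERNATIVES[ranked[0][0]])
    base_lec = loss_exceedance_curve(simulate_annual_losses(RISK, CONTROLS), thresholds)
    alt_lec = loss_exceedance_curve(simulate_annual_losses(best_risk, best_controls), thresholds)
    for (t, p_base), (_, p_alt) in zip(base_lec, alt_lec):
        print(f"  P(loss >= ${t:>9,}): baseline {p_base:.2f}  vs  {ranked[0][0]} {p_alt:.2f}")
```

The ranking uses the closed-form expected loss so that it is free of simulation noise; the Monte Carlo run is only needed for the exceedance curve, which business leaders read as "probability of losing at least X in a year". Swapping the order of controls on a path does not change the result here because the model treats control outcomes as independent; a real tool would need data on how controls interact on the same path.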
Justify control investments based on the financial impact on the risks of concern to business leaders
Move Cybersecurity from Compliance-based Risk to Risk-based Compliance
Compliance-based Risk is our term for a risk management process that’s adequate for basic certifications and accreditations. But it does not help security teams prioritize and justify control investments or help executives set cybersecurity budgets to manage cyber-caused business risks.
Risk-based Compliance is our term for a process that treats cyber risk as a strategic business risk. Instead of risk management being just a component of a compliance framework, it becomes the overarching driver of the security program. It provides the context for making the necessary trade-offs that inevitably arise due to limited budgets and resources.
Compliance frameworks describe Requirements and Practices, i.e., what must be done. How you allocate budget to meet them is about prioritizing and justifying investments in Controls.*
*Controls involve people, processes, and technologies. They include policies, procedures, safeguards, and countermeasures. In other words, Controls are what you have control over.