Why bother with CRQ?
Updated: Feb 28
Cyber Risk Quantification (CRQ) is getting hyped again as the cure-all for cyber risk management. Is it? No, because it’s not needed for every type of cyber risk management decision. And no because there is no “standard” CRQ model or process. The right CRQ tool, applied to a specific, critical risk management decision, can be useful to CISOs and credible to business leaders.
What decisions might CRQ support? One is prioritizing risks. Another is control optimization, i.e., prioritizing and justifying alternative cyber control investments. The reality is that CRQ may not be needed for the former. For the latter, a specialized version of CRQ is needed.
Cybersecurity control optimization is complex due to the dozens of deployed and potential controls, with varying levels of efficacy and costs, which must be mapped against the hundreds of adversarial tactics and techniques (MITRE ATT&CK™) across the thousands of interleaved and overlapping attack paths into and through an organization.
This specialized control optimization (CRQ/CO) model must analyze all deployed and potential controls collectively and individually to understand your security portfolio’s aggregate control strength and rate each control’s contribution to overall risk reduction.
There can be a big difference between a control’s efficacy when evaluated in isolation and its contribution to overall risk reduction. A strong control won’t contribute much risk reduction if it’s on a path that (1) sees few threats or (2) already has deployed strong controls.
Monaco Risk built just such a specialized CRQ Control Optimization (CRQ/CO) model to prioritize and justify alternative control investments. It connects each control’s individual efficacy, to its contributions to risk reduction, calculated in dollars, and visualized using Loss Exceedance Curves to show business leaders the tail risk nature of cyber loss events.
The Cyber Defense Graph™ is our core innovation. It uses causal modeling techniques to simulate attack and control actions. It provides graphical visualizations of control efficacy and your critical attack path weaknesses.
To summarize, Monaco Risk’s CRQ/CO calculates and displays the marginal utility, in dollars, of alternative control enhancements relative to your organization’s cyber threat landscape and currently deployed control portfolio thus:
Enabling collaboration between CISOs and business leaders who set cybersecurity budgets
Resolving the sometimes competing priorities between compliance requirements and security needs
Promoting cooperation between security teams and the IT teams who implement security controls
If you would like to learn about our approach, please check out our website and/or articles I have posted on LinkedIn. Or contact me via LinkedIn or our website.