Advances in the Quantification and Management of Risk

There’s a certain type of scoffer who mocks people who are concerned with risk by saying, “You take a risk going out of your house in the morning…” In other words, life is risky, so deal with it. Take the risk. Don’t overthink the risks you face. You could be dead five minutes from now, after all.

True, but what about the rest of us normal people who want to stay safe and live to fight another day? We have the disciplines of risk quantification and risk management. It is possible to estimate the financial impact of a risk, within a certain range. It’s also possible to manage risks as a way to mitigate their potential financial impact.


What Is the Potential Financial Impact of a Risk?

Jack Jones, Co-Founder of RiskLens, has addressed himself to this question for many years. His origin story in risk quantification involves time spent as Chief Information Security Officer at a large insurance company. As he recalls, he went to the firm’s CEO asking for additional budget for cyber security. The CEO asked an obvious question that turned out to be difficult to answer.

“What will it cost us if we don’t make these improvements in security and something goes wrong?” asked the CEO. Jones’ answer at the time was, “I don’t know… a lot.” The CEO then asked, “If we make the investment, how will that change the cost impact of the security problem?” Jones responded, “It will be less.”


Jones had two realizations at that moment. One was to see how the CEO’s questions were totally appropriate and relevant. The other was that he needed much better answers than “I don’t know” and “The risk will be less” if he wanted to get budget for security. Security is a business issue. Security managers need to talk about their work in terms of dollars and probabilities. Vague requests will never accomplish much.

Jones then went on to develop the FAIR model, a framework that can reliably measure cyber risk in qualitative and quantitative terms. FAIR has been adopted by The Open Group. The FAIR Institute, a non-profit, has more than 5,000 members worldwide. Its goal, as Jones explained, is to lift the profession out of the “dark ages” of risk measurement.

RiskLens commercializes the FAIR model. It works using a process comparable to classic “decision theory,” borrowed from the field of economics. In simple terms, the process identifies a cost for a predicted event and then determines a present value for the risk based on the probability of it occurring. Thus, a 1% probability of a billion-dollar cyber loss might be valued at $10 million. It is wise to spend up to $10 million mitigating this risk.

Obviously, RiskLens’s process is more complex and nuanced than this example, but the basic idea should be clear. RiskLens is complementary to threat intel processes. The tool can assign values to newly discovered threats. The goal is to translate threats into a financial assessment of risk exposure. RiskLens can also be used to do “what if” modeling of potential threats, which is also useful in security planning. The company allies itself with MSSPs and partners with the major consultancies. It also integrates with RSA Archer as well as with solutions like ServiceNow.
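The probability-times-impact arithmetic above, extended to the range-based estimate the article alludes to: the added Python below (an illustration written for this page, not RiskLens or FAIR Institute code) samples loss-event frequency and loss magnitude from (min, most likely, max) ranges, produces a loss exceedance summary, and compares a control's cost with the reduction in mean annual loss. All ranges and costs are constructed for illustration.

```python
import math
import random
import statistics

def expected_annual_loss(probability, loss_magnitude):
    """Point estimate used in the article: probability x impact (1% of $1B = $10M)."""
    return probability * loss_magnitude

def _poisson(rng, lam):
    """Knuth's method; adequate for the small yearly event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_losses(freq_range, magnitude_range, years=10000, seed=7):
    """Monte Carlo over (min, most_likely, max) ranges: loss events per year and
    dollars per event, each sampled from a triangular distribution."""
    rng = random.Random(seed)
    f_lo, f_ml, f_hi = freq_range
    m_lo, m_ml, m_hi = magnitude_range
    losses = []
    for _ in range(years):
        rate = rng.triangular(f_lo, f_hi, f_ml)  # argument order: low, high, mode
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml) for _ in range(events)))
    return losses

def loss_exceedance(losses, percentile):
    """Annual loss exceeded in only (100 - percentile)% of simulated years."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(len(ordered) * percentile / 100))]

def summarize(losses):
    return {"mean": statistics.fmean(losses), "p50": loss_exceedance(losses, 50),
            "p95": loss_exceedance(losses, 95), "p99": loss_exceedance(losses, 99)}

def worth_spending(control_cost, losses_before, losses_after):
    """A control pays for itself if it cuts mean annual loss by at least its cost."""
    return statistics.fmean(losses_before) - statistics.fmean(losses_after) >= control_cost

if __name__ == "__main__":
    # Constructed ranges for illustration, not figures from RiskLens or the article.
    before = simulate_annual_losses((0.005, 0.01, 0.02), (2e8, 1e9, 1.5e9))
    after = simulate_annual_losses((0.002, 0.004, 0.008), (2e8, 1e9, 1.5e9), seed=8)
    print(summarize(before))
    print("worth $1M for the control?", worth_spending(1e6, before, after))
```

The median year shows zero loss while the mean sits near $10M, which is why a single expected-value figure understates how lumpy a rare, large loss actually is.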


What to Do about Risk

Putting a dollar value on your risk exposure is an essential, but incomplete step in risk mitigation. You have to then do something about it. To this end, a number of vendors provide solutions for risk management.

Symmetry, for example, offers ControlPanelGRC, a platform for Governance, Risk and Compliance (GRC) and Continuous Controls Monitoring (CCM) for SAP environments. ControlPanelGRC automates compliance processes that have traditionally been manual. Given the prevalence of SAP as a core financial and operational management system, it’s natural that many serious financial and compliance risks emanate from the SAP stack. ControlPanelGRC enables efficient management of those risks, particularly access controls like Segregation of Duties (SoD).

LogicGate is similarly involved in offering solutions for operationalizing risk management. Their solutions function a bit like Business Process Management (BPM) tools. The advantage of this approach is that it enables non-specialists to participate in the risk management process. “In a big company, the people who are accountable for risk management, the C-Suite, may be removed from the operational side of the process,” explained Matt Kunkel, CEO of LogicGate. “Our solution provides a connector between operations and risk management leadership. This makes it possible to align the functional aspects of risk management with leadership priorities.”


LogicGate gives end users a Visio-like application to build risk quantification and management processes. It has templates for risks and controls. “Our goal is to help the customer reduce the person-power required to engage in meaningful risk management,” Kunkel added. “The big, framework-centric approach which is favored by the major consultancies is not suitable for everyone.”

Photo Credit: ahmtpsyc Flickr via Compfight cc