Making your cyber risk analysis decision relevant | Cyber Risk Management | Quantitative Risk Analysis | Decision Support
Model: Quantify and compare risks from your cyber risk matrix. Let me know if you would like a copy!

Many of us are/have been using risk matrices for analyzing and reporting cyber risks. I've had a hard time comparing and aggregating risks in a matrix. It's also always been difficult to explain the legitimacy and usefulness of the matrix to subject matter experts and decision makers. (And risk matrices have built-in flaws, like risk inversion and range compression.)

Quantifying your risks can help with all of the above. I've made a model that lets you compare up to 2 items from your matrix. You don't need any calculations or new estimates.

1) Select 1 or 2 items from your matrix.
2) Read the upper and lower boundaries for both the probability cell and the impact cell for each.
3) Plot the values in the calculator.

You get common statistics and a very nice graph for comparison instantly! The calculator is made without macros, data connections or data tables. All calculations are open for scrutiny and the basic calculations are explained with links to YouTube videos.
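The three steps above (read each cell's boundaries, feed them to a calculator, get statistics and a comparison) as an added Python example; this is not the author's spreadsheet. The cell boundaries, the row-times-column matrix scoring and the uniform-inside-a-cell distribution are constructed assumptions, and the two items are chosen to show the risk inversion the post mentions: the matrix ranks B above A, the quantified expected annual loss ranks A above B.

```python
import random
import statistics

# Constructed example scales (assumption, not the post's calculator): each
# matrix cell is read as its lower and upper boundary, as the post describes.
PROB_CELLS = {  # cell name: (lower, upper) probability the event occurs in a year
    "rare": (0.01, 0.10), "unlikely": (0.10, 0.30), "possible": (0.30, 0.60),
    "likely": (0.60, 0.90), "almost certain": (0.90, 1.00)}
IMPACT_CELLS = {  # cell name: (lower, upper) loss per event, currency units
    "minor": (10_000, 50_000), "moderate": (50_000, 250_000),
    "major": (250_000, 1_000_000), "severe": (1_000_000, 5_000_000)}

def matrix_score(prob_cell, impact_cell):
    """Ordinal score a typical matrix assigns: row index times column index."""
    return (list(PROB_CELLS).index(prob_cell) + 1) * (list(IMPACT_CELLS).index(impact_cell) + 1)

def simulate_annual_loss(prob_cell, impact_cell, trials=20_000, seed=1):
    """Monte Carlo samples of one year's loss from the two cells' boundaries.
    Assumption: values are uniform inside a cell; the post does not say which
    distribution its calculator uses."""
    rng = random.Random(seed)
    p_lo, p_hi = PROB_CELLS[prob_cell]
    i_lo, i_hi = IMPACT_CELLS[impact_cell]
    losses = []
    for _ in range(trials):
        occurs = rng.random() < rng.uniform(p_lo, p_hi)  # does the event happen this year?
        losses.append(rng.uniform(i_lo, i_hi) if occurs else 0.0)
    return losses

def summarise(losses):
    """Common statistics a decision maker wants: mean, median, 90th percentile, max."""
    s = sorted(losses)
    n = len(s)
    return {"mean": statistics.fmean(s), "p50": s[n // 2], "p90": s[int(0.9 * n)], "max": s[-1]}

def compare(item_a, item_b):
    """Does each method rank item_a at or above item_b? Returns (matrix, simulation)."""
    by_matrix = matrix_score(*item_a) >= matrix_score(*item_b)
    mean_a = summarise(simulate_annual_loss(*item_a))["mean"]
    mean_b = summarise(simulate_annual_loss(*item_b))["mean"]
    return by_matrix, mean_a >= mean_b

if __name__ == "__main__":
    # Two items that a 5x4 matrix scores 8 and 10, i.e. it ranks B above A.
    a, b = ("unlikely", "severe"), ("almost certain", "moderate")
    for item in (a, b):
        print(item, "matrix score:", matrix_score(*item), summarise(simulate_annual_loss(*item)))
    print("matrix ranks A >= B:", compare(a, b)[0], "| simulation ranks A >= B:", compare(a, b)[1])
```

Item A's median annual loss is zero (it happens in roughly one year in five) while its mean and 90th percentile dwarf B's, which is the kind of tail information a single matrix cell compresses away.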
It’s an interesting approach, but if it’s starting from a flawed place (risk matrices), aggregation just loses even *more* of the critical context a business leader needs to make an informed, risk-based decision. I applaud your intent in trying to help solve the problem, but I’m not sure this does what’s really necessary. Context is *everything* in risk, and it’s not about comparing numbers and “magic math” used to calculate risk scores from risk matrices. There are better ways to do what people need that are really focused on the objectives they want to achieve, not numbers created for the sake of fitting into a risk matrix.
Sure … I need to know how something that cannot be measured can be measured 😀
What probability distribution function are you using for calculating worst case loss (tails), and why?
May I have a copy?
Nope … we won’t. Nope … it’s not the same … and costs a lot less. First you implement a scanner - we have one. Then you know what’s going on. Then the business looks into the dashboard - there are two main areas … one called ‘THE ATTACK SURFACE’, the other one called ‘THE PROTECT SURFACE’ … The Attack Surface is full of all the ‘vulnerable stuff’ that will bring your business (digital environment) down … the other one (that’s Zafepass) will be empty (for now). Now the business can easily focus on moving one element at a time … getting IT back in the control seat, moving one element (digital resource) at a time into The Protect Surface … aka the Controlled Protected Environment. As the scanner runs daily … everyone can follow progress, can see when resources are gone from the Attack side to now reside in the Protect side. Ask anyone on the planet to try to breach what is in The Protect Surface. So it’s darn simple … and just to make most readers go mad … what is a threat? To you? To me? If I can avoid the force of any attack - am I threatened then?
Very innovative! Aggregating risk using only matrices is exactly one of the many reasons why quantitative models were developed in the first place. We need to be able to understand how various risks - cyber or otherwise - are related to and augment one another if we want to find the most optimal, cost-effective ways of managing them. As you mentioned, it also makes results much more explainable and reliable. Would definitely like a copy.
Does the fact that your scales are non-linear impact your calculations in surprising/counter-intuitive ways? Would be interested and definitely have to watch your videos…
I’d like to have a copy! And, if you’re up to it, a discussion around your experiences of presenting a quantitative risk analysis to decision makers. I have my ideas why quantitative methods are the only functional way to integrate cybersecurity into business risk. But it would be interesting to hear your thoughts, since cybersecurity is about to become a strategic matter and a management responsibility. What is it they feel they understand now, or better than before?
CONNECT WITH ME TO GET A COPY. I'm barred from initiating more connections, but send a PM. That way I won't miss your request.