Cyber Risk Quantification (CRQ): What Are the 6 Keys to Success?
You need to make the right decisions to ensure the resilience of your organisation, and that means measuring the financial impact of cyber risk on your business. In other words, you’re ready to get started with Cyber Risk Quantification (CRQ)!
In practical terms, CRQ allows you to:
- Better understand the risks faced by an organisation and prepare for them;
- Establish a common language between the technical teams and the rest of the stakeholders in the organisation’s cybersecurity strategy;
- Demonstrate the effectiveness of a security programme and manage it;
- Increase your credibility with high-level stakeholders;
- Align cyber risk with the other risks faced by the company.
Cyber risk quantification is a structured, mathematical approach that defines an organisation’s level of risk and exposure. There are several methodologies for doing this, the FAIR method being the most widely used.
Where to start? How can CRQ be integrated into an organisation’s practices? Here are 6 tips on how to get started with a quantification solution and reliably estimate your cyber risk exposure.
1. Operational or strategic: define the objectives for quantifying cyber risk
To use CRQ effectively, you need to define your objectives and expectations of the method. What are the specific priority use cases you need to address? These may be both operational and strategic. Quantifying cyber risk enables you to address the challenges of prioritising risks, managing your cybersecurity programmes and communicating with management committee members.
For example, it can meet the following objectives:
- Justify cyber security investments
- Optimise spending on upgrading existing infrastructure and applications
- Make tactical decisions, such as estimating the potential payout in a ransomware incident and optimising insurance premiums
- Assess mergers, acquisitions or divestment decisions, and provide high-level assurance for due diligence activities
This process of defining objectives is fundamental to your efforts to quantify cyber risk, and may also be useful (or even mandatory) in the context of certain regulations (DORA, NIS, SEC, etc.) that provide a framework for risk management strategy.
By defining objectives, you establish yourself as a “trusted advisor” to your employees, but also to the business lines and management, playing a proactive role in improving the organisation’s resilience and reducing overall exposure to risk.
Who are the stakeholders in defining the objectives?
- ComEx (executive committee)
- CISO/ISD
Citalid’s recommendations
We recommend demonstrating the possibilities offered by CRQ using the most common and most profitable use cases, such as prioritising cybersecurity investments by their return on investment, or taking out or renewing a cyber insurance policy. Illustrated in this way, stakeholders’ expectations of the quantification project are aligned from the outset.
2. Understand the mechanics of business value creation at a granular level
Quantifying cyber risk by generating financial metrics allows you to speak the same language as the company board. It is therefore an additional way of demonstrating your understanding of the organisation’s business model and the impact of cyber risk on it. Again, by speaking the language of the business, you adopt the stance of a ‘trusted advisor’, facilitating communication between all stakeholders in the organisation’s cybersecurity strategy.
At this stage, you will be modelling the value of the assets, which will enable you to take stock of how the organisation operates. This is fundamental knowledge for your CRQ journey, as it is necessary to accurately quantify your organisation’s financial exposure to cyber risk, but also to ensure your role as a trusted advisor.
What are the prerequisites for this approach?
To begin this process, consult your organisation’s annual report, which should contain much of the data you need to gain a comprehensive view of value drivers, and plan interviews with each business unit.
Thanks to these elements, you will have a precise and granular view of the organisation’s business drivers and will be all the better equipped to link the risk quantification results to the operational reality of the business.
Thanks to this approach, you will be able to define the organisation’s critical assets, as well as the candidates for asset acquisition and the organisation’s level of dependency on IT infrastructures.
Who are the stakeholders needed at this stage?
- ComEx (executive committee)
- Other departments
Citalid’s recommendations
Any form of risk analysis requires you to dig deep into your organisation’s strategy and operations to understand the context of risk scenarios. It is also important to strengthen links with all stakeholders, both strategic and operational.
For greater effectiveness, we invite you to focus this study on the company’s value chain.
3. Defining relevant risk scenarios
What is it?
Cyber Risk Quantification (CRQ) generates estimates of financial impact based on scenarios. These risk scenarios can be complex to identify and materialise, as they have never occurred before. Start by defining the high-level risk scenarios that can be truly significant for the organisation.
What are the prerequisites for this approach?
To define relevant risk scenarios, it is necessary to understand the landscape of cyber threats to which the organisation is exposed. To do this, we can rely on cyber threat intelligence (CTI), a discipline based on intelligence techniques and aimed at identifying and analysing cyber threats. The historical background of incidents encountered by the company is also a relevant source of information for identifying the company’s vulnerabilities and carrying out this stage successfully.
Who are the stakeholders needed at this stage?
- CISO
- Risk Managers
- Security Analysts
- IT managers and administrators
Citalid’s recommendations
Developing scenarios without aligning them with the organisation’s existing control weaknesses and critical assets can lead to lengthy debates between cyber strategy stakeholders and a lack of confidence in the results of risk quantification. That’s why your arguments should reflect your understanding of how the organisation works.
4. Assess your level of defensive maturity
What is it?
Assessing an organisation’s level of security maturity is an essential step in understanding its ability to deal with cyber risks. Several frameworks and models can help to assess security maturity; among the most widely used are those published by NIST, ISO and CIS.
When assessing security maturity, organisations often use a combination of these frameworks depending on their specific needs, business sector and regulatory requirements. It is essential to adapt the assessment to the context of the organisation and to continually reassess maturity as the cyber security landscape evolves. In addition, the use of external experts or third-party assessors can provide valuable information and an unbiased view of the organisation’s security maturity.
It is important to understand the specific features of the various security standards and to define which one, or combination of them, meets your organisation’s needs. We have recently published an overview of these standards to help you.
Documenting the history of security incidents encountered by the organisation is also a determining factor in the choice of security framework. Thanks to this approach, you will be able to determine the organisation’s level of maturity, the progress of which can be viewed in the “Defense Profile” interface on the platform, using graphs and scores.
Who are the stakeholders needed at this stage?
- CISO
- IT managers and administrators
- Risk Managers
Citalid’s recommendations
Defensive maturity is a journey, not an end in itself. Continuous improvement is essential if your organisation is to remain resistant and resilient in the face of evolving threats.
5. Estimating the extent of financial loss
What is it?
Estimating the extent of losses is a crucial aspect of Cyber Risk Quantification (CRQ), which involves assessing the potential impact of a cyber security incident on an organisation. The aim is to quantify the financial or operational consequences associated with a security incident.
It is necessary to link the expressed risk (increase, decrease and maintenance of the risk) to the results, to the impact on the operational units and on the initiatives at the organisational level. This is a stage at which it is necessary to consult the managers of the operational units, in order to arrive at a relevant and reliable quantification.
What are the prerequisites for this approach?
In order to estimate the extent of losses, it is necessary first to list the critical assets before looking at the other assets that make up the organisation. You also need to have a good understanding of the IT infrastructure and system dependencies.
It is also advisable to consider the impact of losses on employees and customers. In addition to financial losses, loss of confidence can have a significant impact on brand image and trust. This can result in communication and public relations costs. To find out more about the different types of loss, read our article.
Finally, don’t forget to analyse the regulatory landscape. Failure to comply with certain requirements can expose organisations to financial penalties in the event of an incident. When it comes to cybersecurity, some organisations will be required to implement specific measures to improve their resilience. For example, the DORA Regulation, the NIS 2 Directive and the GDPR bring new obligations that need to be considered in your cybersecurity strategy and in your journey to implement CRQ within your organisation.
This step will enable you to obtain a quantitative, financial assessment of the impact for each scenario and scope. This will allow you to observe the potential losses while taking into account the probability of each impact at a granular level.
Who are the stakeholders needed at this stage?
- CISO
- Heads of operational units or departments
- CFO
- General counsel and compliance officers
Citalid’s recommendations
As part of your discussions with stakeholders, Citalid can help you define the financial losses that your organisation could face, thanks to the integration of Bayesian calculation models (probabilities) within the platform.
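To make the frequency-times-magnitude reasoning of this step concrete, here is an added illustration of how a single risk scenario can be turned into an expected annual loss and a loss exceedance curve. It is not code from Citalid’s platform or its Bayesian models: it uses the FAIR decomposition mentioned at the start of the article (Loss Event Frequency and Loss Magnitude) with a plain Monte Carlo simulation, and the scenario values (the `RANSOMWARE_ON_ERP` ranges) are constructed inputs of the kind an analyst might collect in the business-unit interviews of step 2 and the threat review of step 3.

```python
"""FAIR-style Monte Carlo estimate of annual loss for one risk scenario.

Added example, not code from Citalid's platform. It decomposes risk the way
FAIR does (Loss Event Frequency x Loss Magnitude), takes the analyst's
calibrated estimates as 90% confidence intervals, and simulates many years
to produce the expected annual loss and a loss exceedance curve. Stdlib only.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass

Z_95 = 1.6448536  # standard-normal quantile at 0.95 (the bounds of a 90% CI)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_low: float   # loss events per year, 5th percentile of the analyst's estimate
    lef_high: float  # loss events per year, 95th percentile
    lm_low: float    # loss per event in currency units, 5th percentile
    lm_high: float   # loss per event, 95th percentile


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Map a 90% CI (5th and 95th percentile) onto lognormal (mu, sigma)."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def ci_from_params(mu: float, sigma: float) -> tuple[float, float]:
    """Inverse of lognormal_params: recover the 5th and 95th percentiles."""
    return math.exp(mu - Z_95 * sigma), math.exp(mu + Z_95 * sigma)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small per-year rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(sc: Scenario, trials: int = 10_000, seed: int = 42) -> list[float]:
    """One simulated year per trial: draw a rate, draw the event count, sum event losses."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_params(sc.lef_low, sc.lef_high)
    lm_mu, lm_sigma = lognormal_params(sc.lm_low, sc.lm_high)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)  # uncertainty about the frequency itself
        events = poisson(rng, rate)                    # events actually realised this year
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events)))
    return losses


def summarise(losses: list[float]) -> dict[str, float]:
    """Headline figures a risk committee asks for."""
    s = sorted(losses)
    n = len(s)

    def pct(q: float) -> float:
        return s[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": statistics.fmean(s),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in s if x > 0) / n,
    }


def loss_exceedance(losses: list[float], thresholds: list[float]) -> dict[float, float]:
    """P(annual loss > t) for each threshold: the curve behind 'how likely is a 1M year?'."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


# Constructed inputs for illustration only (not real client data).
RANSOMWARE_ON_ERP = Scenario(
    name="Ransomware halts the ERP platform",
    lef_low=0.1, lef_high=0.5,          # roughly once every 2 to 10 years
    lm_low=200_000, lm_high=5_000_000,  # downtime, recovery, legal and PR costs
)

if __name__ == "__main__":
    losses = simulate_annual_loss(RANSOMWARE_ON_ERP)
    for k, v in summarise(losses).items():
        print(f"{k:>22}: {v:,.2f}")
    for t, p in loss_exceedance(losses, [250_000, 1_000_000, 5_000_000]).items():
        print(f"P(annual loss > {t:>9,}) = {p:.1%}")
```

The same scenario can be run twice, once with the current control state and once with the frequency or magnitude ranges an investment is expected to achieve; the difference in expected annual loss is the figure that supports the return-on-investment discussion of step 1, and the exceedance probabilities at the policy limit are what an insurer will want to see in step 5.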
6. Setting up a governance process
What is it?
The longevity of a cyber risk management programme is often threatened by the departure of the CISO or other project leader. The programme then loses focus.
A governance process for a CRQ programme provides the structure and oversight needed to ensure that cyber risks are quantified in a consistent, reliable way that is aligned with the organisation’s objectives. It contributes to better risk management, informed decision making and the overall cyber security resilience of the organisation.
Part of the governance process is strategic reporting. Quantifying cyber risk allows you to do this by generating accurate, actionable financial indicators, giving you the information you need to fulfil your role as a ‘trusted advisor’ to stakeholders in your organisation’s cyber security strategy.
What will this approach produce?
At the end of this process, you will have created a CRQ Governance Charter, a document that describes the objective, scope, responsibilities and decision-making structure of the cyber risk quantification governance programme.
You will also have produced cyber risk quantification policies and procedures (standardised documents detailing the processes, methodologies and guidelines for CRQ activities).
Who are the stakeholders needed at this stage?
- CIO
- CISO
- Risk Manager
Citalid’s recommendations
Formalise your risk quantification programme in a document to ensure that it is process driven, not person driven. Key elements should include prescriptive use cases, processes, ownership policy and liability guidelines.
By quantifying cyber risk, you can take your organisation’s cyber security to the next level. You play a central role in defining the cybersecurity strategy and in raising collective awareness of cyber risk. As an agent of change within the organisation, you can count on Citalid to support you at every stage of your CRQ journey.