Quantifying and Prioritising Cyber Risk in Enterprises - is it ever enough? [Riskquant Part-1]

Quantifying and prioritising cyber risk is a difficult and expensive task that enterprises get wrong more often than right. What alternative methods are there?


The conundrum that we face: 'When do you know when you've got your cyber security wrong?' is a relatively easy question to answer. 'When do you know when you have got your cyber security controls right?' is a far more difficult one. This post explores a new approach and method for quantifying risk.

Risk management and mitigation is one of the hardest and, coincidentally, one of the most expensive ongoing activities undertaken in an enterprise as you try to prevent cyber security risks.

It becomes further complicated when it's combined with the development of new digital channel offerings and innovation within your business. Enterprises typically spend vast sums of money to get an understanding of their threat landscape and despite their best efforts are usually behind the 8 ball when it comes to both quantifying and subsequently prioritising risks to be mitigated via control mechanisms.

Maturity based approaches

Maturity assessment approaches have been used as the main driving force to manage cyber risk and still appear to be the norm today. Businesses try to achieve a level of maturity by building on certain defined capabilities to meet framework requirements, such as rolling out multi-factor authentication across the whole organisation to reduce identity theft, or deploying monitoring and control capabilities such as Cloud Access Security Broker (CASB) or Data Loss Prevention (DLP) tools to protect company data from exfiltration.

As businesses organically grow, new technologies are piled on, new solutions are built and the complexity of the environment grows exponentially. This has the unfortunate side effect of putting more strain on the controls and monitoring tools that were deployed to the organisation, resulting in increased cost and a subsequent drop in effectiveness. The end result is the need for more risk spend in an effort to add additional controls whilst trying to maintain flexibility, to the point of failure. Organisations then start monitoring everything without much thought about which high-risk assets they should be paying more attention to. This leads to a perpetual cycle of inefficient spending by the Board and, most likely, increased risk as security teams are stretched and the end dates of cyber initiatives and transformation projects are missed.

A change in approach could be considered

What if we were to change the strategic approach and focus on reducing enterprise cyber risk by taking a proactive, risk-based approach to identifying those risks that pose the greatest threat to the ongoing health of a business?

High risk, high ROI; low risk, low ROI.

By specifically identifying those risks that are classified as high risk, senior management can aggressively target them to obtain the best return on investment and achieve a reduction in risk within the allocated spend from the Board rather than just focusing on meeting a specific defined framework.

The Riskquant tool

Here's quite an innovative approach to this challenge. I'm going to spend a bit of time exploring the tooling developed by Netflix to see if we can identify and prioritise key risks in a business scenario through it.

Riskquant is Netflix's risk quantification toolkit. It was created in-house and has just been released as open source as of March 2020. After Netflix released this tool I thought it would be worth exploring how it works! The idea of this article is to distil and understand how this tool works and see if we can move from a maturity-based approach to one with a better focus on risk, impact and return on investment.

If you're keen to follow along, I have a separate article covering the steps I took here.

On this occasion Netflix has used FAIR, the Factor Analysis of Information Risk framework, to understand how to quantify risk for their platform.

Using their words, it involves forecasting two quantities:

  • Frequency of loss over a period of a year. There are many examples that can be applied; here's one potentially lower-risk example: how many times do you think an employee from the IT department will become an insider threat and steal, sell or, more likely, lose or accidentally make public personally identifiable data held within your identity platform or CRM platform?
  • Secondly, identifying what the magnitude of the loss would be as a dollar figure, ideally identified from within the business across multiple executive levels. In the tool, this is defined via two variables, the "low-loss" and "high-loss" scenarios, each given as a dollar figure. These are tied to a 90% confidence interval, which is essentially saying that we are 90% confident that the dollar loss will fall between these two values if this risk is realised. The tool also ensures there is a long tail for high losses, which allows for ongoing costs to remediate the realised risk beyond the high-loss scenario.

So let's now plug these two items into the tool...

Using Riskquant to quantify risk

Let's consider what this might look like for a commercial business. Here's a fictitious example where a limited budget is allocated by the Board... (all figures are arbitrary and for illustration purposes only)

Funding Request:

"After a few discussions with the broader cyber team and the Board, I've identified a small list of threats that are possible for this business. The board have agreed to spend $10k for the first half of the year to mitigate as much risk as possible and are expecting a report to quantify the risk reduction return on investment".

Scenarios identified:

1) The user portal is knocked offline due to a denial of service attack from an outside threat actor resulting in no one being able to access their accounts or perform activities relating to it.

  • Impact: $5,000 up to $15,000 per denial of service attempt on the portal depending on how long it goes on for
  • Likelihood: We anticipate this would likely happen around 0.8 times a year.

2) Internal customer data is leaked due to an internal threat actor or an external attack:

  • Impact: Ranging from $10,000 to $50,000 for an internal leak and between $150,000 and $500,000 if the data is exfiltrated by an attacker to the dark web for sale.
  • Likelihood: The probability of an internal leak is 0.6 events per year and of an external leak 0.3 events per year, i.e. roughly once every three and a bit years.

Fantastic, now that we've defined the two cyber security risks, their associated impacts and the likelihood of them happening, we need to input these into the riskquant tool to understand which one we should spend our $10k on.

This tool takes a leaf from financial modelling where a log-normal distribution is used to indicate the potential returns of a stock over a period of time. We're doing essentially the same by modelling the impact value with the log-normal distribution and utilising the distribution mean as the expected loss for each threat.

Lognormal distribution of loss magnitude

An interesting side note: a log-normal distribution would also likely be used to model the rate of spread of the Covid-19 pandemic currently happening, in the context of trying to "flatten the curve", and in aviation to understand fatigue-stress failure lifetimes of components so that they can be replaced before causing an unsafe flight event.

For our example, here's the CSV file I'm going to run through the tool (formatted for readability):

List of risks and loss probability the tool consumes

The Results

When we run the tool it provides a prioritised .csv file of the risks and their associated expected annual losses based on its calculation.

Prioritised list of risks from the tool
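To make the two forecast quantities and the log-normal step concrete, here is an added worked example that re-implements the calculation as described above and runs the three scenarios through it; it is my own illustration, not riskquant's code. It assumes the 90% confidence interval maps to the 5th and 95th percentiles of the log-normal loss distribution, that expected annual loss is frequency multiplied by the distribution mean, and the CSV column layout is made up for this example.

```python
import csv
import io
import math

# Added example, not riskquant's own code. Assumption: the 90% confidence
# interval is read as the 5th/95th percentiles of a log-normal loss
# distribution, and expected annual loss = frequency x distribution mean.
Z_95 = 1.6448536269514722  # z-score of the 95th percentile

# Constructed input mirroring the article's three scenarios (column layout
# is our own, chosen for this example).
RISKS_CSV = """identifier,name,frequency,low_loss,high_loss
dos,User portal denial of service,0.8,5000,15000
leak_int,Customer data leaked internally,0.6,10000,50000
leak_ext,Customer data exfiltrated by attacker,0.3,150000,500000
"""

def lognormal_params(low_loss, high_loss):
    """(mu, sigma) such that 90% of losses fall between low_loss and high_loss."""
    if not 0 < low_loss < high_loss:
        raise ValueError("need 0 < low_loss < high_loss")
    mu = (math.log(low_loss) + math.log(high_loss)) / 2
    sigma = (math.log(high_loss) - math.log(low_loss)) / (2 * Z_95)
    return mu, sigma

def expected_loss_magnitude(low_loss, high_loss):
    """Mean of the log-normal: exp(mu + sigma^2/2). It lies above the geometric
    midpoint because of the long right tail, which is what models remediation
    costs running past the high-loss scenario."""
    mu, sigma = lognormal_params(low_loss, high_loss)
    return math.exp(mu + sigma ** 2 / 2)

def annualised_loss(frequency, low_loss, high_loss):
    """Expected annual loss = events per year x expected loss per event."""
    return frequency * expected_loss_magnitude(low_loss, high_loss)

def prioritise(csv_text):
    """Parse the risk CSV and sort by expected annual loss, highest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        ael = annualised_loss(float(r["frequency"]),
                              float(r["low_loss"]), float(r["high_loss"]))
        rows.append((r["identifier"], r["name"], round(ael, 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for ident, name, ael in prioritise(RISKS_CSV):
        print(f"{ident:9} ${ael:>10,.0f}/yr  {name}")
```

With these inputs the external exfiltration scenario comes out at roughly $88k of expected annual loss, the internal leak at about $15k and the denial of service at about $7k, which is the ordering the spreadsheet above reflects.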

I'll stop the example here as there are a multitude of other variables that you can plug into the tool to test other theories, and I encourage you to try it. We've already got to a point where we've massively improved our decision-making capability. It gives us great visibility and a strategic overview of each risk based on its priority and expected annual loss. This means we can start to work out where we want to distribute our cyber security budget. If we're allocated $10k to spend on uplifting capability in order to reduce risk, we can easily look at our spreadsheet and see whether we can identify ways to reduce the risk of losing customer data to external threat actors through exfiltration.

Board Graphic showing identified risks and their priority based on their annual $ figure loss risk

Conclusion

This tool lets us deliver a quick return on our $10k investment with demonstrable results, and a good chance of being able to financially justify further spend in future. The report also gives the Board visibility of the cyber risks associated with their business in a quick, easily quantifiable and prioritised manner.

If you're keen to try it yourself, I have a separate article on how I set up RiskQuant here.