{"id":50775,"date":"2023-02-28T00:00:00","date_gmt":"2023-02-28T00:00:00","guid":{"rendered":"urn:uuid:f957ebe4-8fad-cf25-5ef7-1d39be37a324"},"modified":"2023-02-28T00:00:00","modified_gmt":"2023-02-28T00:00:00","slug":"decrypting-cyber-risk-quantification","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/decrypting-cyber-risk-quantification\/","title":{"rendered":"Decrypting Cyber Risk Quantification"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Executive teams are faced with a challenging combination of an increasingly complex threat landscape and a rapidly growing attack surface<\/a>. Together, these two factors are putting the modern enterprise at greater risk of exposure and potential breach.<\/p>\n

For security leaders, understanding the unique risk profile of the organization is not only a critical first step, but a required, continuous process to protect the enterprise against malicious adversarial threats \u2014 whether it comes in the form of a simple phishing email<\/a>, or a coordinated multi-step ransomware attack<\/a>.<\/p>\n

To understand this unique risk profile, organizations can leverage continuous or point-in-time risk assessments. Rating and benchmarking cyber risk offer many benefits and actionable insights to the security team by quantifying and weighing the likelihood of a threat actor gaining access to the corporate environment and the potential impact of this event. Cyber risk ratings can be displayed as a numerical or alphabetical integer and provide a mechanism to track and communicate security efficiency and progress over time.<\/p>\n

Security leaders can leverage cyber risk quantification to prioritize cyber risks, align cyber risks with other risk practices, and elevate and communicate cybersecurity effectiveness outside of the security organization. According to Gartner<\/a>, three out of the top 5 cyber risk quantification use cases target communication of risk exposure to different stakeholders including communication to risk owners, C-level executives, and to the board.<\/p>\n

The evolution of cyber risk quantification: how we got here<\/span><\/p>\n

Historically, due to cost, complexity, and limited readily available data, risk scoring had been deployed through point-in-time assessments and relied on less sophisticated insights like password complexity or data encryption usage.<\/p>\n

As evaluation methods, regulations, and frameworks evolved (i.e., NIST Cybersecurity Framework<\/a>) technology solutions have improved in accuracy by extending the number of security vectors and data inputs in an evaluation and delivering assessments on a continuous and on-demand basis.<\/p>\n

However, with this growth came a new era of proprietary formulas unique to individual vendors. While technological innovation has been significant, end users have been challenged with black box products and limited insight into the mathematical formula and weighted factors used to develop risk scores for individual cyber assets and for the broader enterprise.<\/p>\n

This has made it harder for security analysts and practitioners to know which levers to pull to improve their security posture and implement ongoing risk-informed decisions \u2014 and the black box approach has also spurred skepticism and doubt about the trustworthiness ad intention of a score.<\/p>\n

Criteria for an accurate and trustworthy risk score<\/span><\/p>\n

To maximize the value of cyber risk scoring, we should take six key factors into consideration:<\/p>\n