We recently spoke with a potential buyer of RiskLens software and services who is already running an in-house cyber risk quantification solution based on Factor Analysis of Information Risk (FAIR™) — with mixed results. A number of RiskLens customers started out as do-it-yourselfers, and as FAIR’s popularity grows, we’re seeing more and more organizations take a try-before-you-buy approach.
And it’s good. In fact, RiskLens makes the FAIR-U app available free of charge so that anyone can try FAIR analysis on a very limited scale, for example by taking a FAIR training course from RiskLens Academy. We are confident that the benefits of cyber risk quantification will whet your appetite for other RiskLens products and solutions:
Get a quick quantitative read of your cyber risk, based on industry, organization size, location, and other factors.
A simple and affordable managed service that helps organizations quickly define, assess and communicate cyber risk in financial terms with reports from RiskLens risk consultants using the enterprise platform.
The Enterprise SaaS subscription to the RiskLens platform supports rapid, risk-based decisions at every level of the business, from planning a new digital initiative to daily audit results.
But to be clear, FAIR is an open standard, certified by the Open Group, recognized by the National Institute of Standards and Technology and other authoritative bodies, and supported by the more than 13,000+ members of the FAIR Institute (RiskLens is the Institute’s Technical Advisor). This is why FAIR enjoys such credibility as the model of choice for the quantitative analysis of cyber and technological risks.
Because it’s an open standard, FAIR can be run on spreadsheets or DIY applications. But should you? When we spoke to this potential customer, some of their frustrations with their spreadsheet/app solution came to light:
Risk Analysis Workflow
Their app is just a calculator, and that only covers part of a quantified risk analysis. An analyst must go back and forth from the spreadsheets to the application to understand the elements he needs to define a FAIR analysis scenario: assets, threats, loss types, loss events.
>>The RiskLens platform guides the user through the analysis process to create a scenario with a simple workflow much like tax software, with the user selecting assets etc. from drop-down menus .
Data for risk analysis
The DIY solution is scattered and amnesiac. To populate scenarios, the analyst must repeatedly gather data to obtain expert opinion from the business.
>>We emphasize data selection, not data collection. RiskLens offers a wide range of pre-packaged products industry-specific data and scenarios curated by our data science team for use with – or instead of – an organization’s historical data. The RiskLens platform also stores a wide range of items for easy and repeated use in analysis, such as assets, risk scenarios, loss tables, risk ratings and data points such as incident response costs, frequency of loss events, threat actors and strength of controls, to name a few.
Their spreadsheet solution cannot aggregate or compare risks within or across business units to get an overall picture of loss exposure or to confidently identify key risks. To even approach these goals, they have to run multiple scans one at a time, once null. More importantly, if they cannot reliably identify key risks, they may have millions of dollars in exposure to unknown losses hanging over them or millions more in misdirected risk mitigation efforts. .
>>The RiskLens platform’s rapid risk assessment capability in minutes organizes and compares key risks based on dollar value ranges of likely losses. Webinar: See Top Risk Reports in Action.
Benchmarking or cost-benefit analyzes to assess risk treatments
By changing the FAIR factor variables, they can get a rough idea of the effect of controls or other risk mitigation measures, and then control the cost figures for an unreliable cost/benefit analysis. This is an immediate problem: this organization wants to meet the maturity goals for the NIST CSF and needs help choosing among the many controls recommended by this framework.
>>RiskLens’ risk processing analytics capability has automated it all, from baseline risk assessment, to observing the effect based on controls or process changes, to capturing the numbers. from cost, to the final report that compares how the different treatment options quantifiably change the basis risk and the return on investment (ROI) of the options
The workaround also lets users do the reporting themselves, trying to aggregate a series of single scenario results into a cohesive picture.
>>The RiskLens platform offers a wide range of reporting functions to view risk from multiple angles. Use the risk assessment capability to identify and rank loss exposure risks, create a quick report on a single loss event, get multi-scenario views of complex risk and more. Use portfolio management to understand risk by business unit, type of cyber event, revenue stream, strategic initiatives, crown jewel assets, or virtually any other category that meets business needs. Webinar: See portfolio management in action.
RiskLens APIs export scan reports to executive dashboards, IRMs, GRCs, analytics products, and other record systems, as well as PowerPoint and Excel.
For a DIY solution, this organization goes it alone on the support. As experienced FAIR stores know, FAIR is more than a platform – it’s a program, and one that often involves a cultural shift to move towards risk-based and financially sound cyber risk management.
>>RiskLens brings together the most experienced team in the world at setting up a quantified risk management program, from kick-off workshops to give the team hands-on experience in risk analysis, to support to share the latest insights gathered from the largest customer base of FAIR practitioners.
This organization is already on its way to joining the ranks of risk management teams powered by RiskLens + FAIR. Let us show you the power of the RiskLens platform – schedule a demo.
*** This is a syndicated blog from the Security Bloggers Network of RiskLens Resources written by Jeff B. Copeland. Read the original post at: https://www.risklens.com/resource-center/blog/build-or-buy-an-application-to-run-fair-cyber-risk-quantification