By putting financial measurements on risk, an objective calculation can be used to provide reporting that is widely understood and directly comparable with management’s tolerance for risk. Those figures let security and risk professionals speak the language of business leaders, which in turn shapes strategy, aids decision-making and helps optimize security investments. Cost/benefit analysis of candidate controls then shows where the organization gets the best return on its security spend.
Tip: Consider quantitative risk assessment methods, such as FAIR.
Last year, we highlighted how the introduction of quantitative methods for cyber security assessments can allow organizations to understand their financial exposure from cyber risks.
The Open FAIR™ method is an international standard quantitative model for cybersecurity and operational risk, published and licensed by The Open Group. Open FAIR is already being used by 30% of Fortune 1000 organizations, and we expect more firms to adopt it as quantitative approaches become more prevalent.
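To make the "financial measurement of risk" and the ROI comparison above concrete, here is a small FAIR-style Monte Carlo simulation. It is an added illustration written for this post, not Acuity's, STREAM's or The Open Group's code, and it uses only the public FAIR factor structure (Loss Event Frequency = Threat Event Frequency × Vulnerability; loss per event = primary + secondary loss). The scenario figures, the triangular distribution used in place of PERT, the Poisson draw for the number of loss events per year, and the control cost are all assumptions made for the example.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most-likely / maximum estimate for one FAIR factor."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular is an assumed stand-in for the PERT distribution that
        # FAIR tooling commonly uses; the shape matters less than calibration.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed with the core FAIR factors."""
    threat_event_frequency: Estimate   # threat events per year (TEF)
    vulnerability: Estimate            # P(a threat event becomes a loss event)
    primary_loss: Estimate             # currency per loss event (response, replacement...)
    secondary_loss: Estimate           # currency per loss event (fines, customer loss...)


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates of a single scenario."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Return annualized loss exposure (ALE) statistics for a scenario.

    Each iteration is one simulated year: draw TEF and vulnerability, derive the
    loss event frequency, draw how many loss events actually occur, then price
    each event with its own primary and secondary loss draws.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = max(scenario.threat_event_frequency.sample(rng), 0.0)
        vuln = min(max(scenario.vulnerability.sample(rng), 0.0), 1.0)
        loss_events = _poisson(rng, tef * vuln)          # LEF = TEF x Vuln
        year_total = 0.0
        for _ in range(loss_events):
            year_total += (scenario.primary_loss.sample(rng)
                           + scenario.secondary_loss.sample(rng))
        annual_losses.append(year_total)
    annual_losses.sort()
    n = len(annual_losses)

    def pct(q: float) -> float:
        return annual_losses[min(n - 1, int(q * n))]

    return {"mean": statistics.fmean(annual_losses),
            "p50": pct(0.5), "p90": pct(0.9), "max": annual_losses[-1]}


def control_roi(before: dict, after: dict, annual_control_cost: float) -> float:
    """ROI of a control = (avoided expected loss - control cost) / control cost."""
    avoided = before["mean"] - after["mean"]
    return (avoided - annual_control_cost) / annual_control_cost


# Constructed example scenario (assumed figures): ransomware against a file
# server, before and after adding EDR plus offline backups. The control is
# modelled as reducing vulnerability only; frequency and loss sizes are unchanged.
BASELINE = Scenario(
    threat_event_frequency=Estimate(2, 6, 12),
    vulnerability=Estimate(0.2, 0.4, 0.6),
    primary_loss=Estimate(50_000, 200_000, 800_000),
    secondary_loss=Estimate(10_000, 100_000, 500_000),
)
WITH_CONTROL = Scenario(
    threat_event_frequency=BASELINE.threat_event_frequency,
    vulnerability=Estimate(0.05, 0.15, 0.30),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)
CONTROL_ANNUAL_COST = 120_000.0   # assumed licence + operations cost per year


if __name__ == "__main__":
    before, after = simulate(BASELINE), simulate(WITH_CONTROL)
    for label, stats in (("baseline", before), ("with control", after)):
        print(f"{label:13s} mean={stats['mean']:,.0f} p50={stats['p50']:,.0f} "
              f"p90={stats['p90']:,.0f} max={stats['max']:,.0f}")
    print(f"control ROI: {control_roi(before, after, CONTROL_ANNUAL_COST):.1f}x")
```

The p90 figure is the one to put beside management's risk tolerance: a board that accepts "no more than £X of loss in 9 years out of 10" can be answered directly, which a red/amber/green rating cannot do. The ROI line is the cost/benefit comparison; running it for several candidate controls against the same baseline gives the risk-based prioritization the text describes.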
Acuity is one of the very few vendors licensed for Open FAIR and has integrated this risk assessment method into its STREAM Integrated Risk Manager platform. With STREAM, organizations can use Open FAIR for quantitative assessment of risks and then use STREAM’s powerful aggregation, reporting and dashboarding to view financial exposure from cyber and operational risks across the enterprise. STREAM can then use the quantitative data to perform risk-based prioritization of security improvement and model the ROI from potential security investments.