What do Live Nation’s Taylor Swift ticketing debacle and cyber risk have in common? Bad assumptions. Whether you confidently believe that you can anticipate record ticket demand or believe that your payment processing infrastructure is secure enough to handle it, that belief is based on an assumption, and that assumption is based on the past performance of existing models. In Live Nation’s case, the models were wrong.

Cybersecurity faces the same problem. Our security “models” (frameworks and standards) don’t tell us how likely a cyber risk is, or how severe it would be in monetary terms to the business, so we have no way of knowing whether we’re secure enough. Further complicating the matter, many popular security standards call themselves “risk management” frameworks, promising to measure and manage risk. In practice, they tell us which controls to implement, explain how to classify threats and vulnerabilities, or provide qualitative assessment criteria (like one-to-five ordinal scales) that have proven to be useless for decision-making. We’re managing aspects of risk without knowing the full extent of the risk itself.

My new report, Start Your Cyber Risk Quantification With The Right Framework, guides CISOs through the pros and cons of traditional risk frameworks, defines criteria for a quantitative risk model, and outlines the building blocks for a successful implementation. Consider that:

  • By overlaying a quantitative model on existing security frameworks, we stop making implicit assumptions about risk. Just because a control assessment identifies insufficient security controls doesn’t mean that they equate to “high risks.” On the other hand, if those controls were designed to prevent bot attacks and absorb network traffic spikes during an unprecedented concert ticket sale, quantitative modeling would’ve produced probability and loss estimates that could’ve been used to put preventive measures in place before the sale.
  • Cyber risk is complex. The business can only normalize a risk event’s likelihood and impact when it is quantified financially. Your cybersecurity frameworks aren’t really risk management frameworks — and they don’t need to be. But we do need models to help us reliably measure our cyber risk. Enter the cyber value-at-risk model.
  • In 2023, CISOs are under pressure to better manage cyber risk. But you can’t manage what you can’t measure. Models such as FAIR (“Factor Analysis of Information Risk”) provide a quantitative approach to help CISOs assess and communicate their cyber risk. Don’t let assumptions about your current frameworks and standards stifle your risk management maturity.
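To make the difference between an ordinal rating and a monetary estimate concrete, here is a small FAIR-style Monte Carlo simulation. It is an added example written for this post, not code from the report, from the FAIR standard, or from any vendor tool, and it deliberately simplifies FAIR to two factors: loss event frequency (modeled as Poisson) and per-event loss magnitude (modeled as lognormal, calibrated from a median and a 90th-percentile estimate). The scenario names, frequencies, dollar figures, and the $2.5M annual risk tolerance are constructed inputs chosen for illustration; the one real-world anchor is the ticket-sale scenario above, where a bot-mitigation control is assumed to halve the event frequency.

```python
"""FAIR-style Monte Carlo for a single cyber risk scenario (added example, constructed inputs)."""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # z-score of the standard-normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_per_year: float  # Loss Event Frequency: expected loss events per year
    lm_median: float     # Loss Magnitude per event: median estimate, in dollars
    lm_p90: float        # Loss Magnitude per event: 90th-percentile estimate, in dollars


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Calibrate a lognormal from a median and a 90th-percentile estimate.

    If ln(X) ~ Normal(mu, sigma) then median = exp(mu) and p90 = exp(mu + Z90 * sigma).
    """
    if not 0 < median < p90:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Draw the number of loss events in one year by counting exponential inter-arrival times."""
    if lam <= 0:
        return 0
    count, t = 0, rng.expovariate(lam)
    while t <= 1.0:
        count += 1
        t += rng.expovariate(lam)
    return count


def simulate_annual_losses(sc: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """One trial = one simulated year: sum of per-event losses over the events that year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params(sc.lm_median, sc.lm_p90)
    losses = []
    for _ in range(trials):
        n_events = sample_poisson(rng, sc.lef_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(sorted_values: list[float], q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def summarize(sc: Scenario, tolerance: float, trials: int = 20_000, seed: int = 7) -> dict:
    """Expected annual loss, 95% value-at-risk, and whether VaR sits within the stated tolerance."""
    losses = sorted(simulate_annual_losses(sc, trials, seed))
    expected = sum(losses) / len(losses)
    var95 = percentile(losses, 0.95)
    exceed = sum(1 for x in losses if x > tolerance) / len(losses)
    return {
        "scenario": sc.name,
        "expected_annual_loss": expected,
        "var_95": var95,
        "p_exceed_tolerance": exceed,
        "within_appetite": var95 <= tolerance,
    }


# Constructed scenarios: a ticket-sale bot attack, before and after a bot-mitigation control
# that is assumed (for illustration only) to halve the yearly event frequency.
BASELINE = Scenario("ticket-sale bot attack, no mitigation", lef_per_year=2.0,
                    lm_median=200_000, lm_p90=1_000_000)
MITIGATED = Scenario("ticket-sale bot attack, with bot mitigation", lef_per_year=1.0,
                     lm_median=200_000, lm_p90=1_000_000)
TOLERANCE = 2_500_000  # assumed annual risk appetite, in dollars

if __name__ == "__main__":
    for sc in (BASELINE, MITIGATED):
        r = summarize(sc, TOLERANCE)
        print(f"{r['scenario']}: EAL ${r['expected_annual_loss']:,.0f}, "
              f"95% VaR ${r['var_95']:,.0f}, P(loss > tolerance) {r['p_exceed_tolerance']:.1%}, "
              f"within appetite: {r['within_appetite']}")
```

The point of the output is the comparison a one-to-five scale cannot make: both scenarios might be rated “high” on an ordinal scale, but the simulation gives each a dollar-denominated expected loss and tail loss, and the gap between the two is the value of the control, which can be weighed against what the control costs.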

Want to learn more? Schedule a guidance session or inquiry with me, and look for my upcoming research about how to create a business case for cyber risk quantification (CRQ) and how to successfully launch a CRQ pilot.