bossanalytics cyberrisk
Levelling up your risk management effort to the business level
Connecting with the business level
using key security economics capabilities:
Reporting cyber risk posture in monetary values
Demonstrating optimal security spending
Connecting cyber risks to business matters
Presenting ROI calculation of new controls
With bossanalytics cyberrisk you can provide the business leadership with a precise and current picture of the organisation’s security posture in their language: money. By reporting how much money is spent on protection, how the spending is distributed, the cost of damages and losses and how open risks influence these numbers, topped with a 12-month loss prediction, you have the opportunity to refine your valuable connection with the leadership by providing decision support based on proven scientific methods.
By communicating in a language that taps into the business leadership’s conversation, you create an arena to discuss proposed actions to existing risks, e.g. investing in a new security control, by its financial return.
The risk management functionality links open risks to the organisation’s values, making risk management an integral part of your business leadership dialogue.
The AVENUE concept
An avenue is traditionally a path with a line of shrubs running along each side, indicating the access to or arrival at an architectural feature, i.e. an asset. In a transferred sense, the concept emphasizes an asset-vector centric view of an organisation. Avenue is also an acronym stemming from “Asset-VEctor with Nodes securing Users and protecting from Enemies”.
bossanalytics cyberrisk is based on the AVENUE concept, compelling the organisation to identify and value the protectable assets and their risk vectors, including the security controls in operation to protect them.
A theoretical loss probability is subsequently calculated per risk vector and asset based on the characteristics of the security controls. When actual incident data is added, the algorithms learn and adapt to make the loss predictions more accurate.
This approach forms the basis for connecting your cyber risk endeavour to the business level of your organisation.
Asset identification and valuation
Organisations increasingly recognise that information is possibly the most valuable strategic asset they possess and therefore wish to protect.
The advisable approach to identifying these assets is to view them as a service serving (parts of) the purpose of the business. Examples are internet bank portals, web shops and electronic health record systems. To encircle the asset, include all components, i.e. information, technology and key resources, that must be available to deliver the service. This ensures that the assets are encircled and defined at an appropriate business level and therefore easily communicable.
To assign a value, consider the deprival value and the disclosure value in concert. Deprival value is the cost of damages and losses should the service be deprived in its entirety. Likewise, the disclosure value pertains to the service with all its information, should it be disclosed to the public in its entirety. When registering an asset in bossanalytics cyberrisk you have full support in determining the asset value.
Risk vectors and controls
A risk vector is the cybersecurity manifestation of an avenue, the pathway to an asset, where incidents may occur leading to malicious exploitation and potential losses to this asset. It is therefore also along this pathway where security controls are applied and their effect can be measured, e.g. reduction in loss amount.
In bossanalytics cyberrisk you model your risk vectors by adding controls and connecting them with the relevant assets, and you are ready to check how effective your protection is by the computed loss probability. By regularly collecting incident data and assigning it to the vector, the algorithms will consider these facts and learn to improve the predictions.
Risk Management
Manage your risks on a daily basis with bossanalytics cyberrisk and take advantage of the built-in security economics capability to link open risks to the organisation’s values, making risk management an integral part of your business leadership dialogue.
You have full support throughout the risk management cycle, from identification through reporting.
If your strategy is to mitigate a risk, you can test prospective security controls for their worthiness within an existing risk vector, and bossanalytics cyberrisk will advise you whether it is worthwhile to invest or not. Such information is very valuable to decision-makers.
The Risk Cost principle
Consider an asset, something of value the organisation has or will acquire. Unprotected, the potential loss equals the value of the asset. Once you start protecting it, the potential loss will first drop dramatically. Putting more defence mechanisms in place will reduce the loss probability further, but to a lesser and lesser degree. Actually, it has been shown that at some point the utility of a mitigating action is smaller than the utility of letting the risk materialise.
Risk cost is the combination of cost of protection and the most likely losses anticipated at this defence level in a given time period, usually a month or a year.
In bossanalytics cyberrisk, predictive analytics is used to compute the risk cost, serving as a good indicator of how to prioritise the mitigation effort and distribute the funding where it reaps the most benefit. The higher the risk cost, the more attention it needs.
As illustrated above, risk cost is also used for evaluating new mitigating controls to determine their financial utility. Based on the nature of the proposed new mitigating control and all other controls working in concert, investment advice is given on whether you should invest or not.
With this approach you can optimize the organisation's spending and aim for the ideal distribution where you maximise the defence and minimise the spending. We call this balancing operational security spending.
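The following is an added worked example of the risk cost principle described above; it is illustrative code written for this page, not bossanalytics cyberrisk's own algorithm. It assumes a simple model in which each control removes a fixed fraction of the remaining loss probability (so that returns diminish), and all asset values, costs and effectiveness figures are constructed sample numbers.

```python
"""Risk cost = cost of protection + expected loss in the period (here one year).
Expected loss = asset value * residual loss probability at the current defence level.
Assumed model: each control multiplies the residual loss probability by
(1 - effectiveness), so every added control removes a smaller absolute share.
All numbers below are constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # yearly cost of operating the control
    effectiveness: float   # fraction of the remaining loss probability it removes (0..1)

def loss_probability(base_probability: float, controls: List[Control]) -> float:
    """Residual yearly loss probability on the vector with these controls in place."""
    p = base_probability
    for c in controls:
        p *= 1.0 - c.effectiveness
    return p

def risk_cost(asset_value: float, base_probability: float, controls: List[Control]) -> float:
    """Protection cost plus the most likely (expected) loss for one year."""
    protection = sum(c.annual_cost for c in controls)
    return protection + asset_value * loss_probability(base_probability, controls)

def investment_advice(asset_value: float, base_probability: float,
                      current: List[Control], candidate: Control) -> Tuple[str, float]:
    """Advise on a prospective control: invest only if it lowers the risk cost."""
    net = (risk_cost(asset_value, base_probability, current)
           - risk_cost(asset_value, base_probability, current + [candidate]))
    return ("invest" if net > 0 else "do not invest", net)

def balance_spending(asset_value: float, base_probability: float,
                     available: List[Control]) -> List[Control]:
    """Greedily add the control that cuts risk cost most; stop when none reduces it."""
    chosen: List[Control] = []
    remaining = list(available)
    while remaining:
        best = min(remaining, key=lambda c: risk_cost(asset_value, base_probability, chosen + [c]))
        if risk_cost(asset_value, base_probability, chosen + [best]) >= risk_cost(asset_value, base_probability, chosen):
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen

# Constructed sample: a 2,000,000 asset with a 50 % yearly unprotected loss probability
ASSET_VALUE, BASE_PROBABILITY = 2_000_000.0, 0.5
FIREWALL = Control("perimeter firewall", 20_000.0, 0.6)
MFA = Control("multi-factor authentication", 15_000.0, 0.5)
DLP = Control("data loss prevention", 80_000.0, 0.3)
```

With the sample numbers the firewall lowers the risk cost from 1,000,000 to 420,000 and MFA to 235,000, but adding the DLP control raises it to 255,000, so the advice for it is "do not invest".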