Blog Post
February 12, 2024
For chief information security officers (CISOs), understanding how their organization's unique cyber risk landscape has evolved is paramount. Chronological analysis not only enables risk trends to emerge with more clarity but also provides the essential context required for more informed decision-making.
Moreover, measuring cyber risk over time provides CISOs with a deeper awareness of the impact various initiatives have had on the company's digital defenses, ensuring that, even if the external environment has become overall more threatening, their hard efforts are well-documented and accounted for. As cyber attacks grow in scale and sophistication, this knowledge becomes all the more crucial.
In direct response to this need, Kovrr has officially released our novel Risk Progression feature, which can be found conveniently within our CRQ platform. CISOs wanted a means of knowing how their security control upgrades have helped to decrease the organization's potential financial losses due to a cyber incident over time, as well as the ability to communicate these achievements to key stakeholders. Kovrr now offers this capability.
Each aspect of the feature was designed with this request in mind, providing cybersecurity leaders with defensible data that fosters necessary and meaningful high-level discussions.
With the Risk Position Analysis section of this innovative feature, CISOs can ascertain their organization’s current cyber risk position in relation to two other key metrics: baseline risk and minimal risk. With this comparison, it’s relatively easy to gauge the effectiveness of already-existing cybersecurity measures and controls.
The current risk position, or average annual loss (AAL), represents the expected amount of monetary damage an organization should expect to incur, given its current cybersecurity program. The baseline risk scenario is the expected loss of an organization with the same characteristics (assets, structure, industry, revenue size, location) but without any security controls in place.
The third metric, the minimal risk, also represents the organization with the exact same risk landscape, based both on internal posture and external factors. However, in this case, security controls have been upgraded to their highest possible levels, and they have the most robust security systems in place.
The Risk Position Analysis presents CISOs with a reference point to compare to their AAL, allowing them to visualize how their organization’s risk ranks in relation to the worst and best-case scenarios.
The Risk Progression feature also introduces the Risk Position Score, a very helpful metric that quantifies an organization’s risk posture in reference to the baseline and minimal risk scenarios and is trackable over time. Higher scores demonstrate more effective cyber risk management programs, while lower scores communicate that there is work to be done.
The Risk Position Score can be calculated as follows:
(Baseline Risk - Current Risk Position (AAL)) / (Baseline Risk - Minimal Risk).
The Quarterly Trends section is composed of three statistics that are each calculated based on the changes to the organization’s risk landscape over the previous three months. First is the change in AAL, or the current risk position. For instance, the CISO at the company evaluated in Figure 4 managed to decrease their AAL by 34.21%, which is a significant and impressive result.
The baseline risk has similarly decreased in the past three months by 9.32%. This baseline figure, representing the external cyber risk landscape, reflects a reduction in global attack frequency and costs. Conversely, an increase in baseline risk would suggest an uptick in both attack frequency and costs.
Because both the baseline risk and AAL in Figure 4 have decreased, it indicates that although the external circumstances contributed to the organization’s reduced cyber risk, it was primarily the CISO’s initiative to implement controls and bolster defenses that contributed to this overall success. The increase in the organization’s Risk Position Score is also a positive indicator attesting to the effectiveness of the cybersecurity program.
However, it’s important to note that the Risk Position Score is determined by both the AAL and baseline risk. Theoretically, a CISO might have upgraded multiple controls and adopted cybersecurity tools that contributed to a more robust defense program. However, if the external threats have increased dramatically, the Risk Position Score may only change slightly.
The Historic Quantifications section of the new feature reveals to CISOs the shift of change for the three key metrics (current risk, baseline risk, and minimal risk). With every quantification run, a new data point appears, providing an even wider, more granular view of how the organization's risk landscape has fluctuated over the previous 12 months.
Users can also click on specific data points. They will be directed to the Historic Quantifications timeline, which provides more detailed information on changes made within the organization that resulted in a decrease or increase in the three core metrics.
The Historic Quantifications Timeline demonstrates what changes were associated with each new quantification and how they affected the AAL. For example, as illustrated in Figure 6, the recorded data on January 15 highlights the impact of updates on the organization's security profile. Consequently, there was a 29.74% reduction in current risk, reflecting the influence these changes had on the associated asset groups.
On the other hand, on June 23, three changes were made to a security profile. Coupled with a CRQ model version update, the company experienced a 27.01% increase in AAL. However, because changes were made to both the security profile and model version, the attribution of this increase can not be isolated to a particular variable.
Because Kovrr does not enforce new quantifications for each quarterly model update, it’s crucial for CISOs to run a new quantification before any structural changes if there has, indeed, been a model update unaccounted for in a previous quantification.
The Historic Quantifications aspect of the Risk Progression feature also provides an option to view an organization's cyber risk exposure over time according to extreme loss scenarios. Essentially, this component of the dashboard illuminates how the organization's potential worst-case loss amounts have changed over time. The forecasted financial damages will inevitably be higher than the AAL view, but it nevertheless provides varied insights that the CISO can leverage in high-level discussions.
Users can also review the progression of their forecasted losses according to event type. For example, in Figure 8, the organization significantly decreased its risk in regards to interruption events, while the risk of a data breach, although it fluctuated, remained relatively the same over the past 12 months.
The business impact scenarios are broken down into six types of loss according to the standard cyber insurance categories: Business Interruption, Ransomware & Extortion, Data Theft & Privacy, Regulation & Compliance, 3rd Party Service Provider Failure, and 3rd Party Liability. This part of the Historic Quantifications graph equips the CISO to evaluate potential economic damages their organization faces regarding these categorizations, which is critical for financial planning and risk transfer negotiations.
The final part of the Risk Progression feature is the Historic Quantifications table, which gives a structured view of each quantification and its associated metrics. CISOs can review the quantification’s date, AAL, extreme loss scenario, Risk Position Score, and CRQ model version.
While it offers much of the same information the data points in the Historic Quantifications graph does, this table organizes it in a manner to highlight the gradual change in a much more straightforward manner.
The table also offers CISOs and cybersecurity team members the opportunity to review release notes for every model version. Kovrr strongly encourages users to read the notes, understand what has been changed, and how our new implementations have incorporated the evolving risk landscape.
Kovrr's newly released Risk Progression feature equips CISOs and cybersecurity professionals using our cyber risk quantification platform with a dynamic toolset, enabling them to better understand and demonstrate how their organization's cyber risk posture has progressed. Effective cybersecurity is a never-ending journey, and this new feature ensures that every development is well accounted for.
If you’re interested in learning more about this feature, Kovrr’s CRQ solution, or the benefits of monitoring your risk landscape over time, contact one of our cybersecurity risk experts today or schedule a free demo.