About CSS

Case Study: Monetary Risk Quantification Validates Healthcare Technology Decisions

April 19, 2019


Monetary Risk Quantification provides insight on social security number storage and security log aggregation


The healthcare sector is one of the most highly targeted for cyber attack. With the copious amount of sensitive data sets, like personally identifiable information (PII), medical history, and more, cyber hackers think of healthcare databases as a treasure trove of information.

Download the PDF


One of CSS’s healthcare clients turned to us for a monetary cyber risk quantification to determine if they were spending the right amount of money in the right places for cybersecurity. CSS is especially qualified to determine the risk of the technology spend due to our many certified FAIR Analysts on staff.


FAIR is rapidly becoming the de facto standard for monetary quantification of cyber risk; increasingly, Fortune 500 companies and government groups use the method for monetary risk calculations that can be briefed to board of directors and other senior leadership.


Because of the tangible nature of CSS’s risk quantification reports, CSS’s clients know how much financial risk they have over their business areas and applications.[/vc_column_text]

The Cybersecurity Problem

The client had two issues:
»» They were using a costly security log aggregation tool as an added layer of security for three core web business applications. They wanted to determine the value they were receiving for this technology investment.
»» The client wanted to determine if they should continue storing customer social security numbers in their system, or discontinue and possibly lower their risk exposure.


CSS recommends performing a baseline risk assessment first and then two risk quantifications as a cost/benefit analysis, providing a decision point for the client.

  • Risk quantification enabled the client to make an informed decision from a financial perspective before technology decisions/investments were made
  • Provided the actual dollar amount of risk exposure
  • CFO and CISO could speak the same language
  • Helped validate the continued use of their technology

Successful Risk Quantification Highlights

»» CSS’s Certified FAIR Analysts started with a baseline risk quantification to see organization’s current status using the RiskLens software.


»» 1st Risk Quantification: security log aggregation tool


»» Perform “what if” scenarios
»» What if the client doesn’t use the tool and relies on their hosting provider to detect and notify security incidents?
»» The client is able to see what their increased risk exposure is and make a decision.
»» In this case, the client determined the investment in the security log aggregation tool was validated.


»» 2nd Risk Quantification: social security numbers


»» Perform “what if” scenarios
»» Weighed the cost of all the technology changes that need to go into effect to remove the social security numbers vs. the risk exposure savings.
»» Determined that since the client is still capturing many other types of PII their risk exposure would only decrease by a nominal amount.

As their trusted information security and information technology provider, this healthcare sector client turned to Converged Security Solutions. CSS’s expertise in monetary risk quantification helped the client make confident technology decisions including confirming the use of a security log aggregation tool and on whether to continue storing social security numbers.


Click here to schedule a free risk consultation and ask questions about how risk quantification be applied to your business.


About CSS

Converged Security Solutions, along with Evolver and eVigilant, provide a full suite of technology services that span cybersecurity, physical security, and IT management. We are ISO 27001 and ISO 9001 certified, as well as CMMI Level 3 appraised.

Share this page: