About CSS

Case Study: Risk Quantification Validates Healthcare Technology Decisions

April 11, 2019

Monetary Risk Quantification provides insight on social security number storage and security log aggregation


The healthcare sector is one of the most highly targeted for cyber attack.  With the copious amount of sensitive data sets, like personally identifiable information (PII), medical history, and more, cyber hackers think of healthcare databases as a treasure trove of information.


One of Evolver’s healthcare clients turned to us for a monetary cyber risk quantification to determine if they were spending the right amount of money in the right places for the cybersecurity. Evolver is especially qualified to determine the risk of the technology spend due to their many certified FAIR Analysts on staff.


FAIR is rapidly becoming the de facto standard for monetary quantification of cyber risk; increasingly, Fortune 500 companies and government groups use the method for monetary risk calculations that can be briefed to board of directors and other senior leadership.


Because of the tangible nature of Evolver’s risk quantification reports, Evolver’s clients know how much financial risk they have over their business areas and applications.


The Cybersecurity Problem

The client had two issues:
»» They were using a costly security log aggregation tool as an added layer of security for three core web business applications. They wanted to determine the value they were receiving for this technology investment.
»» The client wanted to determine if they should continue storing customer social security numbers in their system, or discontinue and possibly lower their risk exposure.



Evolver recommends performing a baseline risk assessment first and then two risk quantifications as a cost/benefit analysis, providing a decision point for the client.


 Successful Risk Quantification Highlights


»» Evolver’s Certified FAIR Analysts started with a baseline risk quantification to see organization’s current status using the RiskLens software.


»» 1st Risk Quantification: security log aggregation tool


»» Perform “what if” scenarios
»» What if the client doesn’t use the tool and relies on their hosting provider to detect and notify security incidents?
»» The client is able to see what their increased risk exposure is and make a decision.
»»  In this case, the client determined the investment in the security log aggregation tool was validated.


»» 2nd Risk Quantification: social security numbers


»» Perform “what if” scenarios
»» Weighed the cost of all the technology changes that need to go into effect to remove the social security numbers vs. the risk exposure savings.
»» Determined that since the client is still capturing many other types of PII their risk exposure would only decrease by a nominal amount.

Share this page: