What is Risk Quantification?
If you are an organization in the 21st century, you have data, critical infrastructure, and systems you need to protect. The convergence of cyber and physical security necessitates a systematic security risk mitigation effort.
All organizations have a certain risk profile which can be expressed in dollars – the financial cost of a loss event.
Every organization is different. Your valuable assets, threat sources, and loss events will be specific to you. CSS offers a free initial consultation tailored to your organization.
Risk Quantification is the identification of key risk elements that drive actionable business decisions.
CSS helps clients demonstrate how investments in security can reduce risk.
City Governments and Cyber Insurance
A growing list of cybersecurity concerns mounted for a large municipal government.
The city requested quantitative risk assessments of its credit card processing and annuity fund management systems. These assessments would go on to help the city make cyber insurance purchase decisions.
Healthcare and Security Investments
The healthcare sector is one of the most heavily targeted by cyber attacks.
Because healthcare databases hold copious amounts of sensitive data, such as personally identifiable information (PII), medical history, and more, attackers regard them as a treasure trove of information. One of CSS’ healthcare clients turned to us for a monetary cyber risk quantification to determine if they were spending the right amount of money in the right places for cybersecurity.
Marketing Industry and Payment Processing Risk
Payment processing presents some of the highest levels of risk to a company due to the sensitive nature of the data involved.
A leading marketing company that processes credit cards was scheduled for a periodic PCI compliance audit based on the Payment Card Industry Data Security Standard (PCI DSS) and required a risk quantification as part of the process.
Consumer Products and Qualitative Risk Comparisons
Risk analysis that doesn’t factor in monetary cost can overestimate some risks and underestimate the most devastating scenarios.
A qualitative risk analysis performed by an external auditor provided the client with their top five cyber risks. The client, being familiar with quantitative risk analysis, desired a second analysis to see if the results of the qualitative analysis accurately represented the company’s top five areas of concern.
Who should be involved in risk quantification?
What's involved in a risk quantification exercise?
Identify your threat source
Define the assets that will be targeted
Work through the loss event that presents a tangible loss to your operation
Trained CSS analysts use market-leading software tools to survey the risk data
Analysts determine the likelihood that a security apparatus can be breached
Threat Event Frequency
Analysts determine the likelihood that events will repeat
Risk quantification isn't simply an individual exercise. It's a shift in strategy. After a successful quantification exercise, you can maximize value by applying the model throughout the organization.
Brief leadership and security personnel on what needs to be addressed right away
Work with the security team to build, install, and upgrade necessary security elements. Adjust budgets and allocate resources accordingly.
Establish a regular risk quantification frequency and apply the methodology to all sectors of the organization that deal with risk
Publications and Articles
Whitepaper: Reflections on the SEC’s Cybersecurity Guidance: The Rise of the Investor in the Discussion
As cyber risk poses greater long-term impact, investors and regulatory bodies are demanding a higher standard for disclosure.
Over the past year, the cybersecurity world has undergone a major shift as cyber attacks have transitioned from “potential” losses to direct, near-term losses for major corporations. From the recall of hundreds of thousands of medical devices to ransomware attacks that have shut down major facilities, cyber losses are directly hitting companies’ revenue and value. These losses have now caught the attention of the investment community, with a growing cry for visibility into a company’s risk as a result of a cyber attack.
And then the big shoe dropped. The SEC released new guidance for public company reporting on cybersecurity risk. The guidance is a major expansion of previous guidance on how cyber risk should be reported and is ushering in a new world of how investors, corporations, law firms, and regulators will address cybersecurity in their everyday operations.
Whitepaper: And then the Accountants Showed Up…How the Insurance Industry Will Drive Cyber Security
Under its Evolver brand, CSS released a detailed evaluation of the current trends in cyber insurance and the projected impact these trends will have on the cyber technology marketplace. The paper, titled “And Then the Accountants Showed Up…How the Insurance Industry Will Drive Cybersecurity,” describes current activities within the insurance market since the Target, Anthem, Sony and other high-profile cyber attacks. Additionally, the impact of the growing Internet of Things (IoT) market on the cyber insurance industry is explored. The paper outlines how the insurance industry’s actions will change how cyber products and services will be sold in the near future.
Contact CSS for a Free Risk Consultation
1050 Connecticut Ave NW, Suite #500
Washington, D.C. 20036
8253-M Backlick Road
Lorton, VA 22079
225 Franklin Street, 26th Floor
Boston, MA 02110
7600 East Arapahoe Rd, Suite 306
Centennial, CO 80112