The Limitations of Cyber Risk Assessment Tools

Several months ago, I was asked by an executive, “How much should we be spending on cyber insurance?” A reasonable question – one which had me searching for a tool that could help me both frame and answer it. I decided to reach out to my network for suggestions, and several people pointed me to the FAIR Framework. This felt like a reasonable fit: I was familiar with FAIR and had used it in the past. However, after persisting with FAIR for several days, it soon became clear that FAIR wasn’t the right tool for the job. Not all cyber risk tools are fit for the job. In this second instalment (Part 1 here), I share my thoughts on cyber risk tooling and examine situations in which certain cyber risk tools are preferable, and situations in which they are not. CYBER RISK ANALYSIS I wanted to start this discussion by briefly discussing cyber risk analysis. In Part 1, I showed that the typical cyber risk management process looks something like this: Identify risks Analyse risks usin

The Pitfalls of Cyber Risk Assessment

In my previous post, I discussed the ambiguous nature of cyber risk. There was some healthy engagement on the topic, and I thought I would continue from where I left off. In this two-part post I will explore some shortcomings of the cyber risk assessment practice and follow on by looking at when certain risk techniques should and should not be used. The Cyber Risk Assessment I’m going to start off with something that would be familiar to many of you: the risk workshop. For those who are unfamiliar, the basic premise of this risk activity is to bring people together to brainstorm ideas about “bad things that might happen”. These ideas are then typically prioritised on a company risk matrix (heat map) and later organised in a list, to be tracked and periodically communicated. This process, whether done in a group or an individual setting, is fairly typical of most cyber risk assessment methodologies. A typical cyber risk assessment methodology will look something like this: Identify ris

Defining Cyber Risk

The more I learn, the more I realise how little I know. This is especially true for risk. I have been practicing risk management (whatever that means) for a little over 10 years now. Even with this experience, risk still confuses me. You can hardly blame me, especially when the industry itself can't agree on what risk is. Take, for example, this list of risk definitions I compiled from industry sources. Not only does each standard have its own distinct way of describing risk, they each have their own way of calculating risk, too! Before going further, I want to briefly diverge and discuss where I see cyber risk in the broader risk picture. There’s a great HBR article by Robert Kaplan and Anette Mikes on risk strategy which I highly recommend (you can check it out here). In it, they discuss three broad categories of risks: Preventable Risks, External Risks and Strategic Risks. Each has its own distinct way of dealing with risk. Preventable risks are those risks that arise f