Which risk quantification frameworks have you found to be the most effective when implemented?

Anonymous Author
NIST is probably the most prominent one in New Zealand, but to call it prominent would suggest that it's quite widespread. What we're finding with cyber maturity in New Zealand is the frameworks haven't been investigated much beyond technology-focused companies. Some of our managed IT services providers (MSPs) are bringing in frameworks to offer as an assessment service to their clients and some of the larger cyber security entities are bringing them in. In New Zealand we have the Computer Emergency Response Team (CERT) and their focus is on utilizing NIST. That's a government body, but it's not so much a cybersecurity body, it's more of a team to help other companies recover from a cybersecurity incident.
1 upvotes
Anonymous Author
I like FAIR from a quantification perspective, because it simplifies the risks by articulating them in dollars and cents. That's what I struggle with when numbers are taken to the board. Leadership looks at them and says, "How do I quantify a ransomware attack to that? Is it a billion dollar loss? $10 million?" If I'm paying a $10 million ransom, the board might say there's a reputation loss. Now we're seeing stock prices drop as a result of ransomware, but we didn't have those examples two years ago. I stick with NIST because it's comprehensive—you can get lost in the mumbo-jumbo, but there are good aspects of it from a framework standpoint. For both NIST and FAIR, the problem is: how do you feed this beast? Your framework should be fed. And a lot of people see it as the responsibility of their compliance person or risk person to dig into the data. It's becoming more of a one-time exercise during the audit year, or throughout the year, to try using a spreadsheet rather than having a continuous feed of data coming in to be quantified.
1 upvotes
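The answer above describes FAIR's appeal as expressing risk in dollars. The following script is an added example (not code from the thread or from the FAIR standard) showing how that quantification is typically done: Loss Event Frequency and Loss Magnitude are each estimated as a calibrated (min, most likely, max) range, sampled with a modified PERT distribution, and combined in a Monte Carlo run to produce an annualized loss exposure distribution rather than a single point figure. The ransomware scenario figures, the PERT shape parameter (lambda = 4) and the function names are assumptions chosen for illustration.

```python
"""FAIR-style annualized loss exposure via Monte Carlo.

Added example, not from the discussion above. The scenario numbers are
constructed for illustration and are not real loss data.
"""
import math
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution.

    PERT turns a (min, most likely, max) expert estimate into a Beta
    distribution rescaled to [low, high]. lam=4 is the conventional
    shape parameter (an assumption, not a FAIR requirement).
    """
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, lam):
    """Number of loss events in a year given an expected rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(scenario, years=10_000, seed=1):
    """Simulate `years` independent years and return the total loss in each.

    scenario["lef"] is (min, mode, max) loss events per year.
    scenario["lm"]  is (min, mode, max) dollars per loss event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert_sample(rng, *scenario["lef"])      # this year's LEF
        events = poisson(rng, rate)                     # how many events occurred
        total = sum(pert_sample(rng, *scenario["lm"]) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses):
    """Percentiles a risk owner can read: typical year, bad year, very bad year."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p50": s[n // 2],
        "p90": s[int(n * 0.90)],
        "p99": s[int(n * 0.99)],
        "max": s[-1],
    }


# Constructed scenario: ransomware on a file server. LEF is expressed as
# events per year (0.1 = once a decade, 1.0 = once a year); LM in dollars
# covers response, downtime and recovery for one event.
RANSOMWARE = {
    "lef": (0.1, 0.3, 1.0),
    "lm": (50_000, 400_000, 3_000_000),
}


if __name__ == "__main__":
    stats = summarize(simulate_annual_loss(RANSOMWARE))
    for k, v in stats.items():
        print(f"{k:>5}: ${v:,.0f}")
```

The mean of the distribution is the number boards usually ask for, but the p90 and p99 columns are what justify a control budget: a control that cuts the LEF range (fewer events) or the LM range (cheaper events) can be re-run through the same simulation and its value expressed as the change in exposure. Because the inputs are explicit ranges, the "feed the beast" problem raised in the answer becomes a question of which telemetry (incident counts, recovery times, invoice data) refreshes those ranges.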
Anonymous Author
I like frameworks, but I tend to combine them because realistically, the biggest vulnerability we face today and in the future is the misperception of risk. I learned that a long time ago at Intel and I've seen it over and over again. We misperceive risk all the time. Some of that is driven by the sociological and psychological aspects of the cool, shiny baubles that cause you to discount risk. Some of it is caused by the target fixation of the security team who overplays a risk card or risk portrait because they're focused on one thing versus contextualizing it against other things. And then some of it is driven by economics as well. For instance, there's no long-term shareholder impact because of a breach—a publicly traded company's stock outperforms 6-12 months after a breach. If your job on the board is long-term shareholder value and you know there's no impact there, then that's your measurement. So I get hung up on the quantification side, on the dollars and cents.
1 upvotes