Is it possible to calculate the return on investment of cybersecurity controls?
Traditionally, organisations have struggled to calculate the financial losses from cyberattacks or fraud and to prioritise security investments based on return on investment (ROI). Frameworks such as APRA CPS 234 require regulated entities to maintain an information security capability commensurate with their information security vulnerabilities and threats. However, the APRA CPS 234 framework does not provide enough guidance to articulate cyber risks in the financial metrics that business executives and boards are familiar with. FAIR is one framework that helps quantify those risks and measure the expected financial loss from a cyberattack.
The FAIR Cyber Risk Quantification Service helps companies quantify and measure their cyber risks in the same way that executives, boards and risk committees measure financial and operational risks. FAIR is followed by 30% of the Fortune 1000, including many large financial institutions such as Bank of America, Fannie Mae and the Federal Reserve, and is rapidly being adopted by other industries throughout the US, EMEA and APAC.
FAIR quantification analysis is also compatible with most risk assessment and management frameworks, such as NIST CSF, ISO 27001 or PCI DSS, which do not include a structured quantification methodology or component. By quantifying cyber risks, FAIR risk quantification:
- Provides concrete measurements of the business benefits of investment in information security.
- Creates a common business language for cyber risk discussion.
- Promotes a culture of prudent investment practice in information security.
Privasec consultants have, for many years, been providing practical guidance to organisations to help them achieve and maintain compliance with a broad range of professional standards. Here is how our FAIR Cyber Risk Quantification service works:
- We apply FAIR analysis to existing and new investments in information security to support and tune the investment prioritisation process, and to measure the maturity of your security processes against NIST CSF and/or ISO 27005 (depending on your organisation).
- We work with your team to adopt the FAIR framework and build your internal cyber risk quantification process, which produces consistent and repeatable measurements of the potential financial loss from cyberattacks, before and after a security solution uplift.
- We create repeatable cyber risk report templates tailored to the relevant boards and committees within your organisation.
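As an added illustration of the before-and-after comparison described above (example code, not Privasec's or the FAIR Institute's own tooling): a FAIR-style estimate that treats the two top-level factors, Loss Event Frequency and Loss Magnitude, as min/most-likely/max ranges, computes expected annual loss with and without a control, and turns the difference into a control ROI. The scenario figures and the MFA cost are constructed, not taken from the page.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class FairScenario:
    """Top-level FAIR factors: Loss Event Frequency (events/year) and Loss Magnitude ($/event)."""
    name: str
    lef: Range
    lm: Range
    def expected_annual_loss(self) -> float:
        # LEF and LM are modelled as independent, so E[LEF * LM] = E[LEF] * E[LM].
        return self.lef.mean() * self.lm.mean()

    def simulate_annual_loss(self, trials: int = 20_000, seed: int = 0) -> list:
        # Monte Carlo: one sampled year per trial; feeds the loss-exceedance view below.
        rng = random.Random(seed)
        return [self.lef.sample(rng) * self.lm.sample(rng) for _ in range(trials)]

def control_roi(before: FairScenario, after: FairScenario, annual_control_cost: float) -> float:
    """ROI of a control = (annual loss avoided - annual control cost) / annual control cost."""
    avoided = before.expected_annual_loss() - after.expected_annual_loss()
    return (avoided - annual_control_cost) / annual_control_cost

def loss_exceedance(losses: list, threshold: float) -> float:
    """Share of simulated years whose loss exceeds the threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

# Constructed scenario with hypothetical figures: customer-portal account takeover, before and after MFA.
BEFORE = FairScenario("portal takeover, no MFA", Range(2, 4, 9), Range(50_000, 150_000, 400_000))
AFTER = FairScenario("portal takeover, MFA enforced", Range(0.1, 0.4, 1.0), Range(50_000, 150_000, 400_000))
MFA_ANNUAL_COST = 120_000  # hypothetical licence plus operating cost per year

if __name__ == "__main__":
    for s in (BEFORE, AFTER):
        losses = s.simulate_annual_loss(seed=42)
        print(f"{s.name}: expected ${s.expected_annual_loss():,.0f}/yr, P(annual loss > $1M) = {loss_exceedance(losses, 1_000_000):.1%}")
    print(f"MFA control ROI: {control_roi(BEFORE, AFTER, MFA_ANNUAL_COST):.0%}")
```

The expected-loss figures are what a board slide would carry; the loss-exceedance probability shows the tail that an average alone hides.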