Security risk reporting is notoriously difficult: the complexities surrounding attack vectors and chained vulnerabilities lead to challenging conversations with technical and non-technical audiences alike. The usual response is a simplistic graphic to drive the message home, frequently built on colour (green, amber, red). But what happens when the heatmap, or the series of traffic lights, is all the same colour? Which of the areas being reported on should take priority?
Quantitative risk assessment, when done well, allows a business to assess the financial impact of a risk, both in terms of the cost of making changes to the security posture and the potential impact of a security breach. Attaching a financial value to each assessment, whether as a modelling exercise or as an element of the enterprise risk management process for new or existing services, brings security risk assessment into a format that technical and non-technical audiences both recognise. It permits prioritisation based on expenditure and impact, and it drives a culture of accountability and responsibility across the organisation for the actions taken or still to be taken.
Whilst security is often expressed as the need to maintain confidentiality, integrity and availability, for many businesses this results in a less focused approach to control and remediation, because an asset (for example) will typically have requirements in all three categories at once.
CSR solutions specialise in quantitative risk assessments and are exponents of the FAIR (Factor Analysis of Information Risk) methodology.
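The following is an added illustration of the prioritisation argument above (financial values replacing same-coloured traffic lights) expressed with the core FAIR terms named on this page: a loss event frequency and a loss magnitude per scenario, combined into an annualised loss figure and compared against the cost of a proposed control. It is example code written for this page, not CSR solutions' tooling nor the FAIR standard's own calculator. The three scenarios, their low/likely/high ranges, control costs and the assumed fraction of loss each control removes are all constructed sample values; the simplifications (triangular ranges, annual loss as frequency times magnitude) are modelling assumptions chosen to keep the example short.

```python
"""FAIR-style quantitative risk ranking (added example with constructed data)."""
from dataclasses import dataclass
import random
import statistics


@dataclass
class Estimate:
    """Three-point (low / most likely / high) estimate, modelled as triangular."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution is the average of its three points.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class RiskScenario:
    name: str
    loss_event_frequency: Estimate   # loss events per year
    loss_magnitude: Estimate         # loss per event, in currency units
    control_cost: float              # annual cost of the proposed remediation
    control_effect: float            # assumed fraction of annual loss the control removes


def expected_annual_loss(s: RiskScenario) -> float:
    """Point estimate: mean frequency times mean magnitude (annualised loss)."""
    return round(s.loss_event_frequency.mean() * s.loss_magnitude.mean(), 2)


def simulate_annual_loss(s: RiskScenario, iterations: int = 10000, seed: int = 0) -> dict:
    """Monte Carlo view of the same scenario: median and 90th percentile annual loss."""
    rng = random.Random(seed)
    losses = [s.loss_event_frequency.sample(rng) * s.loss_magnitude.sample(rng)
              for _ in range(iterations)]
    deciles = statistics.quantiles(losses, n=10)   # 9 cut points: p10 .. p90
    return {"p50": round(deciles[4], 2), "p90": round(deciles[8], 2)}


def net_control_benefit(s: RiskScenario) -> float:
    """Loss avoided by the control, minus what the control costs, per year."""
    return round(expected_annual_loss(s) * s.control_effect - s.control_cost, 2)


def rank_by_net_benefit(scenarios) -> list:
    """Order scenarios so the best return on security spend comes first."""
    rows = [(s.name, expected_annual_loss(s), net_control_benefit(s)) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample scenarios (illustrative numbers, not real assessment data).
SCENARIOS = [
    RiskScenario("Phishing-led account takeover",
                 Estimate(1, 2, 3), Estimate(30_000, 60_000, 90_000),
                 control_cost=30_000, control_effect=0.8),
    RiskScenario("Ransomware on file servers",
                 Estimate(0.1, 0.2, 0.3), Estimate(500_000, 1_000_000, 1_500_000),
                 control_cost=150_000, control_effect=0.9),
    RiskScenario("Lost unencrypted laptop",
                 Estimate(3, 6, 9), Estimate(1_000, 2_000, 3_000),
                 control_cost=20_000, control_effect=0.5),
]


if __name__ == "__main__":
    for name, ale, benefit in rank_by_net_benefit(SCENARIOS):
        print(f"{name:32s} ALE {ale:>12,.2f}  net benefit {benefit:>12,.2f}")
    for s in SCENARIOS:
        print(s.name, simulate_annual_loss(s))
```

Note that the scenario with the largest annualised loss (ransomware) is not the one with the best net benefit: its control is expensive, so the phishing control ranks first, while the laptop control costs more than the loss it avoids and would be deprioritised. That is the conversation a colour-only heatmap cannot support.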