Bitsight Financial Quantification (FQ) is a form of Cyber Risk Quantification (CRQ). It offers companies insight into business impacts and financial loss exposure from cybersecurity incidents.
The Bitsight FQ model combines real historical cyber loss data, risk-correlated performance measurements, and an organization’s firmographic profile to provide tailored CRQ data in financial terms.
FQ results are presented in a dashboard. The dashboard elements take into account common enterprise risk management best practices to facilitate informed decision-making and action on key use cases:
- Single Loss Exposure (SLE) illustrates what a company can expect to lose due to a single cyber event (e.g., “If we were to have a loss, what would the likely outcome be?”). The Cyber Loss Exposure graph and the likeliest potential loss range are based on SLE.
- Frequency forecasts the likelihood of experiencing a cyber loss in the next 12 months based on a company’s overall security performance and exposure. Understanding frequency helps a company design preventive measures and response strategies for particular kinds of security incidents. This estimate feeds the financial loss model and is used, through simulation, to determine Annualized Loss Exposure (ALE).
- Annualized Loss Exposure (ALE) combines frequency and impact into a single metric, so that impact scenarios with different likelihoods and time horizons can be compared on one scale (e.g., “What are our top risks? How do I compare a low-probability, high-impact risk to a high-probability, low-impact risk?”).
- Peer Comparison puts your financial risk into a larger context, allowing you to see how you compare to your peer group.
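How the three quantities relate, as an added worked equation that is not part of the original page (the symbols $N$, $X_i$, $L$ and $\mathrm{EP}(x)$ are notation assumed here for illustration). Let $N$ be the number of loss events in a year and $X_1, \dots, X_N$ their sizes. Frequency is the distribution of $N$, Single Loss Exposure is the distribution of one $X_i$, and the annual loss is

$$L = \sum_{i=1}^{N} X_i .$$

ALE is the expected annual loss; when $N$ and the $X_i$ are independent, Wald’s identity gives

$$\mathrm{ALE} = \mathbb{E}[L] = \mathbb{E}[N]\,\mathbb{E}[X],$$

i.e. frequency times mean single-event impact. Writing the exceedance probability curve as $\mathrm{EP}(x) = P(L > x)$, the same quantity is the area under that curve:

$$\mathrm{ALE} = \int_0^{\infty} \mathrm{EP}(x)\,dx .$$

This is why risks on different time horizons can be compared on one axis: a 1-in-100-year loss of \$10M and a twice-a-year loss of \$50k both contribute \$100k to ALE, yet their EP curves differ, the first lying in the tail and the second near the origin, which is the information the Cyber Loss Exposure graph preserves and a single ALE figure does not.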
Financial Quantification Model Overview
Bitsight's FQ model generates exceedance probability (EP) curves based on its assessment of a company's cyber risk. These curves represent the range of possible financial losses resulting from a cyber incident and the likelihood of a loss scenario occurring over a year.
Step | Description
---|---
Baseline Risk Quantification | Creates a baseline cyber risk profile using firmographics, peer grouping, and the historical loss data set. Baselines for the frequency of loss events and for each impact scenario are established.
Company Risk Profile | Fine-tunes the baseline to a specific company using its risk vector grades and the security controls it attests to during setup.
Company Risk Quantification | Combines the Company Risk Profile and the Baseline Risk Quantification through Monte Carlo simulation to produce the final FQ results: Single Loss Exposure, Frequency, Annualized Loss Exposure, and Peer Comparison.
Establish a Baseline Risk Quantification
Firmographics
We use key firmographic information with strong correlations to financial loss exposure to establish a baseline risk profile. Some of this information is collected during FQ setup. The setup process asks for a company’s industries, operating geography, and revenue as well as information about the volume and nature of data it handles to match it to a peer group and establish a baseline set of loss distributions.
Peer Grouping
Real Historical Loss Data Set
We use real historical cyber loss data to inform and calibrate our risk models. The data set is based on both private and publicly available information on cyber losses from sources including cyber insurance claims, regulatory filings, public company disclosures, and court filings and judgements. This dataset is one of the most comprehensive available. There are over 160,000 cases in the data set covering the last ten years, and it is updated regularly.
Peer Group Determination
Peer losses are selected from our dataset to establish baseline loss distributions. Losses are selected from companies that are similar to the company being evaluated across key firmographic dimensions including industry, sub-industry, country and region, size, and data volume.
Cyber Risk Impact Scenarios
We analyze losses by impact scenario as well as overall. An impact scenario is a combination of damage types that share a particular business impact. This allows you to understand not only the likely total loss amount but also the nature of those losses and the impact to your business. One cyber event may map to multiple impact scenarios. For example, a single ransomware infection may result in losses from several scenarios at once (Ransomware & Extortion, Business Interruption, Data Theft & Privacy).
Impact Scenario | Description | Possible Damages
---|---|---
Ransomware & Extortion | An attack in which malware blocks access to data or systems until a ransom is paid. For example, a company impacted by the WannaCry ransomware attack would fall under this scenario. |
Business Interruption | A disruption of business operations. An example would be an attack that takes down a website or a fleet of ATMs. |
Data Theft & Privacy | An attack in which data is stolen. For example, an attacker exfiltrates customer records from a company. |
Regulation Compliance | A failure to comply with applicable laws and regulations. For example, a company shares sensitive data without user consent, violates GDPR, and consequently receives a fine. |
Third-Party Service Provider Failure | A loss caused by the compromise or failure of a third-party service provider. For example, attackers exploit a vulnerability in a vendor’s software to gain access to a company’s data. |
Frequency
In addition to the financial damages and magnitude of a particular loss, it is also important to understand the likelihood of experiencing a loss in a given timeframe. To capture this, we establish a baseline probability distribution for event frequency using a method similar to the one used for the loss distributions. Besides the case data set, we also draw on several other sources that are useful for establishing the frequency of certain events but lack the financial impact data needed for the loss distributions. This adds several thousand more confirmed and validated incidents to the frequency estimate.
Create a Company Risk Profile
Establishing baseline distributions allows us to predict the likelihood and financial magnitude of a loss at companies similar to yours. After completing these calculations for your peer group, we further refine the output using data on your company’s individual performance and exposure, drawn from the independently verified data that powers our rating. We combine this with optional self-attestation provided during FQ setup, which lets us adjust the baseline distributions for your internal controls and provide a more precise forecast of your loss exposure.
Risk Vectors
We include grades from the following risk vectors in our model (grouped by risk category):
- Compromised Systems
  - Botnet Infections
  - Malware Servers
  - Unsolicited Communications
  - Potentially Exploited
- Diligence
  - TLS/SSL Certificates
  - TLS/SSL Configurations
  - Open Ports
  - Patching Cadence
  - Insecure Systems
  - Mobile Software
- User Behavior
  - File Sharing
- Public Disclosures
  - Security Incidents
Security Controls
During setup, you can choose to attest to your use of key controls that are linked to internal processes or may not be measured by the risk vectors included in FQ. We use the Center for Internet Security (CIS) Critical Security Controls v8 (the control numbering and names below follow v8) because they map to many other control frameworks.
The following CIS Controls may be selected to help fine-tune the Financial Quantification:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
- CIS Control 5: Account Management
- CIS Control 6: Access Control Management
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 9: Email and Web Browser Protections
- CIS Control 10: Malware Defenses
- CIS Control 11: Data Recovery
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
- CIS Control 18: Penetration Testing
Leveraging Assessed Risk Vectors and Controls
We use a performance and exposure model that compares an individual organization’s grade or effectiveness in each risk vector and control against its peers and the general population, to measure how much better or worse it performs in these key areas than those peers. This matters because our goal is to adjust, through simulation, a company’s outcomes away from the baseline: the difference between a company’s performance and the peer baseline matters more than its absolute score or grade. For example, an A grade in a given risk vector is more influential if most of the company’s peers have a C, and vice versa.
What Influences Single Loss Exposure Magnitude vs Frequency?
Some controls and risk vectors have a larger influence on the likelihood of a loss occurring while some controls and risk vectors influence the magnitude of a loss should it occur. For example, Patching Cadence is much more indicative of the likelihood of certain types of loss occurring, but has little to do with the magnitude of the loss should it occur. Controls around incident response are much more effective at reducing the magnitude of a loss should it occur, but do little to directly reduce the likelihood of an event.
Monte Carlo Simulation
We perform Monte Carlo simulations to combine the baseline loss distributions with the performance data. This process simulates 100,000 hypothetical years. The simulations let us model the inherent uncertainty in cyber risk while still leveraging objective, verified historical data and measured performance and exposure. The results of these simulations are analyzed to produce the dashboard results.
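The pipeline described in the last three sections (peer-relative adjustment, the frequency-versus-magnitude split, Monte Carlo over hypothetical years, and the resulting SLE, ALE and exceedance probability curve), as an added toy example that is not Bitsight’s code and does not reproduce its calibrated model. Everything numeric here is an assumption: loss frequency is modelled as Poisson and single-event loss as lognormal, grades are placed on a 0–4 scale (F to A), peer mean and standard deviation for each input are made up, and the multiplier `exp(-sensitivity * z)` applied to a baseline parameter is a hypothetical way of making the distance from peers, not the absolute grade, drive the adjustment. Following the page’s text, the Patching Cadence grade scales frequency and an incident response control scales magnitude.

```python
import math
import random

YEARS = 100_000  # hypothetical years, as in the page's description

# Constructed baseline for a hypothetical peer group (assumption, not calibrated data):
# a loss event about every three years, single-event loss median $500k, heavy right tail.
BASELINE = {"freq_per_year": 0.3, "sev_median": 500_000.0, "sev_sigma": 1.5}

# Constructed peer statistics (mean, std) on a 0-4 grade scale (F=0 .. A=4).
# Patching Cadence is treated as a frequency driver, an incident response
# control as a magnitude driver, as the page describes.
PEERS = {"patching": (2.0, 1.0), "incident_response": (2.0, 1.0)}


def peer_adjustment(grade, peer_mean, peer_std, sensitivity=0.3):
    """Multiplier for a baseline parameter (hypothetical form). It depends on
    the distance from the peer mean in standard deviations, not on the absolute
    grade: an A (4) where peers average C (2) gives a strong reduction; an A
    where peers also average A gives exactly 1.0."""
    if peer_std <= 0:
        return 1.0
    z = (grade - peer_mean) / peer_std
    return math.exp(-sensitivity * z)


def company_profile(patching_grade, ir_grade, baseline=BASELINE, peers=PEERS):
    """Frequency-vs-magnitude split: patching cadence scales the event rate,
    incident response scales the size of a loss once it happens."""
    freq_mult = peer_adjustment(patching_grade, *peers["patching"])
    sev_mult = peer_adjustment(ir_grade, *peers["incident_response"])
    return {
        "freq_per_year": baseline["freq_per_year"] * freq_mult,
        "sev_median": baseline["sev_median"] * sev_mult,
        "sev_sigma": baseline["sev_sigma"],
    }


def _poisson(rng, lam):
    """Knuth's Poisson sampler (the stdlib random module has no poisson)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(profile, years=YEARS, seed=2024):
    """Return (annual_losses, event_losses) for `years` hypothetical years."""
    rng = random.Random(seed)
    mu = math.log(profile["sev_median"])
    annual, events = [], []
    for _ in range(years):
        n = _poisson(rng, profile["freq_per_year"])
        year_events = [rng.lognormvariate(mu, profile["sev_sigma"]) for _ in range(n)]
        events.extend(year_events)
        annual.append(sum(year_events))
    return annual, events


def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * (len(s) - 1)))]


def ale(annual_losses):
    """Annualized Loss Exposure: mean simulated loss per year (frequency x impact)."""
    return sum(annual_losses) / len(annual_losses)


def ep_curve(annual_losses, thresholds):
    """Exceedance probability: P(annual loss > x) for each threshold x."""
    n = len(annual_losses)
    return {x: sum(1 for loss in annual_losses if loss > x) / n for x in thresholds}


def quantify(patching_grade, ir_grade):
    annual, events = simulate(company_profile(patching_grade, ir_grade))
    return {
        "ale": ale(annual),
        # likeliest single-event loss range: 25th / 50th / 75th percentile of SLE
        "sle_range": tuple(percentile(events, q) for q in (0.25, 0.50, 0.75)),
        "p_any_loss": ep_curve(annual, [0.0])[0.0],  # frequency: P(at least one loss this year)
        "ep": ep_curve(annual, [1e6, 5e6, 25e6]),
    }


if __name__ == "__main__":
    cases = {"peer-average": (2.0, 2.0), "strong patching": (4.0, 2.0), "strong IR": (2.0, 4.0)}
    for label, grades in cases.items():
        r = quantify(*grades)
        print(f"{label}: ALE ${r['ale']:,.0f}, SLE p50 ${r['sle_range'][1]:,.0f}, "
              f"P(loss in year) {r['p_any_loss']:.3f}, EP {r['ep']}")
```

Running the three cases shows the split the page describes: the strong-patching company has a lower probability of any loss in a year and a lower ALE but an unchanged single-event loss range, while the strong-incident-response company keeps the same loss probability and instead shifts the SLE range and the EP curve down. Neither case changes its own absolute grade relative to the other; what moves the numbers is the gap from the peer mean.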
Deliver Company Financial Quantification Results
Because the results are derived from 100,000 simulated hypothetical years, the sample is large enough to estimate the probability of a given outcome, including rare, high-severity losses in the tail, with a meaningful level of precision. We present these results in several ways that align with the common use cases listed above.
- January 16, 2024: Major updates to Bitsight's FQ model.
- October 17, 2022: Published.