Cyberrisk quantification (CRQ) expresses cybersecurity risk in terms of monetary value to the enterprise. A new white paper from ISACA, Cyberrisk Quantification, addresses the importance of acquiring useful data and amplifying it as part of a CRQ analysis.
“CRQ translates technology concerns into business concerns,” according to the white paper. “Connecting technology and business objectives is critical to ensuring that enterprises understand how technology affects their goals and objectives. CRQ methods necessarily consider the business impact of cyberincidents.”
Cybersecurity measurement can be challenging, though, because accurate data is difficult to gather. The white paper identifies three sources of data: external sources, internal sources and the opinions of subject matter experts. Combining internal and external data provides enterprises with a clearer picture of the overarching threat landscape.
CRQ can be a critical enabler for improving an organization’s approach to cyberrisk. The white paper notes: “Referring scenarios that describe illicit data disclosure, fraud and business interruption back to applications and systems that can trigger them—and identifying controls that detect or prevent failures, and/or facilitate recovery—all help enterprises acquire end-to-end visibility into their risk posture.”