This document provides an agenda for a crash course on managing cyber risk using quantitative analysis. It covers concepts like risk, uncertainty, and risk management approaches. It then discusses qualitative, semi-quantitative, and quantitative risk analysis methods. Monte Carlo simulation and PERT distributions are presented as tools for quantitative analysis. Exercises are provided to demonstrate applying these concepts, including estimating the risk associated with unencrypted laptops being lost or stolen.

1. Northeast Ohio Chapter

2. Crash Course:
Managing Cyber Risk Using
Quantitative Analysis

3. Disclaimer:
I am not a lawyer This is not legal advice

4. Cost of cyber crime by 2019 – Juniper Networks

7. $231.94 Billion
Cyber Security Market by 2022

8. Houston,
we DON’T have
an IT

9. Objective

10. Agenda
Part 1 – Case Study
Part 2 – Concepts and Theory
Part 3 – Application of Concepts

11. Part 1 – Case Study:

13. Part 2 – Concepts and Theory

14. Concepts
• Risk & Uncertainty
• Risk Management
• Risk Analysis

15. Risk & Uncertainty

16. COBIT: Risk is generally defined as the combination of the
probability of an event and its consequence.
FAIR: The probable frequency and magnitude of future
loss.
AIE/Hubbard: 1) The probability and magnitude of a loss,
disaster, or other undesirable event.
2) A state of uncertainty where some of the possibilities
involve a loss, catastrophe, or other undesirable
outcome.
Risk

17. Measurement of Risk: A set of possibilities each with
quantified probabilities, and quantified losses. For
example: “we believe there is a 40% chance the
proposed oil well will be dry with a loss of $12 million
in exploratory drilling costs.”
Risk

18. AIE/Hubbard: The lack of complete certainty, that is, the
existence of more than one possibility. The “true”
outcome/state/result/value is not known.
Measurement of Uncertainty: A set of probabilities
assigned to a set of possibilities. For example: “there is
a 60% chance this market will more than double in five
years, a 30% chance it will grow at a slower rate, and a
10% chance the market will shrink in the same period”.
Uncertainty

19. Risk Management

20. FAIR: The combination of personnel, policies,
processes, and technologies that enable an
organization to cost-effectively achieve an acceptable
level of loss exposure.
AIE/Hubbard: Long definition: The identification,
assessment, and prioritization of risks followed by
coordinated and economical application of resources
to minimize, monitor, and control the probability and/or
impact of unfortunate events
Shorter definition: Being smart about taking chances
Risk Management

21. ISO Guide 73:2002: Coordinated activities to direct and
control an organization with regard to risk
ISACA CRISC: The coordinated activities to direct and
control an enterprise with regard to risk.
Risk management is the identification, assessment and
prioritization of risk followed by coordinated and
economical application of resources to minimize,
monitor, and control the probability and/or impact of
adverse events or to maximize the realization of
opportunities.
Risk Management

22. • Avoid
• Mitigate
• Transfer
• Accept
• Progress
• Risk Indicators
• Operating
Environment
Risk Factors
• Threat
• Vulnerabilities
• Impact
• Issues
• Tolerance /
Appetite
Discover Analyze
TreatMonitor
iskManagementProcess

24. Risk Analysis

25. You can’t manage
what you don’t
measure.

26. Why do we measure
(aka analyze) risk?

27. Informing Decisions
● How much risk do we have?
● How much should we invest in security?
● Where should we invest?
● What are we getting for our investment?

28. What if we measured
everything like we
measure cyber risk?

29. How far?
Distance rating: 6

30. How much?
Medium

31. Mental Models Analytical Models
How do we assess risk?

32. Analytical Methods
Source: NIST 800-30r1 – Guide for Conducting Risk Assessments

33. Qualitative Analysis

34. Semi-Quantitative Analysis
Risk Rating: 20.781

35. Quantitative Analysis

38. Math on
Ordinal Scales

40. Quantitative risk analysis:
How do we do it?

41. Risk Analysis Basics
1. Risk Scenarios
2. Risk Models
3. Simulations

42. Risk Scenario
Scenarios are a powerful tool in a risk manager’s armory—
they help professionals ask the right questions and prepare
for the unexpected. Scenario analysis has become a ‘new’
and best practice in enterprise risk management (ERM)
(Source: isaca.org)

43. Example Risk Scenario Statement
Risk scenario statement:
What is the risk associated with PHI being exposed
via a lost/stolen laptop?

45. Essentially, all
models are wrong,
but some are
useful.
- George E. P. Box

46. Risk Models Help Us:
●Decompose complex risk issues.
●Understand correlated relationships between variables/risk
factors.
●Diagnose disagreements/issues.
●Bring credibility to our findings.
●Enable conversations.

49. Simulations
Two primary tools:
a) Probability Distributions (PERT)
b) Monte Carlo Simulation (Stochastic
Modeling)

50. Monte Carlo Simulation
Computerized mathematical technique that
allows people to account for risk in quantitative
analysis and decision making.

51. Pert Distibutions
Form of probability distribution used to model
expert data.

52. Pert Distribution Histogram

53. Open
FAIR

54. What is FAIR?
Factor Analysis of Information Risk
Published by Jack Jones in 2005
Adopted by the Open Group in 2014
● Risk Taxonomy Standard
● Risk Analysis Standard

55. Forms of Loss
● Productivity
● Response
● Replacement
● Fines/Judgement
● Competitive Advantage
● Reputation

56. Loss
Magnitude
Risk
Loss Event
Frequency
The probable frequency and
probable magnitude of loss.

57. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

58. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

59. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

60. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

61. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

62. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

63. Loss Event
Frequency
Loss
Magnitude
Threat Event
Frequency
Risk
Vulnerability
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength

64. Loss Event
Frequency
Loss
Magnitude
Secondary
Loss Factors
Risk
Primary Loss
Factors
Organizational
Loss Factors
External Loss
Factors
Asset Loss
Factors
Threat Loss
Factors

65. Loss Event
Frequency
Loss
Magnitude
Secondary
Loss Factors
Risk
Primary Loss
Factors
Organizational
Loss Factors
External Loss
Factors
Asset Loss
Factors
Threat Loss
Factors

66. Loss Event
Frequency
Loss
Magnitude
Secondary
Loss Factors
Risk
Primary Loss
Factors
Organizational
Loss Factors
External Loss
Factors
Asset Loss
Factors
Threat Loss
Factors

67. Part 3 – Exercises

68. Exercise 1: Guess My Weight

69. Exercise 1: Pert Distribution
Guess my weight
●Min:
●Max:
●Most Likely:
●Confidence:

70. Exercise 2:
Guess My Weight…in Hot Tamales!

71. Hot Tamale vs Plain M&M

72. Exercise 3:
Auditors report lack of laptop
encryption is a “high risk” issue.
Encryption will require a $200-250K
investment.
CFO wants to know if this is worth
the investment.

73. Laptop Theft
Breach
Investigation Class Action
Fine Judgement
50% probability
(once every 2 years)
50% prob.
0 – 100K records
5% prob.
10% prob.
10% prob.
5% prob.
$50K - $4.5M $100K - $20M

74. Primary Loss Event Frequency
Min
(95% CI)
Most
Likely
Max
(95% CI)
LEF 0 1 5

75. Primary Loss Magnitude
Min
(95% CI)
Most
Likely
Max
(95% CI)
Replacement
Costs
$1,200 $1,750 $2,500
Response
Costs
$2,500 $75K $250K

76. Secondary Loss Magnitude
Min
(95% CI)
Most
Likely
Max
(95% CI)
Response
Costs
$100K $250K $8M
Fines /
Judgement
$0 $0 $10M

78. Simulation Output

79. Simulation Output

80. Simulation Output

81. “The significant problems we face
cannot be solved at the same level of
thinking with which we created them.”

82. @appsgarcia
agarcia@healthguardsecurity.com
513.549.4272
Apolonio “Apps” Garcia