Data Driven Risk Assessment
Hello!
I am Joe Crampton
VP Product at Resolver
@JoeCrampton
joe@resolver.com
Session Objective
Understand how data can be mapped to risk events to drive improved assessment accuracy.
Why does this matter?
Every organization faces more risks than they have budget to address. How do you choose which ones? Have you done enough?
A Quick Review of Qualitative Risk Assessment
Risk Assessment Terminology
Frequency / Likelihood
The probability of a risk event occurring.
Impact
The magnitude of the risk event on your organization should it occur.
Control
Any action that reduces the impact and/or likelihood of the risk.
Risk
An event that may impact your objectives or critical assets.
Vulnerability / Control Effectiveness
How well prepared are we for this risk?
Qualitative Risk Assessment
Illustrative Impact Scale
RATING | DEFINITION
EXTREME
• Financial loss of $X million or more
• International long-term negative media coverage; game-changing loss of market share
• Significant prosecution and fines, litigation including class actions, incarceration of leadership
• Significant injuries or fatalities to employees or third parties, such as customers or vendors
• Multiple senior leaders leave
MAJOR • …
MODERATE • …
MINOR • …
INCIDENTAL
• Financial loss up to $X
• Local media attention quickly remedied
• Not reportable to regulator
• No injuries to employees or third parties, such as customers or vendors
• Isolated staff dissatisfaction
Source: Coso.org
IRAM 2 Example Impact Rating Scale
Illustrative Frequency Scale
RATING | ANNUAL FREQUENCY | PROBABILITY IN LIFE OF ASSET OR PROJECT
FREQUENT | Up to once in 2 years or more | > 90%
LIKELY | Once in 2 years up to once in 25 years | 65%-90%
POSSIBLE | Once in 25 years up to once in 50 years | 35%-65%
UNLIKELY | Once in 50 years up to once in 100 years | 10%-35%
RARE | Once in 100 years or less | < 10%
Source: Coso.org
Illustrative Vulnerability Scale
RATING | DEFINITION
VERY HIGH
• No scenario planning performed
• Lack of enterprise level/process level capabilities to address risks
• Responses not implemented
• No contingency or crisis management plans in place
HIGH • …
MEDIUM • …
LOW • …
VERY LOW
• Real options deployed to maximize strategic flexibility
• High enterprise level/process level capabilities to address risks
• Redundant response mechanisms in place and regularly tested for critical risks
• Contingency and crisis management plans in place and rehearsed regularly
Source: Coso.org
An example scenario
Asset Theft: Customer Information Database
Asset:
A database of 500,000 customer records that is stored on a commercially developed application on an on-premise server.
Risk:
The access to and removal of the customer data through either physical or virtual means.
Qualitative Risk Assessment
Zooming into the Risk
Asset Theft: Customer Database
[FAIR risk decomposition diagram]
Risk
  Loss Event Frequency
    Threat Event Frequency: Contact Frequency, Probability of Action
    Vulnerability: Difficulty, Threat Capability
  Loss Magnitude
    Primary Loss
    Secondary Loss: 2nd Loss Event Frequency, 2nd Loss Event Magnitude
Asset Description: A database of 500,000 customer records that is stored on an internally developed application on an on-premise server.
Event Description: The access to and removal of the customer data through either physical or virtual means.
Loss Event Frequency
Asset Theft: Customer Database
[FAIR risk decomposition diagram]
Risk
  Loss Event Frequency
    Threat Event Frequency: Contact Frequency, Probability of Action
    Vulnerability: Difficulty, Threat Capability
  Loss Magnitude
    Primary Loss
    Secondary Loss: 2nd Loss Event Frequency, 2nd Loss Event Magnitude
Asset Description: A database of 500,000 customer records that is stored on an internally developed application on an on-premise server.
Event Description: The access to and removal of the customer data through either physical or virtual means.
Loss Event Frequency
Asset Theft: Customer Database
• Has this ever happened to us before? (How many times, over what time period?)
• Has this almost happened before?
• How often has this happened in our community? (industry, region, supply chain, peers)
Incident Database
2 EVENTS IN THE LAST 3 YEARS
1. An employee downloaded their contacts and emailed them to their private email address right before submitting their resignation.
2. An employee's computer was compromised with malware that included a keylogger. It is speculated that their customer DB login details were stolen.
[Diagram: incident records (INC) linked to the Risk]
Core Demo
with Incidents Tied to Risks
If we have this data, we can estimate it directly.
If not, we need to go deeper.
Threat Event Frequency
Asset Theft: Customer Database
[FAIR risk decomposition diagram]
Risk
  Loss Event Frequency
    Threat Event Frequency: Contact Frequency, Probability of Action
    Vulnerability: Difficulty, Threat Capability
  Loss Magnitude
    Primary Loss
    Secondary Loss: 2nd Loss Event Frequency, 2nd Loss Event Magnitude
Source: The FAIR Methodology
Asset Description: A database of 500,000 customer records that is stored on an internally developed application on an on-premise server.
Event Description: The access to and removal of the customer data through either physical or virtual means.
Threat vs. Loss
Threat vs Loss
THREAT LOSS
Threat Event Frequency
Asset Theft: Customer Database
• What threats have the potential of triggering this loss event?
• What is the threat community? (Who or what can perpetrate this threat?)
• How likely is that actor to act? (Probability of Action)
Threat Events
Asset Theft: Customer Database
Threat Community | Contact Type | Probability of Action
Privileged Insiders (insiders who have and need access to the system) | Regular | Very Low
Non Privileged Insiders (insiders who have access but don't need access) | Intentional | Low
Cyber Criminals (outsiders who would need to break in to get it) | Intentional | Certain
Application Vendor (outsiders that may have access to the application) | Regular | Low
Office Visitors (outsiders that are physically inside the organization) | Regular | Low
Threat Events
Asset Theft: Customer Database
Threat Community | Contact Type | Probability of Action
Privileged Insiders (insiders who have and need access to the system) | Regular | Low
Non Privileged Insiders (insiders who have access but don't need access) | Intentional | Low
Cyber Criminals (outsiders who would need to break in to get it) | Intentional | 100%
Application Vendor (outsiders that may have access to the application) | Regular | Low
Office Visitors (outsiders that are physically inside the organization) | Regular | Low
Threat Events - Non Privileged Insiders
Insiders who have access but don’t need access.
▪ How big is this Threat Community?
▪ What % of the community is likely to abuse that access?
▪ How vulnerable are we to this threat?
▪ How do we get data to answer these questions?
Core Demo
with RightCrowd IQ
RightCrowd IQ
https://reporiademo2server.azurewebsites.net/#/metricHistory?dashboardKey=7b06cac6-3e08-4070-a2f2-e7f43b113fe9&uniqueId=21cae8ac-eee8-4272-8a91-00c64e367165&metricHistoryKey=788886274
RightCrowd IQ
https://reporiademo2server.azurewebsites.net/#/metricHistory?dashboardKey=0edb2e9b-c6c6-408c-8ba8-388120d4f78b&uniqueId=9a2cfb2e-bfbf-4a95-a89e-e279968812c2&metricHistoryKey=788903301
Threat Events
Asset Theft: Customer Database
Threat Community | Contact Type | Probability of Action
Privileged Insiders (insiders who have and need access to the system) | Regular | Low
Non Privileged Insiders (insiders who have access but don't need access) | Intentional | Low
Cyber Criminals (outsiders who would need to break in to get it) | Intentional | 100%
Application Vendor (outsiders that may have access to the application) | Regular | Low
Office Visitors (outsiders that are physically inside the organization) | Regular | Low
Threat Events - Office Visitors
Outsiders that are physically inside the organization.
▪ How big is this Threat Community?
▪ What % of the community is likely to abuse that access?
▪ How vulnerable are we to this threat?
▪ How do we get data to answer these questions?
Vendor Assessments
Threat Events
Asset Theft: Customer Database
Threat Community | Contact Type | Probability of Action
Privileged Insiders (insiders who have and need access to the application) | Regular | Low
Non Privileged Insiders (insiders who have access but don't need access) | Intentional | Low
Cyber Criminals (outsiders who would need to break in to get it) | Intentional | 100%
Application Vendor (outsiders that may have access to the application) | Regular | Low
Office Visitors, Maintenance (outsiders that are physically inside the organization) | Regular | Low
Threat Events - Application Vendor
Outsiders that may have access to the application
▪ How big is this Threat Community?
▪ What % of the community is likely to abuse that access?
▪ How vulnerable are we to this threat?
▪ How do we get data to answer these questions?
Site Risk Assessment
Repeat our Qualitative Risk Assessment with Better Data
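As an added example (not code from the deck or from Resolver), the two routes the slides describe for Loss Event Frequency: directly from the incident database (2 events in 3 years), and bottom-up through the FAIR decomposition across the five threat communities in the Threat Events table, with both results rated on the deck's illustrative frequency scale. The contact frequencies, vulnerability values and the numeric mapping of the Probability of Action labels are constructed assumptions.

```python
"""Added example (not from the deck): Loss Event Frequency for 'Asset Theft:
Customer Database' two ways, per the FAIR decomposition the slides show."""
from dataclasses import dataclass

# Annual frequency bands from the deck's illustrative frequency scale (COSO).
FREQUENCY_SCALE = [         # (rating, lowest events-per-year in the band)
    ("Frequent", 1 / 2),    # up to once in 2 years or more often
    ("Likely", 1 / 25),     # once in 2 years up to once in 25 years
    ("Possible", 1 / 50),   # once in 25 years up to once in 50 years
    ("Unlikely", 1 / 100),  # once in 50 years up to once in 100 years
    ("Rare", 0.0),          # once in 100 years or less
]

def rate_frequency(events_per_year: float) -> str:
    """Map an annual frequency onto the qualitative frequency scale."""
    for rating, floor in FREQUENCY_SCALE:
        if events_per_year >= floor:
            return rating
    return "Rare"

def lef_from_incidents(event_count: int, years: float) -> float:
    """Direct estimate from the incident database (slide: 2 events in 3 years)."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return event_count / years

# Probability of Action labels from the Threat Events table -> assumed point values.
PROBABILITY_OF_ACTION = {"Very Low": 0.01, "Low": 0.05, "Certain": 1.0, "100%": 1.0}

@dataclass
class ThreatCommunity:
    name: str
    contact_frequency: float    # contacts with the asset per year (assumed)
    probability_of_action: str  # label from the Threat Events table
    vulnerability: float        # P(threat event becomes a loss event), assumed

    def threat_event_frequency(self) -> float:
        # FAIR: TEF = Contact Frequency x Probability of Action
        return self.contact_frequency * PROBABILITY_OF_ACTION[self.probability_of_action]

    def loss_event_frequency(self) -> float:
        # FAIR: LEF = TEF x Vulnerability
        return self.threat_event_frequency() * self.vulnerability

def lef_from_decomposition(communities: list) -> float:
    """Bottom-up estimate: sum LEF over all threat communities."""
    return sum(c.loss_event_frequency() for c in communities)

# Constructed figures for the five communities named on the slides.
COMMUNITIES = [
    ThreatCommunity("Privileged Insiders", 50, "Very Low", 0.6),
    ThreatCommunity("Non Privileged Insiders", 10, "Low", 0.4),
    ThreatCommunity("Cyber Criminals", 20, "100%", 0.005),
    ThreatCommunity("Application Vendor", 4, "Low", 0.25),
    ThreatCommunity("Office Visitors", 100, "Low", 0.002),
]
```

With these assumed inputs both routes land at roughly 0.66 events per year, which the deck's scale rates Frequent; when the two routes disagree, that gap is the place to go looking for better data.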
Benefits of Data Driven Risk Assessment
ASSESSMENTS ARE BASED ON FACTS
• Improved risk assessment accuracy.
• Factual justification for assessment.
AUTO TUNING RISK REGISTER
• Identify emerging risks
• Confirm / disprove existing risks
IMPROVED RESOURCE ALLOCATION
• Align resources where the data says they will make the most difference
EXECUTIVE REPORTING
• Effective reporting requires incidents to be expressed in relation to their Impact
Thanks!
Any questions?
@JoeCrampton
joe@resolver.com
