In contrast to our peers (while not trying to be negative), our approach is:
- Driven by specific threats: rather than a broad-based approach to technology risk, we focus on specific technology-related threats that may impact a business. Our current focus is on 3 threats: data loss, malware / ransomware and Business Email Compromise (BEC).
- Quantitative for inherent risk and impact, in dollars and cents. The magnitude of an event (its inherent risk) is estimated in dollars.
- Quantitative for control effectiveness: the model we develop for each threat identifies an exhaustive set of controls, each with an effectiveness level proposed by a group of subject matter experts and vetted by their peers. The models and ratings are not perfect, but they rest on practitioner input rather than opinion alone. To our knowledge, this is the first example in the industry of controls married to specific effectiveness ratings.
- Exhaustive in terms of controls: all controls that might mitigate a risk are included in an assessment and given effectiveness ratings. We are not limited to a curated list of controls.
- Consensus driven to determine control effectiveness: the working group will assign effectiveness ratings for controls as a proposed baseline based on their real world experience.
- Relatively linear: when determining control effectiveness, our approach assumes a control is working as intended. We do not yet model control atrophy, where a control weakens over time through neglect or drift from its original configuration. As the field matures we will add more variables; one of our colleagues is an expert in this area, including stochastic modeling.