Control Initiatives (CI)
This topic describes the process of establishing a set of Control Initiatives (CI) to use in quantification and to assign those Control Initiatives to quantified scenarios.
When changing numbers in the control initiatives data, refresh the browser page to see the changes reflected in the CI graphs.
To correctly show control initiative data in board reports, provide different numbers for the initial and annual cost estimates, with the yearly cost preferably smaller as the initiatives kick in.
Participants
- Project Lead (or Facilitator, as necessary)
- Core Workshop Participants
- Subject Matter Experts
Timeframe
CI activities are performed during specific workshops or between CI workshops on an ongoing basis.
Background
Cyber risk quantification is a method to simulate potential financial consequences and damages that could be incurred if a scenario is realized. Understanding these outcomes allows one to consider proactive actions that can reduce scenario exposure, limit consequences, or both. These actions (defined as Control Initiatives in the Axio CRQ Method) are potential investments to mitigate cyber risk and exposure. The effects of these investments can then be simulated to determine the degree to which they efficiently counter the potential impact of a scenario. And, where more than one investment is proposed, simulation informs the priority for considering these investments. This way, the Axio CRQ Method aligns the organization’s cybersecurity and business investments with risk scenarios in the most efficient and effective balance.
Control Initiatives
In the Axio CRQ Method, a Control Initiative is one or more administrative, technical, or physical control improvements or risk mitigation actions that could be implemented to reduce susceptibility to or mitigate the impact of an identified cyber risk. Control Initiatives can represent a range of activities, including:
- Remediation of control deficiencies identified during the scenario brainstorming and elaboration process that need to be addressed to prevent or minimize the consequence of the scenario (for example, failure to regularly back up critical data that could be encrypted in a ransomware attack).
- Remediation of practice deficiencies identified in compliance, risk, or security assessments that require improvement to reduce the risk of scenario exposure (for example, poor control over assigning network access to third parties).
- Remediation of known operational deficiencies, such as a failure to patch vulnerabilities promptly or the lack of timely upgrading or sunsetting crucial technologies.
- Cybersecurity and information technology projects and roadmaps that define proposed future investments, which may significantly affect scenario exposure, positively or negatively.
- Current or proposed regulatory or statutory changes that could affect scenario risks. These could include new data privacy and confidentiality regulations that must be met, affecting scenarios involving regulated data.
- Changes to cybersecurity and information technology strategies, programs, and architectures resulting from potential operating conditions and business strategy changes. For example, the introduction of a new product might require significant alterations to an existing application, system, or network.
Using Control Initiatives in Quantification
Determining the value of a cybersecurity or information technology investment can be complex. Traditional financial justification methods, such as calculating an internal rate of return (IRR), can be challenging to apply to assets that prioritize cost avoidance over income or revenue generation. Scenario quantification provides a means to evaluate these investments accordingly so that decision-makers can consider their financial impact.
Simulating the effects of risk mitigation is a goal of the quantification process. Simulation of a scenario’s impact answers several questions. For example, if a particular mitigation action—a Control Initiative—is implemented:
- How much risk and exposure from the scenario is reduced?
- Does the Control Initiative reduce the organization’s susceptibility to the scenario?
- How are consequences and damages diminished, and what costs can be avoided?
- Can the Control Initiative be altered so that the balance of risk reduction and cost avoidance is most efficient?
- Can the Control Initiative be combined with other Control Initiatives to maximize risk reduction and cost avoidance?
- Can a range of scenarios benefit from implementing a single Control Initiative?
In general, Control Initiatives in the Axio CRQ Method provide a way to establish a “future state” of the scenario to analyze how risk, exposure, and consequences might quantitatively change. Control Initiatives accomplish this by modifying susceptibility to a scenario and/or by altering specific Estimated Values. Note that a single Control Initiative, such as implementing a privileged account management system, can affect each scenario differently, so its effect will be scenario-dependent. A single scenario can be affected by one or more Control Initiatives in combination as required.
To simulate the effects of Control Initiatives, two primary scenario elements are analyzed in context: the susceptibility of the organization to the scenario and/or the Estimated Values used in quantifying impact.
Altering Susceptibility Due to Control Initiatives
A Control Initiative can significantly alter how the Elements of Cyber Risk are reflected in a scenario. For example, a Control Initiative may reduce or eliminate a vulnerability or exposure, thus reducing the potential for impact and consequences. Alternately, a Control Initiative may eliminate an actor’s window of opportunity by requiring critical vulnerabilities to be patched within 12 hours of notification. If a Control Initiative changes an element of cyber risk, the organization’s susceptibility to such risk is altered as well. Therefore, it is a good practice to analyze how the proposed Control Initiative could change each element of cyber risk and what happens to impact as a result.
Changes to Estimated Values Due to Control Initiatives
A Control Initiative can also cause changes in the Estimated Values that are used in quantification Formulas. For example, a Control Initiative that improves the incident response process (such as by performing more frequent incident response exercises) may reduce the “number of hours worked by forensic staff,” thereby reducing the overall potential cost of a ransomware attack response. Thus, as with susceptibility, the potential effect of a Control Initiative on Estimated Values should be analyzed to determine the resulting change in the conditions of risk, such as a reduced vulnerability or exposure, and the degree to which the potential consequences of the scenario are diminished.
Activities
Establish a set of Control Initiatives to use in quantification
Remember that the list of Control Initiatives may represent various activities as noted above, so be sure to consider this list when establishing a set of Control Initiatives to be used in this activity. Additionally, keep in mind that these Control Initiatives may be used for more than one scenario, so include those initiatives that most efficiently demonstrate the ability to maximize risk reduction with minimal investment.
When establishing Control Initiatives, document the known or estimated initial cost of the initiative, as well as the annual costs as appropriate. Be as precise as possible, since these costs will help to determine whether the amount of risk reduction is significant enough to warrant the investment.
Control Initiatives can be created and documented in the Initiatives tab of a scenario. Once a Control Initiative is created, it can be applied to all scenarios.
Before you proceed with this activity, be sure that impact estimates are complete for a scenario since Control Initiatives will alter this baseline estimate.
Assign Control Initiatives to quantified scenarios
In this activity, established Control Initiatives are assigned to scenarios as appropriate. Discussion may be necessary to decide which Control Initiatives are suitable for each scenario. During this discussion, additional Control Initiatives may need to be defined and added to the collection. Be sure to view all scenarios to determine whether a Control Initiative applies to multiple scenarios; a Control Initiative that reduces risk across several scenarios is easier to justify as an investment because it maximizes risk reduction. Two primary steps comprise this activity. Select a Control Initiative and then:
- Change the Susceptibility rating as appropriate. Consider the effect of the Control Initiative on the organization’s susceptibility to the scenario. In most cases, if the Control Initiative is purposeful, it should result in maintaining or lowering the Susceptibility.
- Consider changes to Estimated Values. Select the Estimated Values that may be affected by the Control Initiative and change as appropriate. All Estimated Values used in the scenario are available to change.
Simulate the impact of Control Initiatives on risk mitigation
In the Axio360 Platform, this activity is performed in the Scenario Dashboard. In the dashboard:
- Select a scenario for simulation.
- Examine the Simulated Costs widget that represents the Monte Carlo simulation for the scenario. This displays the base case for impact estimation.
- Go to the “gear” icon and select a Control Initiative to model.
- Review the updates to the Simulated Costs as a result of applying the Control Initiative.
View the collective effects of a Control Initiative (or Initiatives) on a scenario
In the Axio360 Platform, this activity is performed in the Scenario Collection Dashboard. In the Scenario Map widget, the baseline scenario is represented by a large circle. (The scenario’s name can be viewed by clicking on the circle.)
Smaller circles extending from the baseline scenario represent changes to the scenario due to modeling one or more Control Initiatives. Note that the small circles represent changes to Susceptibility, Estimated Values, or both.
Board Report Definitions
- Calculation of Loss Exposure: These are the min, max, and expected values of the risk histogram for the scenario.
- Planned Number of Security Initiatives: The number of CIs (control initiatives) applicable to the scenario.
- Loss Decrease Due to $ Planned: The difference between the expected Calculation of Loss Exposure and the Calculation of Planned Loss Exposure.
- Planned $ Spent on Security Initiatives [Desired state]: The combined initial and annual costs for the CIs applicable to the scenario (see the Planned number of control initiatives).
- Calculation of Planned Loss Exposure [Desired state]: The min, expected, and max of the scenario with all applicable CIs applied to it (i.e., the aggregate reduction of risk).
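As an added illustration of how the board report figures above follow from the simulation (this is example code written for this page, not Axio's own model or platform code): a small Monte Carlo model of a scenario's loss exposure before and after Control Initiatives that lower Susceptibility or replace Estimated Values. Treating susceptibility as an annual probability, the quantification formula (forensic labour plus outage cost), the triangular distributions, and all figures are assumptions of this example, not taken from the page.

```python
import random
from dataclasses import dataclass, field, replace

@dataclass
class Scenario:
    susceptibility: float   # assumed: probability the scenario is realized in a year
    values: dict            # Estimated Values, each as (min, most likely, max)

@dataclass
class ControlInitiative:
    name: str
    initial_cost: float
    annual_cost: float
    susceptibility_delta: float = 0.0                    # reduction in susceptibility
    value_overrides: dict = field(default_factory=dict)  # Estimated Values it changes

def tri(rng, ev):          # random.triangular takes (low, high, mode), not (min, mode, max)
    lo, mode, hi = ev
    return rng.triangular(lo, hi, mode)
def impact(rng, v):        # assumed quantification formula: forensic labour + outage cost
    return (tri(rng, v["forensic_hours"]) * tri(rng, v["forensic_rate"])
            + tri(rng, v["downtime_hours"]) * tri(rng, v["downtime_cost"]))

def simulate(s, trials=20000, seed=1):   # Monte Carlo loss exposure: min/expected/max annual loss
    rng = random.Random(seed)
    losses = [impact(rng, s.values) if rng.random() < s.susceptibility else 0.0
              for _ in range(trials)]    # a year in which the scenario is not realized costs 0
    return {"min": min(losses), "expected": sum(losses) / trials, "max": max(losses)}

def apply_initiative(s, ci):             # future state: lower susceptibility, swap Estimated Values
    return replace(s, susceptibility=max(0.0, s.susceptibility - ci.susceptibility_delta),
                   values={**s.values, **ci.value_overrides})

def board_report(base, initiatives, trials=20000, seed=1):
    planned = base
    for ci in initiatives:               # initiatives combine: each modifies the previous state
        planned = apply_initiative(planned, ci)
    baseline, desired = simulate(base, trials, seed), simulate(planned, trials, seed)
    return {"loss_exposure": baseline,
            "planned_initiatives": len(initiatives),
            "planned_spend": sum(ci.initial_cost + ci.annual_cost for ci in initiatives),
            "planned_loss_exposure": desired,
            "loss_decrease": baseline["expected"] - desired["expected"]}

# Constructed sample scenario and initiatives (illustrative figures, not real data).
RANSOMWARE = Scenario(0.30, {"forensic_hours": (200, 400, 900), "forensic_rate": (250, 300, 400),
                             "downtime_hours": (24, 72, 240), "downtime_cost": (5000, 8000, 20000)})
INITIATIVES = [ControlInitiative("More frequent IR exercises", 150000, 40000,
                                 value_overrides={"forensic_hours": (100, 200, 500)}),
               ControlInitiative("12-hour critical patch SLA", 250000, 90000, susceptibility_delta=0.10)]
```

Calling `board_report(RANSOMWARE, INITIATIVES)` returns the five board report figures for the sample scenario; the same seed is used for the baseline and planned runs so the Loss Decrease reflects the initiatives rather than sampling noise.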