Prioritizing Notional Scenarios
This topic describes how to prioritize notional scenarios for elaboration and possible quantification.
Participants
- Project Lead (or Facilitator, as appropriate)
- Core Workshop Participants
- Subject Matter Experts
Timeframe
These activities are performed during the initial Cyber Risk Quantification workshop(s) or between workshops on an ongoing basis.
Background
After brainstorming, there may be many notional scenarios to contemplate. Using a prioritization method to focus on the scenarios most relevant to the organization shortens quantification time and directs resources to where they can best be used.
Activities
Select a prioritization method
There are many ways to prioritize notional scenarios. One example is a multi-voting process, performed by the participants of a workshop, which evaluates scenarios based on:
- relative susceptibility and qualitative impact on the organization
- alignment to current risks captured by enterprise risk
- requests of executive leadership
- the degree to which they represent risk for each function and threat objective
- other organizational concerns
A forced-ranking process can also be used to prioritize notional scenarios. The forced-ranking process is typically a Facilitator-led activity to categorize notional scenarios first by susceptibility and then by impact in the Axio360 Platform Risk Heat Map. Notional scenarios with the highest level of susceptibility and impact are then prioritized for quantification.
Select a prioritization method that aligns with the participants involved in the process and the organization’s culture. Remember that the output of this process is a viable list of notional scenarios to move forward into the elaboration process.
Prioritize the scenarios for elaboration
Using the selected prioritization method, work with workshop participants to choose a few scenarios that should be fully elaborated and quantified. Assign a relative susceptibility to each scenario that has been prioritized if it has not already been assigned.
Susceptibility Versus Likelihood
When prioritizing scenarios, it is imperative to understand how the Axio Method uses the concept of susceptibility in risk quantification.
A notional scenario is characterized by estimating the degree to which the scenario is likely to be realized. Higher potential indicates that a scenario is likely more certain than others and may require immediate attention. Lower potential may suggest a risk is possible but not probable and is low relative to other scenarios. In classic risk management theory, this potential is often characterized as a probability or a likelihood.
Probabilities are typically based on historical data for similar events or risks that have occurred in the past. This historical data helps risk managers establish confidence in their prediction that the risk will be realized. Probability estimation modifies the risk condition plus consequence statement and alters risk mitigation priorities. For example, an organization may prioritize investments in high-probability risks because it is assumed they are more likely to occur, resulting in higher certainty that the consequences of the risk will be realized.
Using probability in the classic sense is more challenging in cyber risk management. Historical data on cyber events is not available or reliable, and many cyber risk scenarios remain undefined or unknown until they occur. Even for well-established cyber events (such as ransomware attacks), the probability that such an attack will happen to a specific organization is not easily established. Thus, establishing probability with functional precision may not be possible for cyber risks, and it therefore has limited usefulness in considering a cyber risk scenario.
In cyber risk management, an organization’s susceptibility to a particular condition or risk is more beneficial for cyber risk quantification. Susceptibility defines the degree to which an organization believes a cyber risk scenario could be successfully executed and lead to the realization of consequences (tangible first- and third-party financial and physical impacts). That judgment is based on experience, current operating conditions, exposure to known vulnerabilities, or knowledge of the effectiveness of cybersecurity controls. A higher susceptibility rating does not indicate that a scenario is more likely to occur. Instead, it establishes that the organization is more susceptible to a particular scenario than other identified scenarios.
Defining susceptibility does not rely on a precise prediction of probability; instead, it allows an organization to express the potential success of a cyber risk scenario in qualitative terms from very low to very high. While this is not as definitive as stating the likelihood as a specific percentage based on historical data (such as "there is a 44.5% chance of a hurricane in Florida in the third week of September"), it is beneficial in the process of converting impact into quantitative terms because it directly affects the prioritization of notional scenarios. Similar to the result of using probability, susceptibility ratings alter the priority of a notional scenario and ensure that scenarios that may be more successfully executed are given more attention in cyber risk quantification.