In this article:
This topic describes the process of creating formulas and estimating values to quantify impact.
- Project Lead (or Facilitator, as appropriate)
- Core Workshop Participants
- Subject Matter Experts
These activities are performed during the initial Cyber Risk Quantification workshop(s) or between workshops on an ongoing basis.
Quantifying impacts is where specific impacts in financial terms are estimated and calculated. Formulas with estimated values are created or modified to measure impacts that could result from the event. The result is a quantified scenario when all assumptions and estimates have been added to the applicable impacts.
Impacts are grouped into four Quadrants, which are closely aligned to coverages by different types of insurance policies:
| Quadrant | First-party | Third-party |
|---|---|---|
| Financial | Expenses and losses the organization incurs directly from an event. (Coverage: Cyber, Kidnap and Ransom, Crime) | Financial impact from an event that a third party suffers and seeks to recover from the organization, the organization’s associated costs meeting those third-party demands, and costs incurred by third parties in pursuing a successful demand. (Coverage: Cyber Liability, Directors and Officers, Errors and Omissions, Fiduciary Liability) |
| Tangible | Property damage experienced by the organization and/or bodily injury to the organization’s employees from an event. (Coverage: Property, Casualty, Terrorism) | Property damage and bodily injuries to others resulting from the event for which the organization is liable. (Coverage: Casualty, Umbrella, Products Liability, Public Liability) |
The impacts in the Axio Quadrants are listed and defined in the Quadrant Help Texts Reference.
Impacts from the Axio Quadrants are also grouped on the Axio360 Platform by Impact Classes. Selecting or deselecting Impact Classes as desired will change the impacts presented for quantification. This makes it possible to limit the impacts shown to those the scenario might involve.
Review Impact Classes for each scenario to be quantified and select or deselect those as desired.
All Impact Classes are selected by default. Keeping all Impact Classes available for the initial quantification pass is recommended. As participants work through the impacts, Impact Classes that are not relevant can be deselected. In this manner, consideration can be given to all impacts before deciding which to remove.
Hiding an Impact Class does not remove any expenses quantified in that Impact Class. They will still affect results.
Quantify the scenario’s impacts by creating or modifying Formulas and assigning Estimated Values.
Working through the impacts presented, quantify the impact of the scenario by
- assigning a range of financial values, including minimum, maximum, and expected value
- using or modifying the Axio360 suggested default formula and adding Estimated Values
- creating a custom formula and adding Estimated Values
See Estimated Values and Formulas below for more guidance.
Assigning values to the variables in a quantification formula is how an organization quantifies the impact of a scenario in a way that reflects its unique operating conditions and constraints. In the Axio CRQ Method, these values are called Estimated Values.
It is unlikely that workshop participants will have precise values for potential impacts, especially if those impacts have never occurred. One way the Axio CRQ Method accounts for this is to allow organizations to express an Estimated Value as a range. An Estimated Value range contains three values: a Minimum Value, a Maximum Value, and an Expected Value falling within that range.
The Expected Value is the value participants believe to be the most representative Estimated Value. This range should be estimated within 90% confidence, meaning the true value falls within this range 90% of the time. (Note that the Expected Value is not necessarily the median of the range or an average of the Minimum and Maximum Values.)
When participants face values that are difficult to estimate, making the range wider is usually the answer. For example,
- A scenario needs an estimate for the “outsourced legal advice” impact; the participants are very uncertain. One way to estimate this is to ask what is the smallest amount of time (minimum value) and the maximum amount of time (maximum value) that would be billed in a legal consultation. Further refinement of the range may require the input of a subject matter expert.
- The legal department’s representative knows that the largest amount of time billed previously was 50 hours and that they have never seen a bill under 4 hours. This may be a good starting point for estimated values to use as the minimum (4 hours) and maximum (50 hours). After a discussion about the large bill, there is consensus that if this scenario occurred, the maximum time could be exceeded by as much as 20 hours. However, participants have high confidence that the most likely value is around the 40-hour mark. Using these values, the legal consultation time would be expressed as a distributed range of 4 to 70 hours, with an expected value of 40 hours.
The width of the range (4 hours to 70 hours) above is a measurement of how uncertain the participants are about the value. It might be useful to follow up with additional subject matter experts to gather data that can reduce the width of the range and make the estimate more precise. In general, it is better to capture the genuine uncertainty to 90% confidence than to attempt a higher level of precision. There are many techniques to calibrate specific estimations and the estimators themselves.
While impacts can be estimated directly using a 90% confidence range, basic math formulas can also be used to calculate the financial cost of impacts. Formulas contain variables that break down an impact into more easily estimated or measured components. Using Formulas to decompose an impact can be an effective way to reduce uncertainty in estimation.
Because the variables in a Formula are more specific, assigning Estimated Values may be easier and more precise. For example, the “cost of forensics” impact can be calculated by creating a formula that multiplies the number of forensic resources hired to help, the amount of the time they work, and their hourly rate, as follows:
Number of Forensic Staff * Number of Hours Worked * Hourly Rate = Forensic Expense
While this method allows for more precision, it is possible that a specific variable is not easily assigned an Estimated Value. For example, there may be no experience on which to define an Estimated Value for the “number of forensic staff” variable. In this case, the Estimated Value in a variable can also be expressed as a range if necessary. Using ranges in a variable also captures the level of uncertainty in the estimate and allows the Axio360 Platform’s statistical engine to simulate a range of results for a quantified risk. As with using all ranges in the Axio Method, the goal is to create a range where the experts are 90% certain that the actual value will fall between the minimum and maximum.
When using Formulas to quantify different impacts, it is beneficial to use Estimated Values consistently. Common Estimated Values that are used to quantify multiple impacts simplify the process and ensure method integrity. For example, in a data breach scenario, the “number of identities or records breached” might be used multiple times to calculate notification costs, legal settlement expenses, and call center time. Similarly, the “number of impacted servers and endpoints” can drive forensics, incident response, and restoration times. If the Expected Values used to quantify these impacts are not consistent, the ability to compare quantification results across multiple scenarios that share the same Expected Values will be impaired.
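The following is an added example, not Axio's own code or a description of the Axio360 statistical engine: it models the legal consultation range above (4 to 70 hours, expected 40), the forensic expense formula, and two impacts that share the “records breached” variable, then simulates a range of results. The triangular distribution, the hourly rates and per-record costs are constructed assumptions.

```python
import random

# Added example, not Axio's code. Assumptions: a triangular distribution with
# its mode at the Expected Value, and the constructed ranges and rates below.

class EstimatedValue:
    """Estimated Value range: Minimum, Expected and Maximum Value."""
    def __init__(self, minimum, expected, maximum):
        if not minimum <= expected <= maximum:
            raise ValueError("Expected Value must lie between Minimum and Maximum")
        self.minimum, self.expected, self.maximum = minimum, expected, maximum

    def sample(self, rng):
        if self.minimum == self.maximum:   # point estimate, no uncertainty
            return self.minimum
        return rng.triangular(self.minimum, self.maximum, self.expected)

# Shared variables are drawn once per run, so impacts that depend on the
# same quantity (e.g. records breached) move together, as the text advises.
VARIABLES = {
    "legal_hours": EstimatedValue(4, 40, 70),            # range from the text
    "legal_rate": EstimatedValue(300, 400, 550),          # constructed $/hour
    "forensic_staff": EstimatedValue(2, 3, 6),
    "forensic_hours": EstimatedValue(80, 160, 400),
    "forensic_rate": EstimatedValue(250, 325, 450),
    "records_breached": EstimatedValue(50_000, 120_000, 400_000),
}

FORMULAS = {
    "legal_advice": lambda v: v["legal_hours"] * v["legal_rate"],
    "forensic_expense": lambda v: v["forensic_staff"] * v["forensic_hours"] * v["forensic_rate"],
    "notification": lambda v: v["records_breached"] * 2.50,        # constructed $/record
    "call_center": lambda v: v["records_breached"] * 0.10 * 6.00,  # 10% call in, $6/call
}

def simulate(formulas, variables, runs=10_000, seed=7):
    """Return per-impact sample lists plus a per-run total."""
    rng = random.Random(seed)
    results = {name: [] for name in formulas}
    for _ in range(runs):
        draw = {k: ev.sample(rng) for k, ev in variables.items()}
        for name, formula in formulas.items():
            results[name].append(formula(draw))
    results["total"] = [sum(run) for run in zip(*(results[n] for n in formulas))]
    return results

def percentile(samples, p):
    """Empirical percentile, e.g. p=0.05 and p=0.95 for a 90% band."""
    s = sorted(samples)
    return s[min(len(s) - 1, int(p * len(s)))]
```

Calling `simulate(FORMULAS, VARIABLES)` and reporting `percentile(samples, 0.05)`, `0.50` and `0.95` for each impact gives the simulated range a workshop would compare across scenarios.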