
DICYME Cyber Risk Calculator

Cyber Risk Quantification

Cyber Risk Quantification (CRQ) is the process of assessing and calculating the potential financial impact of cyber threats on an organization. It translates cybersecurity risk into business-relevant terms, so that an organization can understand the monetary value of its risk exposure and use that figure to align its security strategy with its business objectives.

DICYME stands for Dynamic Industrial Cyberrisk Modeling based on Evidence. It is an R&D project aimed at developing software that dynamically measures or estimates the probability and impact of potential incidents, using evidence drawn from a variety of data sources. These measurements feed a cyber risk model whose results are presented in a clear, up-to-date, and comprehensive visualization that supports informed decision-making. As part of DICYME, several indicators have been designed and developed that use data from inside and outside the organization to produce high-quality signals of cyber risk.

FAIR Framework

The FAIR model (Factor Analysis of Information Risk) is a quantitative risk analysis framework for assessing and quantifying cyber risk in monetary terms. By analyzing specifically scoped risk scenarios, FAIR estimates potential loss exposure, showing an organization where it is most exposed to cyberattacks. Standardized by The Open Group as Open FAIR, it helps organizations make informed decisions about risk management and mitigation strategies.

The FAIR methodology quantifies cybersecurity risk by decomposing it into individual factors that are estimated as probability distributions rather than single point values. It assesses risk through carefully scoped scenarios, evaluating how often loss events will probably occur (Loss Event Frequency) and how much each will probably cost (Loss Magnitude). Combining these two components yields a quantitative understanding of risk in monetary terms and supports data-driven security decisions. Each of the two top-level components is itself split into two factors:

  • Loss Event Frequency (LEF): The probable frequency, within a given timeframe, with which a threat agent will inflict harm upon an asset.

    • Threat Event Frequency (TEF): The probable frequency, within a given timeframe, with which a threat agent will act against an asset (attempts, whether or not they succeed).

    • Vulnerability: The probability that a threat event will become a loss event; also known as "Susceptibility". LEF is the product of TEF and Vulnerability.

  • Loss Magnitude (LM): The probable magnitude of loss resulting from a loss event.

    • Primary Loss: Primary losses are incurred as a direct result of the loss event itself, or from the primary stakeholder’s reactions to the event.

    • Secondary Loss: Secondary losses are incurred when secondary stakeholders (outside parties) react to the loss event, causing further loss to the primary stakeholder.


DICYME Approach

The DICYME team will propose a robust, easy-to-understand framework for quantifying cyber risk in financial terms. This framework will integrate the data and indicators developed in the project, combining dynamically collected data with expert estimates for the information that is not publicly available.

The DICYME framework uses elements of the FAIR taxonomy, adapted to estimate the cyber risk an organization faces over a year, and runs a Monte Carlo simulation to calculate the annual expected loss rather than a single point estimate. Its loss event frequency module draws on the attractiveness index, the threat actor index, and the mapping between vulnerabilities and MITRE ATT&CK techniques. Its loss magnitude module models the cascading relationships between primary and secondary losses.
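The FAIR decomposition listed above (TEF × Vulnerability for frequency, primary plus conditional secondary loss for magnitude) carried through as a Monte Carlo simulation of annual loss. This is an added illustration written for this page, not DICYME's calculator or its code: the beta-PERT and Poisson sampling choices, the Range/Scenario types, and the ransomware figures are assumptions made here, and DICYME's attractiveness index, threat actor index, and vulnerability-to-ATT&CK mapping are not modelled.

```python
"""Monte Carlo estimate of annualised loss exposure from FAIR factors.

Added example, not DICYME project code. All input ranges are constructed
for illustration; a real analysis would source them from evidence.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate as minimum / most likely / maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"bad range {self}")


def pert(rng: random.Random, r: Range, lam: float = 4.0) -> float:
    """Draw from a beta-PERT distribution on [low, high] peaked at mode."""
    if r.high <= r.low:
        return r.low
    span = r.high - r.low
    a = 1.0 + lam * (r.mode - r.low) / span
    b = 1.0 + lam * (r.high - r.mode) / span
    return r.low + rng.betavariate(a, b) * span


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small rates used here."""
    if lam <= 0.0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def draws(r: Range, n: int, seed: int = 0) -> list:
    """Sample a Range on its own, to sanity-check a calibrated estimate."""
    rng = random.Random(seed)
    return [pert(rng, r) for _ in range(n)]


@dataclass(frozen=True)
class Scenario:
    """One scoped FAIR scenario (threat agent, asset, effect)."""
    tef: Range             # threat event frequency, attempts per year
    vulnerability: Range   # P(attempt becomes a loss event), 0..1
    primary_loss: Range    # money per loss event
    secondary_prob: Range  # P(secondary stakeholders react), 0..1
    secondary_loss: Range  # extra money per loss event when they do


def simulate_year(rng: random.Random, s: Scenario) -> float:
    """LEF = TEF x Vulnerability; LM = primary + (conditional) secondary."""
    attempts = poisson(rng, pert(rng, s.tef))
    p_loss = pert(rng, s.vulnerability)
    total = 0.0
    for _ in range(attempts):
        if rng.random() >= p_loss:
            continue  # threat event that did not become a loss event
        total += pert(rng, s.primary_loss)
        if rng.random() < pert(rng, s.secondary_prob):
            total += pert(rng, s.secondary_loss)
    return total


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    return sorted_values[max(0, math.ceil(p * len(sorted_values)) - 1)]


def simulate(s: Scenario, years: int = 10_000, seed: int = 0) -> dict:
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, s) for _ in range(years))
    return {
        "ale": sum(losses) / years,  # annualised loss expectancy (mean)
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": losses[-1],
        "losses": losses,
    }


def exceedance(losses: list, threshold: float) -> float:
    """Probability that annual loss exceeds threshold (one point of the LEC)."""
    return sum(1 for v in losses if v > threshold) / len(losses)


# Constructed illustrative scenario: ransomware against an OT historian.
RANSOMWARE = Scenario(
    tef=Range(2, 6, 15),
    vulnerability=Range(0.05, 0.15, 0.35),
    primary_loss=Range(50_000, 250_000, 1_500_000),
    secondary_prob=Range(0.2, 0.4, 0.7),
    secondary_loss=Range(100_000, 600_000, 4_000_000),
)

if __name__ == "__main__":
    r = simulate(RANSOMWARE, seed=42)
    for k in ("ale", "p50", "p90", "p95", "max"):
        print(f"{k:>4}: {r[k]:>14,.0f}")
    print(f"P(annual loss > 1M): {exceedance(r['losses'], 1_000_000):.3f}")
```

The mean ("ale") is the single number most reports ask for, but the percentiles and the exceedance probability are what show why a Monte Carlo run is preferable to multiplying point estimates: heavy secondary-loss tails move the 95th percentile far above the mean, and the same seed reproduces the same figures, which matters when a result has to be defended in front of a budget committee.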
