Why use the FAIR Model to quantify Cyber Risk for 3rd parties?

Historically, questionnaires and or risk scoring have been the traditional tools used to evaluate the risk a 3rd party poses to an organisation. The Findings from questionnaires and risk scoring are often incredibly technical and complicated and are generally presented in heatmap style – red, orange, yellow, green – accompanied by a score and or letter grade, which aren’t very useful in quantifying Risk to the business.

To understand what the FAIR Model has to offer, let us first look at what we need to articulate to the Board or C-Level. In simplistic terms let’s begin by considering what Risk a 3rd Party could pose to an organisation if they were to share 2,000 data records with them. The Board or C-Level wants to know in financial terms what the cost to business will be if the 3rd Party is breached and these 2,000 data records are lost.

Let’s assume that a 3rd Party has been classified as Critical by the organisation’s vendor classification programme since the organisation’s data is being shared with the 3rd Party and that the organisation sharing the data is a Services Company based in the United Kingdom.

Using the traditional method of cyber risk assessment, if one was to ask the third party to complete a questionnaire and a technical evaluation was to be performed, then the overall results could be presented using a heatmap. Let’s assume that the results are yellow, with a C letter grade and a score of 74%, which meets with an organisation’s traditionally defined Risk Appetite. While not negating the usefulness of this information, how does this enable us to articulate what Risk this 3rd Party represents to the organisation and explain this to the Board or C-Level? Furthermore, how would the organisation mitigate against this Risk by say taking out Insurance?

The IBM Security Cost of a Data Breach 2019 report (conducted by the Ponemon Institute) advises that the historical “cost per lost record” for an organisation in the Services Industry in the United Kingdom is £120 ($155).

If an organisation were to share 2,000 data records with the 3rd Party and all 2,000 were lost in a breach, then the total cost to the organisation using the above report data would be £240,000. In the FAIR Model this total cost of £240,000 is defined as the Loss Magnitude (LM). An organisation could mitigate the Risk by purchasing an insurance premium to cover the Risk of £240,000.  However, the cost of Insurance would quickly mount up as the number of 3rd Parties increases, and this option would quickly become uneconomical.

The key factor missing from the above cost analysis, which would surely be asked by any savvy Board Member or C-Level Exec, is: “How likely is a breach event going to be?”  Or phrased slightly differently: “How many times over the next year is the loss event likely to occur?” In the FAIR Model this is defined as the Loss Event Frequency (LEF). Assuming a LEF of 0.101 has been calculated (a breach occurring once every 9.9 years) then the total Risk (Annualised) is now LM x LEF = £240,000 x 0.101 = £24,240. We now have a meaningful measure of Risk we can present to the Board and C-level. In addition, we can reduce the Risk by requesting that the 3rd Party make certain technical improvement while at the same time Insuring against the eventuality or Residual Risk.

Putting the above to practical use: if an organisation had to evaluate 5 Vendors for a Project that involved the sharing of 2,000 data records, in addition to considering the price each vendors offers for the project, the cost to insure against the Cyber Risk each Vendor imposes could be added to each of the contract prices. Insurers usually use a percentage of the Risk to calculate the premium. In the above case if the Insurance Underwriter were to charge 10% of the Risk this would mean an annual policy cost of £2,424 for this particular 3rd Party, which could be added to his bid price for evaluation. This example clearly demonstrates the usefulness of FAIR to quantify 3rd Party Cyber Risk.

While I glossed over the calculation of the Loss Event Frequency above, there are automated tools that are able to perform a FAIR Model evaluation and calculate for 3rd Party Risk. For the sake of simplicity and introduction to the FAIR Model I chose not to go into detail on the calculation of LEF. I have left the detail for future blog articles.

For more information on Using the FAIR Model to quantify 3rd Party Cyber Risk contact the Elasticito team.