
Debunking the Misconception That CRQ Requires a Lot of Data Collection

June 19, 2023


Cyber risk quantification (CRQ) can be an invaluable tool. The ability to put a number to cyber risk aids in communicating with board members, planning strategic investments, calculating the return on investment of cybersecurity spending, and right-sizing cybersecurity insurance coverage.

However, many organizations avoid taking advantage of cyber risk quantification (CRQ) because of some common misconceptions. One of the most widespread is that you need to provide a lot of data to get accurate results from a CRQ model. Read on to find out why this is not the case.

Where Does This Common Misconception About CRQ Come From? 

The misconception about data collection partly stems from companies' experience with cyber risk quantification approaches at large consulting firms. The approach to CRQ taken by consulting firms typically requires an organization to supply a lot of internal data, on which the risk quantification is then calculated.

For a company without the resources, ability, or desire to collect large volumes of data, CRQ seems off-putting. The other side of the story is that every organization faces a unique cyber risk landscape. The malicious hackers and threats that endanger a company depend on industry, location, size, cybersecurity maturity, and a range of other factors.

When organizations believe that their unique risks can't be captured and accurately quantified in a model without extensive internal data collection, they are hesitant to commit to CRQ. Many CISOs feel that they simply lack sufficient, high-quality historical cyber data to quantify their risks accurately.


The Reality: Risk Depends on Similarities

While it's important not to overlook the uniqueness of organizations, the reality is that companies also tend to share many similar characteristics and risks. These similarities make it feasible to infer a lot about an organization’s cybersecurity risk exposure.

For example, certain threat actors are known to target a particular industry or geographic region. Organizations in that industry or region are more at risk from these groups than those outside it. This is useful information for calculating cyber risk.

Similarly, regulatory responsibilities affect cyber risks and the cost of cyberattacks. Data breaches in healthcare and the financial industry are more damaging and expensive than those in some other industries. The potential cost of a data breach, based on the regulations you must comply with, is a useful figure for quantifying your cyber risks without any internal data collection on your part.


How Kovrr Provides Personalized Meaningful Results with Minimal Input

Kovrr uses an array of datasets to move from a large-scale view of an organization’s cyber risk to targeting the analysis to your particular company. 

Initial Grouping

Kovrr’s methodology uses three factors to group organizations:

  • Location: Grouping companies based on countries worldwide and by states in the U.S.
  • Industry: Standard Industrial Classification (SIC) codes group organizations, with the option of more granular classification.
  • Entity Size: Revenue bands determine the size of companies and group similarly-sized organizations together. 

This initial grouping provides a lot of useful information for a baseline estimate of the company’s cyber risk exposure. Further data then gets used to refine the results to specific company risks.

Insurance Claims Data

To further refine this high-level picture of an organization’s primary cyber risks, Kovrr partners with insurance providers and analyzes claim data. Kovrr extracts trends from insurance claim data to identify the primary threats that an organization faces and the likely cost of remediating these incidents.

For example, in the highly-regulated financial industry, data breaches are a major risk. Past insurance claims by financial institutions can provide insight into the likelihood and total cost of a data breach. Based on an organization’s profile — size, location, etc. — it’s possible to gain an even clearer picture of cyber risk exposure and to quantify the cost of that risk.

Personalized Security Analysis

Two companies may look very similar on paper if they are in the same industry, are the same size, and share a location. However, their cyber risk may vary dramatically based on the details of their IT infrastructure and the maturity of their cybersecurity programs.

Quantifying these types of cyber risks is usually what demands large amounts of data and work from an organization, and it is this kind of data collection that makes CRQ seem like a gargantuan task. Kovrr automates this process in the following ways:

  • Vulnerability Scanning: An external vulnerability scan of an organization's internet-facing IT systems provides insight into the most likely vectors for a cyberattack and the company's overall level of cybersecurity risk management. Because it is external, it reflects the exposed attack surface rather than internal controls, which is why the integrations below complement it.
  • Security Solution Integrations: Kovrr offers integrations with common SIEM and EDR solutions along with the ability to ingest and analyze exported log data. This data provides valuable insight into an organization’s internal security and the cyber threats it faces.
  • Cyber-Sphere: Cyber-Sphere helps companies to map the structure of their IT networks. Understanding corporate IT architecture enables Kovrr to better identify the cyber risks specific to a particular department, division, or site.

All of this data, which requires minimal effort from you to collect, clarifies the state of your IT architecture and existing cyber defenses. Based on this knowledge, Kovrr personalizes CRQ data to your specific company without extensive data collection efforts. 


Threat Intelligence Data

Based on the previous datasets, Kovrr paints an in-depth picture of a specific organization and its cyber defenses. Kovrr then combines this information with threat intelligence data to identify and quantify an organization’s leading cyber risks.

Threat intelligence data may point to a surge in ransomware attacks targeting organizations in the manufacturing industry. If Kovrr has identified that an organization is a likely target of these attacks, it can use insight into the company’s IT and security infrastructure to determine the attack’s probability of success and likely impact.

This combination of likelihood and impact is used to calculate a risk value for particular threats. By continuously tracking threat intelligence data and updating its risk models, Kovrr offers CRQ that tracks the evolution of the cyber threat landscape.
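To make the likelihood-times-impact step concrete, here is an added, hypothetical Python example. It is not Kovrr's model or code: the profile keys, baseline priors, posture multipliers and every dollar figure are invented for illustration. It keys a baseline incident frequency and cost distribution to the grouping factors described earlier (industry and revenue band), adjusts the frequency for posture signals from the personalized security analysis (an EDR integration, critical findings on the external scan), and runs a Monte Carlo simulation to turn the result into an annualized loss expectation and tail percentiles, the kind of figures the board, budgeting and insurance conversations in the opening paragraph call for.

```python
"""Illustrative CRQ calculation: likelihood x impact as an annual loss distribution.

Hypothetical example, not Kovrr's model. Baseline priors are keyed by the
grouping factors the post describes (industry, revenue band), then adjusted by
posture signals the post mentions (EDR integration, external scan findings).
Every number below is invented for illustration.
"""
import math
import random

# Hypothetical baseline priors per (industry, revenue band): expected incident
# frequency per year (Poisson rate) and incident cost (lognormal median, sigma).
BASELINE = {
    ("financial", "100M-500M"):     {"freq": 0.35, "median_cost": 1_200_000, "sigma": 1.1},
    ("manufacturing", "100M-500M"): {"freq": 0.25, "median_cost":   600_000, "sigma": 1.0},
}

# Hypothetical frequency multipliers from the personalized security analysis:
# a deployed EDR lowers expected incidents, exposed critical vulnerabilities on
# the external scan raise them. Unknown signals are ignored (multiplier 1.0).
POSTURE_FREQ_MULT = {
    "edr_deployed": 0.7,
    "external_critical_vulns": 1.5,
}


def sample_poisson(rng, lam):
    """Knuth's algorithm: number of incidents in one simulated year at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(industry, revenue_band, posture=(), years=20_000, seed=1):
    """Monte Carlo over `years` simulated years; returns the ALE and loss percentiles."""
    base = BASELINE[(industry, revenue_band)]
    lam = base["freq"]
    for signal in posture:
        lam *= POSTURE_FREQ_MULT.get(signal, 1.0)
    mu = math.log(base["median_cost"])  # lognormal median = exp(mu)
    rng = random.Random(seed)           # fixed seed so results are reproducible
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, lam)    # likelihood: how many incidents this year
        # impact: each incident draws its own cost from the severity distribution
        losses.append(sum(rng.lognormvariate(mu, base["sigma"]) for _ in range(n)))
    losses.sort()

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "annual_rate": lam,
        "ale": sum(losses) / len(losses),  # annualized loss expectation
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
    }


def control_roi(before, after, annual_control_cost):
    """Return on a control: (expected loss avoided - control cost) / control cost."""
    avoided = before["ale"] - after["ale"]
    return (avoided - annual_control_cost) / annual_control_cost


if __name__ == "__main__":
    profile = ("financial", "100M-500M")
    no_edr = simulate_annual_loss(*profile, posture=("external_critical_vulns",))
    with_edr = simulate_annual_loss(*profile, posture=("external_critical_vulns", "edr_deployed"))
    for label, r in (("without EDR", no_edr), ("with EDR", with_edr)):
        print(f"{label:12s} rate={r['annual_rate']:.3f}/yr ALE=${r['ale']:,.0f} "
              f"p50=${r['p50']:,.0f} p95=${r['p95']:,.0f} p99=${r['p99']:,.0f}")
    print(f"ROI of EDR at $150k/yr: {control_roi(no_edr, with_edr, 150_000):.2f}")
```

Two things the output makes visible that the prose does not. First, the median annual loss is zero even when the ALE runs to hundreds of thousands of dollars, because in most simulated years no incident occurs; a single expected-loss number hides that the risk lives in the tail, which is why the 95th and 99th percentiles are the figures to bring to an insurance-coverage discussion. Second, a control changes the answer through the frequency term, so the same simulation priced with and without the control yields the return-on-investment figure the opening paragraph mentions.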

User-Provided Insights

Some organizations face cyber risks that are difficult for an external party to identify or quantify. Downtime, for example, carries major costs for a cloud service provider, but the true cost of an hour of downtime cannot be determined without deep knowledge of the company's internal operations.

Kovrr enables users to input these additional unique risks and costs via a web-based dashboard. This option enables you to further personalize CRQ while still minimizing data collection efforts or resource burdens.

CRQ Can Be Meaningful and Easy

CRQ doesn’t need to be a long, painful process to produce meaningful results. Kovrr uses a variety of techniques to do the heavy lifting for your organization, enabling you to quickly and easily reach a meaningful estimate of your specific cyber risk.

To see how Kovrr works for yourself, sign up for a free demo today.

Amir Kessler

Director of Product Management
