I’m (finally) moving our organization towards more decision-based risk analysis rather than just “it’s risk! omg!” Starting with software reviews in the acquisition process.

What are folks using for quantitative modeling? I’m thinking simple models that take into account organizational track record (aka number of x incidents in y timespan), industry track record (average of z incidents) and some kind of weighting factor.

I have a few options. I can hire a contractor to build some excel models for us. I can spend some money on a software tool, with some work if it’s more than $1k. Or I can invest in books / pluralsight / etc to teach myself quantitative analysis, which will take longer to get done.

What’re you folks using for this kind of stuff?
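As an added example (not from the thread or any product named in it), here is a small Python model of the kind the post sketches: the organization's own incident rate (x incidents in y years) is blended with an industry base rate under a weighting factor, and the result is turned into an annual loss distribution. The credibility rule years/(years + k), its k=5 default, the loss range and every incident count are constructed assumptions.

```python
"""Added example: blend the organization's own incident rate with an industry
base rate via a weighting factor, then turn it into an annual loss distribution.
Every rate, weight and dollar figure here is constructed for illustration."""
import math
import random
from dataclasses import dataclass

@dataclass
class TrackRecord:
    incidents: int   # x incidents observed ...
    years: float     # ... over y years of history

def credibility_weight(record: TrackRecord, k_years: float = 5.0) -> float:
    """Assumed rule: years / (years + k). Short history -> small weight, so the
    industry base rate dominates until enough own data accumulates."""
    if record.years <= 0:
        raise ValueError("track record must span a positive number of years")
    return record.years / (record.years + k_years)

def blended_rate(record: TrackRecord, industry_rate: float, weight: float) -> float:
    """Expected incidents per year: weight * own rate + (1 - weight) * industry rate."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    return weight * (record.incidents / record.years) + (1.0 - weight) * industry_rate

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(rate: float, loss_low: float, loss_high: float,
                         trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo: incidents/year ~ Poisson(rate); each incident costs a uniform
    draw in [loss_low, loss_high] (a lognormal is more common in practice).
    Returns the expected annual loss and the 95th-percentile (bad) year."""
    rng = random.Random(seed)
    yearly = sorted(sum(rng.uniform(loss_low, loss_high) for _ in range(poisson(rng, rate)))
                    for _ in range(trials))
    return {"expected": sum(yearly) / trials, "p95": yearly[int(0.95 * trials)]}

if __name__ == "__main__":
    rec = TrackRecord(incidents=2, years=4)                  # constructed: 2 incidents in 4 years
    w = credibility_weight(rec)                              # 4 / 9 = 0.444
    rate = blended_rate(rec, industry_rate=0.2, weight=w)    # 0.444*0.5 + 0.556*0.2 = 0.333
    print(f"weight={w:.3f} rate={rate:.3f}/yr", simulate_annual_loss(rate, 50_000, 250_000))
```

The "expected" figure is the annualized loss to compare against the cost of a control or a delayed update; the "p95" figure is what a bad year looks like, which is usually the number decision-makers actually care about.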

  • biptootOP
    11 hours ago

    Appreciate the reply. I do use RMFs, but I’m looking for specific analysis tools. For a given threat - data breach from a significant software update adding features - to model that risk quantitatively. I’ll continue looking, but hoping to hear from someone on what they’ve used. I’ll be sure to come back and share what I find as well.

    • catloaf@lemm.ee
      10 hours ago

      I’m not sure that those exact tools exist, or are in common use, outside of Excel or business tools like SAP. I don’t think you can meaningfully programmatically assign a number to a software update adding features, at least without a human doing the analysis and making a judgement call.

      Well, you could use some LLM to read the release notes and generate a number, but I doubt it would have any more value than the human doing it.

      More generally, analyses like “if we update and shit breaks we lose $x per day” aren’t, to my knowledge and in my experience, tracked in any formal software system, just stuff like Excel and SAP.

      • biptootOP
        4 hours ago

        And I do keep bumping into Excel models for sale, or Excel add-ins. There’s quite a few quants that’ll do custom models for your scenarios for my price range, too - lookin’ at you, cyberriskmodels.com and your $1200 Custom Models & Dashboards.

        I’m more interested in the models and their uses than in buying new software. I have fixed scenarios where decisions need to be made, and just a little guidance on ‘use this kind of model (or template Excel sheet) for evaluating a new mobile app for a business unit, and this other kind for evaluating the risk of patching production workload servers outside of business hours during the busy season’ would be great.

        But yeah, the more I look the more I think it’s not COTS. It’s going to be buying hours with a quant and building models for our standard risk assessments. Which is fine, just good to know I s’pose.