'Inside Security' with Prashanthi Koutha (Senior Risk Engineer, Netflix)
In previous editions of 'Inside Security', we've discussed the severity and range of threats companies have faced and explored how various security functions help mitigate these dangers. Ultimately, it's the responsibility of security teams to proactively protect critical assets –– not only for compliance purposes but also to ensure smooth business operations.
However, we often see 'threat' and 'risk' being used interchangeably, though they represent distinct concepts. A threat is a potential malicious action that can harm a company's assets, whereas risk refers to the probability or likelihood of such an event occurring.
Today, we'll explore the crucial role of risk management within the broader context of threat mitigation.
Risks can emerge from numerous sources, including third-party vendors, malware, or inadequate security practices. Traditional methods have consistently fallen short, highlighting the need for more structured, data-driven approaches to comprehensively understand and manage cybersecurity risks.
One way to understand risk and its severity, beyond simply assigning high-medium-low scores, is to evaluate and assign the actual financial impact of the risk. And that is precisely the topic of today's discussion.
In our conversation with Prashanthi Koutha, we'll explore how teams operating at Netflix-scale are redefining and shaping Cyber Risk Quantification (CRQ), a relatively new discipline focused on measuring the financial impact of cyber risks within organizations.
What is Cyber Risk Quantification (CRQ)?
Cyber Risk Quantification involves translating security risks into measurable financial terms, enabling organizations to make informed decisions based on data rather than pure intuition. In simpler terms, CRQ is the process of using data and analytical methods to measure the potential financial impact of cyber threats on a company.
"Unlike traditional methods, which use ordinal scales or color-coded indicators (eg: red-yellow-green), CRQ employs quantitative frameworks and statistical modeling to assess the likelihood and potential financial impact of cyber incidents."
This is good because it moves beyond vague, subjective indicators by using concrete, measurable data, enabling clearer communication of cyber risks to leadership. By quantifying both likelihood and financial impact, CRQ allows organizations to prioritize risks more effectively and make informed, cost-based decisions about cybersecurity investments.
A Brief History of CRQ
Risk quantification has its roots primarily in the finance, healthcare and insurance industries, where the assessment of risks in monetary terms is standard practice.
"Historically, the tech sector lagged in adopting similar quantitative methodologies. Seven years ago, risk quantification within tech companies was virtually unheard of. You’d only hear about it in finance or insurance, not technology. However, growing cyber threats, increased regulatory oversight, and the necessity for structured cybersecurity approaches have driven the adoption of CRQ within the technology sector. Notably, frameworks such as FAIR (Factor Analysis of Information Risk) have emerged to meet these unique challenges."
Cyber risk quantification has come a long way since its early days of qualitative assessments. Early CRQ implementations ran on custom-built risk quantification models and spreadsheets. Given the complexity, scale and expansiveness of both the threats and the tech infrastructure within modern software businesses, these legacy quantification and analysis approaches no longer provide sufficiently thorough assessment insights.
Companies operating in highly regulated industries have pioneered growth for CRQ. With sensitive data and high regulatory guidelines to adhere to, these sectors were quick to comprehensively develop and build on cyber risk quantification assessments.
For instance, modern banks leverage sophisticated models to evaluate the preparedness of their security practice. These models are trained and developed on historical cyber incident data, threat intelligence, and advanced analytics, enabling security teams to quantify their exposure to threats. They thoroughly assess the probability and potential impact of various attack scenarios, and facilitate timely and better decision-making along with resource allocation.
How Does CRQ Work?
There are two approaches to CRQ that organizations follow:
a) Top Down: This approach utilizes scenarios and high level assumptions to estimate risk in monetary terms. This calculation is usually performed at the enterprise level.
b) Bottom Up: This approach is attempted by customers who are at the more sophisticated end of the cyber risk management spectrum and usually involves creating a DIY data lake to feed the risk model.
"Most organizations opt for the top-down approach. They typically start the cyber risk quantification process by sourcing and analyzing data from each side of the golden triangle. Once completed, a dollar value representing the scale of loss will start to emerge. Next, they will need to map the cost components of various events to understand the financial impact. Different cost components include but are not limited to notification costs, monitoring services, ransom amounts, and recovery efforts. For example, any security-related business interruption should also factor in PR costs to mitigate reputational damage. And for large-scale organizations like Netflix, this further extends to revenue losses from operational downtime and increased future content acquisition & distribution costs."
The CRQ process involves several structured steps and frameworks:
1. Scoping the Risk
This critical initial phase translates broad business concerns into specific, measurable risk scenarios. Prashanthi emphasizes, "If we get this wrong, the entire analysis can become irrelevant. It requires deep engagement with stakeholders to understand their concerns."
2. Data Gathering
This involves collecting extensive internal and external data on threats, vulnerabilities, and historical cyber incidents. AI and automation have greatly improved efficiency in this phase, significantly reducing time spent on extensive research.
3. Risk Analysis Using Frameworks
Analysts commonly use frameworks like FAIR, which provide structured methods to identify threats, vulnerabilities, and potential methods of exploitation by attackers.
"FAIR enables us to take complex technical factors and translate them into risk statements comprehensible to everyone, from engineers to executives. FAIR works by breaking down security risks into measurable components - like how often an attack might happen and how much it could cost. It guides teams on how to collect data, calculate risk in dollar terms, and understand complex situations. This helps organizations prioritize their biggest risks and clearly communicate them to leaders."
4. Quantifying Impact
Monte Carlo simulations and other statistical models, such as bowtie analysis, use computer simulations to estimate the probability or frequency of disruptions and what their impacts might be. The approach runs thousands of random scenarios to show the probability of a risk materializing, helping businesses measure risks and make better decisions grounded in objective data.
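The four steps above, carried through as an added example that is not code from the article or from Netflix: a minimal FAIR-style Monte Carlo that samples loss event frequency and the per-event cost components named earlier (notification, monitoring, ransom, recovery, PR, downtime revenue) from triangular distributions, then reports expected annual loss and loss exceedance percentiles. Every number in SCENARIO is a constructed placeholder, not real data.

```python
import math
import random
from statistics import mean, quantiles

# Constructed, hypothetical inputs (not Netflix data): FAIR-style loss event frequency
# (events/year) and per-event cost components, each as (min, most likely, max).
SCENARIO = {
    "events_per_year": (0.05, 0.2, 0.6),
    "cost_components_usd": {
        "notification": (20_000, 60_000, 150_000),
        "monitoring_services": (50_000, 120_000, 300_000),
        "ransom": (0, 250_000, 2_000_000),
        "recovery": (100_000, 400_000, 1_500_000),
        "pr_reputation": (50_000, 200_000, 800_000),
        "downtime_revenue": (200_000, 1_000_000, 5_000_000),
    },
}

def _triangular(rng, spec):
    low, mode, high = spec
    return rng.triangular(low, high, mode)  # stdlib argument order is (low, high, mode)

def _poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(scenario, runs=10_000, seed=7):
    """One simulated annualized loss (USD) per run; seeded for reproducibility."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        events = _poisson(rng, _triangular(rng, scenario["events_per_year"]))
        per_event = (sum(_triangular(rng, spec)
                         for spec in scenario["cost_components_usd"].values())
                     for _ in range(events))
        losses.append(sum(per_event))
    return losses

def summarize(losses):
    """Expected loss, loss exceedance percentiles and chance of any loss in a year."""
    pct = quantiles(losses, n=100)  # pct[i - 1] is the i-th percentile
    return {"expected_annual_loss": mean(losses), "p50": pct[49],
            "p90": pct[89], "p99": pct[98],
            "prob_loss_year": sum(x > 0 for x in losses) / len(losses)}
```

With these placeholder inputs most simulated years contain no loss event, so the median is zero while the mean and tail percentiles carry the decision-relevant information.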
Why is CRQ Essential?
One way to understand the importance of CRQ is to consider the potential cost of not implementing it. CRQ translates complex security risks, both tangible and intangible outcomes, into clear, measurable financial terms. And instead of simply relying on vague indicators (like red-yellow-green for severity), CRQ helps teams understand the exact potential impact of cyber incidents in terms of what truly matters – dollars! This clarity allows leaders to make informed decisions, prioritize security investments, and communicate risks effectively with stakeholders.
"It becomes significantly easier for a CISO or senior leadership to present security risks to the board, speaking in a shared language that fosters full board-level buy-in for implementing action plans. Once board members understand cybersecurity risk in familiar financial terms, they recognize its urgency. Suddenly, what once felt like an uphill battle to justify investment becomes much simpler."
Let's take a look at a few strategic advantages of CRQ:
- Common Language for Risk: By standardizing risk terminology, CRQ facilitates clear communication across departments and stakeholders
- Objective Decision-Making: Quantitative assessments replace subjective judgment, enabling precise resource allocation
- Regulatory Compliance: CRQ supports the disclosure of material cyber incidents, and of their associated business impact, that regulators require
Challenges in CRQ Implementation
Despite its seemingly straightforward value, like any practice, process or function within security, CRQ comes with a complex web of challenges organizations must navigate to derive meaningful insights. Among other nuanced skill sets, it primarily demands that teams have a forward-thinking mindset, leverage threat intelligence, and stay abreast of technological advancements AND regulatory developments. These seemingly simple capabilities, in practice, distinguish effective CRQ teams from the rest.
Let's look at the most common hurdles teams face:
- Analyst Learning Curve: Mastering complex frameworks like FAIR involves a steep learning curve. Analysts must understand security fundamentals, statistical modeling, and specific business contexts.
- Navigating Data: A major challenge in CRQ is the lack of complete data. Organizations struggle because they don't have enough information about all possible threats, especially new ones. Without full data, accurately measuring cyber risk is difficult, leaving teams trying hard to fill these gaps.
- Stakeholder Communication Gaps: Transitioning from qualitative scales to detailed quantitative data can be difficult. Prashanthi notes, "Executives often ask us to simplify results back into red, yellow, or green indicators. It’s a tough balance."
- Time-Consuming Processes: CRQ assessments, although valuable, require significant time. Stakeholders accustomed to rapid qualitative assessments may find this challenging. And any oversight or negligence can result in financial losses, reputational damage, and legal liabilities.
"Speed remains our biggest hurdle. CRQ is thorough but can’t be rushed; automation helps, but human judgment remains essential."
Measuring CRQ's Impact
Quantifying CRQ’s value involves tracking how well it helps an organization make smarter decisions about security. According to Prashanthi, these are some of the ways teams track the effectiveness of their programs:
- Reduced financial losses: Compare potential losses before and after using CRQ to see if the method helped lower risks.
- Better decision-making: Track if CRQ data has influenced decisions about where and how to invest in security.
- Improved risk prioritization: Check if CRQ has helped prioritize threats better, focusing resources on the most critical risks.
- Enhanced board communication: Evaluate if CRQ made it easier to communicate cyber risks clearly to executives and get buy-in.
- Response efficiency: Measure if CRQ insights have helped your team respond faster and more effectively to incidents.
- Compliance and reporting: See if CRQ has simplified reporting and helped maintain compliance with regulations.
"It's imperative for teams to map and track as many of these results as possible. We regularly survey stakeholders. Sometimes, even if full quantification isn't possible, the structured risk identification process alone proves immensely valuable."
AI In CRQ But Not (Yet) Without Human Supervision
We couldn't wrap up our conversation without discussing the future of CRQ and the critical role AI will play. AI holds significant promise, especially for data collection and simulations –– it speeds up external research, runs complex scenarios quickly, and keeps data up-to-date. It also enhances predictive analytics, helping organizations more accurately assess risks and prioritize actions. However, as Prashanthi emphasized, human judgment remains crucial, especially in defining the scope of risks and interpreting results.
"AI drastically reduces research time, but accurately identifying and understanding risks still demands human insight into business complexities. I'm bullish and excited about the partnership between humans and AI in CRQ. In the future, I can see a critical business function (read CRQ) leveraging AI to automate routine tasks, while allowing security professionals to focus on strategic decision-making. This blend of AI and human expertise will ultimately strengthen an organization's ability to manage and mitigate risks effectively."
Conclusion
By now it should be evident that cyber risk is multi-faceted, extending beyond technical vulnerabilities to human factors, regulatory landscapes, and third-party dependencies. Security teams must align with business leaders to make sure their risk assessments match company goals. This is the only way CRQ can fit better with the collective goals of an organization. Adopting a multi-faceted approach to risk assessment means considering these diverse elements in tandem.
"As cyber threats grow more complex and regulatory demands intensify, CRQ is transitioning from an optional strategy to a critical component of enterprise cybersecurity. Organizations are now recognizing CRQ’s value, driven by regulatory changes and the need for structured, data-driven decision-making. It is not just a tool –– it's becoming an essential element of enterprise risk strategy, enabling informed, effective, and strategic cybersecurity decisions."
. . .
We'd like to thank Prashanthi for her time and insights. You may connect with her via LinkedIn.