Cybersecurity: Study Says Risk Assessment Strategies Lack Sophistication
July 28, 2025
A recent study commissioned by cybersecurity and compliance solutions provider Qualys found that the strategies most companies use to identify and prioritize cybersecurity risks lack sophistication. This excerpt explains:
The most common approaches used by organizations to measure cybersecurity risks are qualitative risk assessments (58%) and risk scoring tools (54%). But 53% said they use expert judgment, indicating that many organizations still pin a lot of their assessment work on ‘gut instinct’ to determine risk levels. Far fewer are using quantitative risk models, which was only named by 32% of organizations.
While there is growth in the effort to use asset value to determine risk priorities, fewer than a third of organizations (30%) employ a defined cyber-risk quantification strategy when scoring risks. Among those, the most common methods employed are threat assessment and remediation analysis, probabilistic risk assessment, and threat modeling. Other methodologies like loss distribution, crown jewel analysis, value at risk analysis, and FAIR assessments are still relatively rare.
The study suggests that this lack of sophistication in tying business risk and business value to cybersecurity may reflect the siloing of cybersecurity teams. For instance, while 82% of companies surveyed said the IT security team is involved in cyber risk assessment, only 56% said the CISO is involved. That drops even further when you move beyond the usual suspects – only 43% of companies say that business stakeholders are involved in the process and just 22% report that their finance teams are involved.