Introducing Black Kite’s New FAIR Model Scenarios – Ransomware and Business Interruption
Written by: Black Kite
The most effective way to communicate cyber risk to the rest of your organization? Probable financial impact — because money is the universal language of business risk.
That’s why Black Kite’s platform offers financial cyber risk ratings. A financial cyber risk rating puts a clear monetary amount on the cyber risk a third-party vendor poses to your organization — should they experience a security incident.
As of June 2023, Black Kite has added two new FAIR model scenarios (Ransomware and Business Interruption) to its cyber risk quantification. With the addition of these new scenarios, Black Kite assesses risk for nearly all third-party cyber risk use cases by providing a holistic assessment of the potential financial impact and likelihood of various cyber threats to an organization.
What is FAIR?
The Factor Analysis of Information Risk (FAIR) Institute is a non-profit organization dedicated to improving how businesses manage and measure cyber and operational risk. FAIR is the quantitative model for information security and operational risk that has been adopted as an open international standard, published by The Open Group as Open FAIR™.
The Open FAIR model gives security and third-party cyber risk management (TPRM) teams meaningful measurements to better understand, analyze, and quantify information risk in financial terms, unlike risk assessment frameworks built on qualitative color charts or numerical weighted scales.
How Does FAIR Determine Financial Risk?
Using the Open FAIR™ model, businesses can analyze and quantify the probable financial impact (risk) of a specific situation (scenario). A situation could be any of the various cybersecurity risks that organizations constantly face (ransomware, data breaches, supply chain interruptions, etc.).
To build a scenario, the Open FAIR™ model estimates two quantities: Loss Event Frequency (LEF), how often a loss event is expected to occur in a given period, and Loss Magnitude (LM), the probable loss each time one does. Financial risk is the product of the two. You can learn more about how the Open FAIR model calculates financial cyber risk by visiting the FAIR Institute website.
Why Black Kite Uses the Open FAIR™ Model
Common risk management frameworks can’t provide a complete view of your third-party risk landscape. For example: A technical cyber rating can help measure a third-party vendor’s cybersecurity posture, but a rating alone lacks context related to business impact. You can see your vendor’s cyber hygiene rating, but not how an attack on said vendor could financially affect your organization.
Organizations must be able to accurately measure the probable financial impact of an incident such as a third-party vendor breach — considering the average business uses 11 third-party vendors, and 98% use a third-party vendor who has suffered a breach.
Black Kite aims to provide a complete picture of third-party cyber risk through our technical cyber rating, compliance correlation, and cyber risk quantification (CRQ) solutions. In our CRQ solution, Black Kite translates third-party cyber risk into probable financial impact using the FAIR ontology. Our CRQ solution is where Black Kite leverages the Open FAIR™ model to ensure you get the most accurate probable financial impact based on which cyber incident scenario you want to prepare for (or, if you want to prepare for all three). [Note: each cyber incident scenario has a mutually exclusive Loss Event Frequency (LEF).]
Having your third-party cyber risk presented in financial terms is crucial in successfully understanding and managing risk. Without a solid representation of the financial impact of an attack, there’s no way to measure or clearly communicate to business leaders exactly how an attack on a third-party vendor could hurt your revenue streams. Implementing Black Kite is a way to help the rest of your organization understand cyber risk in a cost-effective manner.
What are Black Kite’s FAIR scenarios?
Black Kite has incorporated the Open FAIR™ model into three scenarios to provide organizations with a realistic assessment of the probable financial impact and likelihood of various cyber incidents. The three scenarios, which together cover nearly all cyber incidents businesses face today, are:
- Data Breach
- Ransomware
- Business interruption
Data Breach FAIR scenario
Black Kite’s Data Breach scenario assesses the risks associated with data breaches (reputational damage, non-compliance fines, intellectual property theft, etc.) so they can be mitigated, by analyzing a vendor’s:
- Security controls
- Compliance results
- Industry-specific threat data
The probable financial impact is calculated using the following metrics and inputs:
- Vulnerabilities
- Common Weakness Scoring System (CWSS) factors
- Compliance and industry data
- Employee training
- Insurance impact
- Unit cost of exposed information
- Incident response team capabilities
Ransomware FAIR scenario
Black Kite’s Ransomware scenario assesses the likelihood of a ransomware attack and helps identify areas of vulnerability by analyzing a vendor’s:
- Security controls
- Emerging attack vectors
- Previous ransomware incidents
Your probable financial impact is calculated using the following metrics and inputs:
- Black Kite’s Ransomware Susceptibility Index® (RSI™)
- Insurance impact
- Ransom demand
- Regulatory fines
- Cost of average downtime
- Loss of business
Business Interruption FAIR scenario
Black Kite’s Business Interruption scenario highlights areas to improve in order to ensure business continuity, by assessing how environmental, supply chain, and geopolitical risk could affect an organization’s operations:
- Environmental factors such as earthquakes, floods, and pandemics that can disrupt business operations
- Supply chain risk that can lead to disruptions in the supply of goods and services
- Geopolitical risks such as riots or protests
Your probable financial impact is calculated using the following metrics and inputs:
- Environmental factors
- Supply chain risk
- Insurance impact
- Cost of average downtime
- Loss of business
How Metrics and Inputs Differ By Scenario
Loss Magnitude (LM) is calculated differently in each scenario, as each scenario has different risk factors that contribute to the potential financial impact of a risk event on the organization.
Here’s a brief explanation of LM for each scenario:
Data Breach: Loss Magnitude in the Data Breach scenario is driven by the exposure of sensitive information. The unit cost of the exposed information, the potential impact on the organization’s revenue, and the cost of incident response and remediation efforts all contribute to the potential financial impact of a data breach.
Ransomware: Loss Magnitude in the Ransomware scenario is driven by the cost of average downtime. The revenue of the organization, the cost of incident response and remediation efforts, and the potential impact on the organization’s reputation and customer trust all contribute to the potential financial impact of a ransomware attack.
Business Interruption: Loss Magnitude in the Business Interruption scenario is driven by the potential impact of a disruption on the organization’s operations. This includes the cost of lost productivity, revenue, and profit during the period of downtime and the cost of recovering from the event.
Because the three scenarios’ Loss Event Frequencies are mutually exclusive (a given loss event is counted under only one scenario), the total financial risk is obtained by summing the three scenarios’ probable financial impacts.
Operationalizing FAIR
Black Kite’s FAIR model can be used to calculate the risk associated with three key scenarios: Data Breach, Ransomware, and Business Interruption. Each scenario is assessed using a combination of factors, including likelihood of occurrence, impact, and vulnerabilities. The resulting risk for each scenario is expressed as the product of its Loss Event Frequency (LEF) and Loss Magnitude (LM).
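The arithmetic behind the previous two sections (risk = LEF × LM per scenario, mutually exclusive scenarios summed for the total) is easy to get wrong once the inputs are ranges rather than single numbers. The script below is an added illustration, not Black Kite’s code or its actual model: it represents each scenario’s LEF and LM as a min / most-likely / max estimate, runs a Monte Carlo simulation of annual loss per scenario, and rolls the three up by summing losses year by year before taking percentiles. The scenario inputs and the `Pert`, `Scenario`, `simulate` and `point_estimate` names are constructed for this example and are not Black Kite metrics.

```python
"""
FAIR-style roll-up of three mutually exclusive loss scenarios.

Added illustration, not Black Kite's code or model: per scenario,
Risk = Loss Event Frequency (events/year) x Loss Magnitude (loss/event),
and because the scenarios' LEFs are mutually exclusive the total is
their sum. All numeric inputs are constructed placeholders.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a modified-PERT beta distribution."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # PERT shape parameter; 4 is the conventional default

    def mean(self) -> float:
        return (self.low + self.lam * self.mode + self.high) / (self.lam + 2)

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span == 0:
            return self.low
        alpha = 1 + self.lam * (self.mode - self.low) / span
        beta = 1 + self.lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert  # Loss Event Frequency, events per year
    lm: Pert   # Loss Magnitude, USD per event


# Constructed inputs for a hypothetical vendor; replace with calibrated estimates.
SCENARIOS = [
    Scenario("Data Breach", Pert(0.05, 0.2, 0.6), Pert(200_000, 1_000_000, 5_000_000)),
    Scenario("Ransomware", Pert(0.1, 0.3, 0.8), Pert(100_000, 750_000, 4_000_000)),
    Scenario("Business Interruption", Pert(0.02, 0.1, 0.4), Pert(50_000, 300_000, 2_000_000)),
]


def point_estimate(s: Scenario) -> float:
    """Single-number annualized loss expectancy: E[LEF] x E[LM]."""
    return s.lef.mean() * s.lm.mean()


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(s: Scenario, rng: random.Random) -> float:
    """One simulated year: draw a frequency, draw the event count, sum event magnitudes."""
    events = poisson(s.lef.sample(rng), rng)
    return sum(s.lm.sample(rng) for _ in range(events))


def summarize(losses):
    ordered = sorted(losses)
    pick = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"mean": sum(ordered) / len(ordered), "p50": pick(0.50), "p90": pick(0.90)}


def simulate(scenarios, years: int = 20_000, seed: int = 7):
    """Monte Carlo over simulated years. The total is summed per year and only
    then summarized; adding the scenarios' p90 values together is not the same thing."""
    rng = random.Random(seed)
    per_scenario = {s.name: [] for s in scenarios}
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            loss = annual_loss(s, rng)
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    results = {name: summarize(v) for name, v in per_scenario.items()}
    results["Total"] = summarize(totals)
    return results


if __name__ == "__main__":
    results = simulate(SCENARIOS)
    print(f"{'Scenario':<22}{'Point ALE':>14}{'MC mean':>14}{'p50':>14}{'p90':>14}")
    rows = [(s.name, point_estimate(s)) for s in SCENARIOS]
    rows.append(("Total", sum(p for _, p in rows)))
    for name, point in rows:
        r = results[name]
        print(f"{name:<22}{point:>14,.0f}{r['mean']:>14,.0f}{r['p50']:>14,.0f}{r['p90']:>14,.0f}")
```

Two things the output makes visible that a single LEF × LM number hides: the median annual loss for a low-frequency scenario is typically zero (most years nothing happens), while the p90 can be several times the mean, which is the figure a business-continuity or cyber-insurance conversation usually turns on. The point estimate and the simulated mean should agree closely; if they do not, the input ranges are badly skewed or the simulation is too short.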
The automated Loss Event Frequency (LEF) and Loss Magnitude (LM) calculations help organizations identify areas of weakness and develop a comprehensive risk management strategy that includes appropriate countermeasures and compliance measures.
Overall, Black Kite’s FAIR model is a powerful tool for organizations looking to better understand their cyber risk exposure and make informed decisions around risk management and cybersecurity investments. By leveraging these insights, organizations can minimize the impact of potential threats, protect their assets, and maintain the trust of their stakeholders.
Reducing Uncertainty with Black Kite
By using a third-party cyber risk management solution that leverages the Open FAIR Model, you can accurately calculate the probable financial impact on your organization if a third-party vendor experiences a data breach, ransomware, or business interruption.
How can Black Kite help you automate and accelerate third-party vendor risk management? Check out our case study and see exactly how Fractional CISO uses Black Kite to cut vendor management from a manual, month-long process to an automated, next-day experience.