Objective Risk Assessment
Objective Risk Assessment in the context of cybersecurity is a method of evaluating potential threats and vulnerabilities based on quantifiable data, verifiable facts, and established mathematical or statistical models, rather than relying primarily on subjective judgment, intuition, or qualitative scales (like "high," "medium," or "low").
Core Principles and Methodology
The fundamental goal of an objective assessment is to replace vague, consensus-driven opinions with financially expressed or probability-based estimates that are consistently reproducible and transparently defensible to business leaders.
1. Quantification and Financial Expression
The most distinguishing characteristic of an objective assessment is the translation of technical risk into monetary terms. It leverages the concepts of Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO) to calculate the Annualized Loss Expectancy (ALE).
Financial Metrics: Risk is defined as the probable loss over a year. For example, instead of saying "The risk of a data breach is high," an objective assessment states: "The Annualized Loss Expectancy for a critical data breach due to unpatched systems is $1.5 million."
Modeling Uncertainty: It often uses statistical techniques, such as Monte Carlo simulation, to model the range of potential outcomes and their likelihoods. This provides a clear, quantitative statement of uncertainty (e.g., "There is a 90% chance the loss will be between $800,000 and $2 million").
2. Evidence-Based Inputs
An objective assessment requires inputs that are derived from empirical evidence, moving away from expert opinions where possible:
Frequency Data: The ARO is calculated using actuarial data, industry breach statistics, external threat intelligence, and historical organizational data, providing a verifiable basis for the likelihood of an event.
Cost Data: The SLE is based on verifiable financial figures, including incident response costs, expected regulatory fines, breach notification costs, and the cost of lost business (e.g., $250 per lost record, based on industry averages).
Control Strength: The effectiveness of existing security controls is measured through testing, metrics, and external attack-surface data (such as that provided by EASM tools) rather than self-reported compliance status.
3. Separation of Probability and Impact
Objective risk models, such as the Factor Analysis of Information Risk (FAIR) model, rigorously separate the components of risk into two distinct categories:
Loss Event Frequency: How often the event is expected to occur (ARO).
Probable Loss Magnitude: How much the event is expected to cost when it does occur (SLE).
This separation prevents subjective biases from conflating a high-impact event (a significant loss) with a high-probability event (something that happens often).
In summary, the objective approach views cybersecurity risk as a form of business risk that can be managed and prioritized with the same financial rigor as credit market risk.
ThreatNG directly supports an Objective Risk Assessment by supplying the quantifiable external data needed to accurately calculate the Annualized Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE), shifting the assessment from subjective opinion to verifiable financial metrics. It provides evidence that a specific control has reduced risk, thereby validating the Expected Loss Avoided (ELA).
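As an added example (not ThreatNG's own code and not from the original page), the arithmetic behind the principles above: ALE = SLE x ARO, the Expected Loss Avoided (ELA) of a control, and a Monte Carlo run over uncertain inputs that yields a 90% statement of the kind quoted in section 1. The record count, the post-control ARO, the control cost and the min/most-likely/max estimates are constructed assumptions; $250 per record and the 0.8 per year ARO are the page's own figures.

```python
import random

def ale(sle, aro):
    """Annualized Loss Expectancy: Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro

def expected_loss_avoided(sle, aro_before, aro_after):
    """ELA: ALE before a control minus ALE after it, computed on the same SLE."""
    return ale(sle, aro_before) - ale(sle, aro_after)

def control_roi(ela, annual_control_cost):
    """Net annual benefit of a control divided by its cost (0.0 means break-even)."""
    return (ela - annual_control_cost) / annual_control_cost

def simulate_ale(sle_est, aro_est, trials=20000, seed=7):
    """Monte Carlo over uncertain inputs. Each estimate is (min, most_likely, max) and is
    sampled from a triangular distribution; returns the sorted list of ALE samples."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        sle = rng.triangular(sle_est[0], sle_est[2], sle_est[1])  # args: low, high, mode
        aro = rng.triangular(aro_est[0], aro_est[2], aro_est[1])
        samples.append(ale(sle, aro))
    return sorted(samples)

def credible_interval(sorted_samples, confidence=0.90):
    """Central interval: for 90% confidence, the 5th and 95th percentile samples."""
    n = len(sorted_samples)
    tail = (1.0 - confidence) / 2.0
    return sorted_samples[round(tail * (n - 1))], sorted_samples[round((1.0 - tail) * (n - 1))]

def mean(values):
    return sum(values) / len(values)

if __name__ == "__main__":
    # Constructed inputs: 4,000 customer records at $250 each (the page's industry average)
    # gives SLE = $1,000,000; ARO 0.8/year is the page's exposed-API figure; 0.1/year after
    # the control is an assumed, evidence-backed post-remediation rate.
    sle, aro_before, aro_after = 4000 * 250, 0.8, 0.1
    print(f"ALE before control: ${ale(sle, aro_before):,.0f}")
    ela = expected_loss_avoided(sle, aro_before, aro_after)
    print(f"Expected Loss Avoided: ${ela:,.0f}; ROI at $150,000/yr: {control_roi(ela, 150_000):.1%}")
    # Uncertain estimates (min, most likely, max) for SLE in dollars and ARO in events/year.
    samples = simulate_ale((500_000, 1_000_000, 1_500_000), (0.4, 0.8, 1.2))
    low, high = credible_interval(samples)
    print(f"90% of simulated ALE values fall between ${low:,.0f} and ${high:,.0f}; mean ${mean(samples):,.0f}")
```

With an ARO below 1, note that the interval describes uncertainty in the expected annual loss, not the loss in any single year, which in most years is zero.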
External Discovery and Continuous Monitoring
ThreatNG's external discovery is critical for establishing the initial, unmitigated risk state ($\text{ALE}_{\text{Before Control}}$) by identifying unknown assets that contribute to a high ARO. Continuous monitoring then provides the empirical data stream needed to prove that risk reduction is sustained, validating the $\text{ALE}_{\text{After Control}}$ over time.
ThreatNG Helping Example: By continuously discovering forgotten, unmanaged assets (Shadow IT) that pose a risk, ThreatNG precisely defines the population of vulnerable systems, allowing the risk assessor to move from an estimated ARO for "the entire network" to a precise ARO for "20 known, unpatched external servers." If these servers are remediated, the continuous monitoring confirms their security posture remains compliant, validating the reduction in ARO.
External Assessment and Intelligence Repositories
These modules provide the verifiable, external data points essential for objective quantification of both loss frequency and loss magnitude.
External Assessment (Highlight and Detailed Examples)
The assessment module provides the necessary inputs for the SLE and ARO components of the quantitative risk formula.
Quantifying ARO via Real-World Exploitability:
Example: ThreatNG discovers a publicly exposed API used for customer access. The external assessment doesn't just check for a vulnerability; it verifies that the specific vulnerability is actively being discussed and targeted by hacking groups, as confirmed by data from intelligence repositories. This external confirmation allows the risk assessor to objectively increase the ARO for a breach through that API from a subjective "low" to a quantifiable 0.8 per year, reflecting the high probability of a targeted attack. This objective number provides a precise input for the risk calculation.
Quantifying SLE via Asset Sensitivity:
Example: A misconfigured cloud storage bucket is discovered. The external assessment analyzes the bucket's permissions and determines that it contains proprietary source code for a flagship product. This finding allows the assessor to calculate the SLE not just on regulatory fines, but on the quantifiable cost of intellectual property loss, which might be $10 million based on R&D costs. ThreatNG provides the verifiable evidence that this asset has a high SLE, grounding the objective assessment in financial reality.
Intelligence Repositories
These act as the actuarial data source for the objective risk model, replacing guesswork with statistically relevant context.
Fabric Function: The intelligence fabric provides global and industry-specific breach statistics, average litigation costs, and prevailing threat actor TTPs. For instance, the repository shows that similar organizations face an average of 1.2 targeted ransomware attempts per year. This figure is then used as a baseline for the ARO in the objective risk assessment, making the resulting ALE financially defensible.
Investigation Modules and Reporting
The investigation modules provide the audit trail needed to demonstrate risk reduction, and the reporting module communicates the resulting objective financial metric (ALE).
Investigation Modules (Highlight and Detailed Examples)
The investigation module ensures that any claim of risk reduction (a lower ARO or SLE) is backed by verifiable evidence that the control is working externally.
Validating Control Effectiveness Post-Remediation:
Example: The organization implements a solution to secure all exposed database connection strings found by ThreatNG. The investigation module is then used to perform continuous, automated searches across code repositories and paste sites for 6 months to verify that the remediation is complete and that the sensitive strings have not reappeared. The investigation report, showing zero reappearance, serves as objective, quantifiable proof that the control has reduced the ARO to near zero, thereby validating the $\text{ALE}_{\text{After Control}}$ calculation.
Confirming Threat Actor Disruption:
Example: ThreatNG identifies a specific phishing campaign targeting the organization. The organization takes action to block the identified phishing domains. The investigation module is then used to monitor dark web forums associated with that threat group to confirm that they have stopped targeting the company and shifted their focus elsewhere. This external evidence provides objective validation that the mitigating action successfully reduced the ARO, contributing to a lower, verifiable ALE.
Cooperation with Complementary Solutions
ThreatNG's quantified risk data is vital for ensuring that internal business and risk management tools are driven by objective, external truth.
Cooperation with Governance, Risk, and Compliance (GRC) Platforms:
Example: ThreatNG's output (the quantified ARO and SLE inputs derived from the external assessment) is automatically sent to the organization's GRC platform. The GRC platform then uses these objective figures to calculate the final, auditable ALE, eliminating the need for subjective manual inputs. This ensures that the risk register is always based on current, financially expressed threats, meeting the highest standards of objective risk assessment.
Cooperation with Financial Modeling Software:
Example: ThreatNG identifies that 50 exposed, legacy usernames could be used for credential stuffing. The intelligence repository provides an ARO and SLE based on the expected cost of an internal account takeover. This quantified data is ingested by financial modeling software, which then uses the figures to calculate the precise Return on Investment (ROI) for purchasing a new Multi-Factor Authentication (MFA) solution, grounding the investment decision in the objective financial benefit of Expected Loss Avoided.