The method to measure and reduce IT risks

Setting and staying on the path towards optimal IT security requires reliable processes, efficient tools and independent consulting. Unfortunately, many organizations still use qualitative methods for IT risk management, making it difficult to measure risk across teams and business areas, and harder to compare your risk level to your risk tolerance.

The solution is evidence-based and quantitative analysis methods that create a solid and transparent foundation for your decision making, and help you avoid analysis placebo.

“Risk management with confidence in flawed methods is worse than intuition and dice rolling.”
ACI dogma #2

Practical and reliable quantitative IT risk management

Risk management is a known discipline in economics, insurance, and construction, among others. We use these evidence-based procedures to assess your IT risk level, your IT threat landscape, security level and risk tolerance.

From this foundation, we can help you develop your IT strategy, policies, operational procedures and controls so you can achieve the best risk reduction from your investment.

Our risk assessments consider the following areas and circumstances:

• External malicious attacks (cybercrime)
• Internal malicious attacks
• Internal failures and omissions
• Incidents from outsourcing
• Incidents relating to the physical environment and infrastructure

The path to optimal IT risk management

We developed the SARA method to ensure a good process and a practical and impartial assessment of your IT risk management processes. The process will be tailored to your organization to make the process agile, thorough, and secure, in accordance with Appendix 5 of the Executive Order on Management for financial institutions in Denmark. Read more about our method below.

You have more data than you think

A “lack of data” is frequently the excuse we hear for not using quantitative methods in IT risk assessments. However, organizations have more data that can help reduce uncertainty for the risk assessment than they think. And you need less data than most people think.

Even a few measurements from your IT environment compared to what we know about the threat landscape can bring us closer to a prognosis for e.g., the risk of a severe cyber incident with the loss of sensitive data. We use your immediately available data to reduce uncertainty as much as possible. Then, we help you collect risk data to further decrease uncertainty in the following risk assessments.

If it matters, it can be observed. If it can be observed, it can be measured.
ACI dogma #10

Tools and standards for risk management

Tools only work if the underlying processes work. They are not crucial for optimal IT security. Through the years, we have developed a reliable and efficient set of tools which, among others, consist of:

• Processes for risk management as established by ISO standards
• Taxonomies for classifying operational risk in various industries
• In-house developed scenario generators
• Tools for calibrating subject matter experts
• Simulation tools based on Monte Carlo simulation
• Analysis of current IT security level based on CIS controls
• Tools for visualization and presentation of risk data
• Collaborators for collecting risk data and performing specific tests