The RiskLens platform not only helps display an organization’s risk in quantitative terms, but contains features that make it easier to compare these risks against each other. These features are known as Risk Assessments and Portfolios and the information below will describe in more detail what each means, how they are used and the benefits of using these features to report to executives and to the board of directors.
Within the RiskLens platform, an analyst has the ability to see the overall (aggregated) risk exposure of a group of scenarios using a risk score. This feature highlights key risks and presents overall exposure to annualized losses when looking at two or more scenarios.
Many organizations want to assess which assets are most at risk and can do so quickly by performing quick assessments and using the Top Risks report in the Risk Assessment to see how all scenarios stack up against each other. In a risk assessment, the analyst is also able to see a breakdown of reports based on assets, threats, effects, and forms of loss, providing another way to visualize the results of the assessment.
Risk assessment is also used for a more holistic understanding of a risk that may have multiple scenarios, such as big game ransomware. In order to fully understand the overall loss from a ransomware attack, an analyst can look at the outage aspect as well as the data loss by performing a risk assessment.
The platform also allows the analyst to perform benchmarking based on a risk assessment. This feature can be accessed and used after scenarios and a risk assessment have been completed and all have been updated. With this feature, the analyst can compare the implementation of controls, remove controls to see if they are mandatory, and make other comparisons that are relevant and useful to the organization. The analyst can also look at the cost of the control, or perform a risk treatment analysis, to understand what the estimated return on investment is for implementing the control.
Risk assessment capabilities
Identify and classify the main risks
Quick ad hoc disaster reports
Aggregate loss exposure for multiple risk scenarios
Multi-scenario views of a complex risk
ROI of controls for risk reduction
Once a portfolio is created, topics can be associated with it. A topic is assigned to (tagged in) a scenario, which adds that scenario to the associated topic report. Unlike risk assessments, which can only contain scenarios associated with the given group, a topic can contain scenarios from multiple groups within the RiskLens instance, allowing for enterprise-level reporting. Topics may be reviewed and communicated alone or with other topics in the associated portfolio.
All scenarios assigned to a given topic are aggregated to provide a single total risk value for that topic. Likewise, all topics are aggregated to provide a single total risk value for the portfolio. For this reason, a single scenario can only be included in one topic per portfolio, to avoid overestimating the risk.
In addition to the aggregated value, the topic and portfolio reports contain a comparison of related scenarios and topics, respectively. The reports also contain a breakdown of risk-causing loss concentrations and highlight the highest-risk scenarios included in the topic or portfolio, based on per-event and annualized loss exposure. Both reports also contain areas for adding additional notes and correction information.
Company level reports
Group risk scenarios by any topic
Exposure to impairment by topic
Compare topics for loss exposure
Explore risk factors by topic
Summary: Risk assessments and portfolios on the RiskLens platform
Both features allow an analyst to report on a group of scenarios to an organization in quantitative terms. Risk assessments should probably be used primarily for benchmarking to assess control investments, as well as for rapid ad hoc and holistic risk analyses of specific incidents. Portfolios enable comparison of groups of scenarios against each other, as well as enterprise-wide reporting with the ability to understand risk across all departments of the organization.
*** This is a syndicated blog from the Security Bloggers Network of RiskLens Resources written by Erin Macuga. Read the original post at: https://www.risklens.com/resource-center/blog/deep-dive-or-enterprise-wide-view-cyber-risk-from-any-angle-with-risklens-risk-assessments-and-risk-wallets