Managing Cyber Risks

Abstract & sneak peek on our talk at FloCon 2022

SEI Capstone - Executive Summary.pdf

ECI & RA: Express Control Impact and Risk Analysis

Partnering with the Software Engineering Institute at Carnegie Mellon University, we devised a cyber risk method for any organization that combines the FAIR, MITRE TARA, OCTAVE, CMMC, NIST CSF, and NIST SP 800-53 frameworks. The main objective is to quantify risks quickly and give the CISO a concise, express control-impact prioritization strategy, so that CISOs can quickly justify their budget and investments to executives.

As a result, the tool helps any organization manage its risk according to its custom-tailored risk appetite and budget, giving the CISO a means to navigate control gaps and implementation and to prioritize risk treatment.

Objective

Develop a method and tool to help analyze the impact a given set of controls has on cyber risks estimation.

Purpose

Helps determine how much less risk (and how much less expected financial loss) an organization will have if a given set of controls is implemented.
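As an added illustration of the objective and purpose above (this is not the SEI capstone tool's code, and its numbers are constructed), the following Python sketch uses FAIR's basic decomposition, annualized loss expectancy = threat event frequency × vulnerability × loss magnitude, to compare total risk before and after a set of hypothetical controls, rank each control by risk reduction per dollar, and pick controls within a budget. Point estimates are used in place of FAIR's distributions, and the multiplicative "factor" model for how a control changes each FAIR term is an assumption made for the example.

```python
from dataclasses import dataclass, replace


@dataclass
class Scenario:
    """A FAIR-style loss scenario with point estimates (constructed sample data)."""
    name: str
    tef: float   # threat event frequency, events per year
    vuln: float  # probability that a threat event becomes a loss event (0..1)
    loss: float  # loss magnitude per loss event, in dollars

    def ale(self) -> float:
        # Annualized loss expectancy: LEF * LM, where LEF = TEF * vulnerability
        return self.tef * self.vuln * self.loss


@dataclass
class Control:
    """A hypothetical control with multiplicative effects on the FAIR terms (assumed model)."""
    name: str
    cost: float                 # annual cost in dollars
    tef_factor: float = 1.0     # 0.6 means threat event frequency drops to 60%
    vuln_factor: float = 1.0
    loss_factor: float = 1.0
    applies_to: frozenset = frozenset()  # empty set means the control affects every scenario


def apply(scenario: Scenario, controls) -> Scenario:
    """Return a copy of the scenario with the given controls' effects applied."""
    s = replace(scenario)
    for c in controls:
        if c.applies_to and s.name not in c.applies_to:
            continue
        s.tef *= c.tef_factor
        s.vuln = min(1.0, s.vuln * c.vuln_factor)
        s.loss *= c.loss_factor
    return s


def risk_reduction(scenarios, controls):
    """Total ALE before, total ALE after, and the difference for a set of controls."""
    before = sum(s.ale() for s in scenarios)
    after = sum(apply(s, controls).ale() for s in scenarios)
    return before, after, before - after


def prioritize(scenarios, controls):
    """Rank individual controls by ALE reduction per dollar of annual cost."""
    rows = []
    for c in controls:
        _, _, reduction = risk_reduction(scenarios, [c])
        rows.append((c.name, reduction, reduction / c.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def select_within_budget(scenarios, controls, budget: float):
    """Greedy selection by reduction-per-dollar until the budget is exhausted."""
    by_name = {c.name: c for c in controls}
    chosen, spent = [], 0.0
    for name, _, _ in prioritize(scenarios, controls):
        if spent + by_name[name].cost <= budget:
            chosen.append(by_name[name])
            spent += by_name[name].cost
    return chosen


# Constructed sample data: two scenarios and three candidate controls.
SCENARIOS = [
    Scenario("ransomware", tef=2.0, vuln=0.3, loss=500_000.0),          # ALE 300,000
    Scenario("credential phishing", tef=20.0, vuln=0.1, loss=50_000.0),  # ALE 100,000
]
CONTROLS = [
    Control("MFA", cost=40_000.0, vuln_factor=0.2),
    Control("Offline backups", cost=25_000.0, loss_factor=0.4,
            applies_to=frozenset({"ransomware"})),
    Control("Email filtering", cost=10_000.0, tef_factor=0.6),
]

if __name__ == "__main__":
    before, after, reduction = risk_reduction(SCENARIOS, CONTROLS)
    print(f"ALE before: {before:,.0f}  after all controls: {after:,.0f}  reduction: {reduction:,.0f}")
    for name, red, per_dollar in prioritize(SCENARIOS, CONTROLS):
        print(f"{name:16s} reduces ALE by {red:>9,.0f} ({per_dollar:.1f} per dollar)")
    print("Within a 50,000 budget:", [c.name for c in select_within_budget(SCENARIOS, CONTROLS, 50_000)])
```

The ranking shows the point the purpose statement makes: the cheapest control is not necessarily the one that removes the most risk, but reduction per dollar, computed against the scenarios it actually affects, is what lets a CISO defend a prioritized spend.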

Building blocks

  1. Factor Analysis of Information Risk (FAIR)

  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro from SEI

  3. Threat Assessment & Remediation Analysis (TARA) from MITRE

  4. NIST SP 800-53 controls

  5. CMMC

  6. NIST CSF