I tend to avoid writing about features in the blog, but this one is kind of unique. Recall that Risk Communicator's first mission is to streamline portfolio planning and justification. Our approach is an evidence-based, qualitative ranking of risks. We're big believers that combining past and present evidence with the opinion of an accountable CISO represents the best prediction of future loss. I'll take the evidence-backed opinion of an experienced CISO over various statistical distributions any day.
An important element of the evidence-based approach is how to articulate the predicted impact of a successful threat action. We recently had a feature request to highlight a primary impact area for each risk. While a risk may have multiple impacts, e.g. fraud, regulatory fines, reputation/customer churn, one usually stands out (or you only have time to articulate one anyway). The second reason someone wanted to highlight a primary impact is that they are able to quantify a couple of risks around their fraud controls. I love it when a risk has a strong quantity story! We'll bend over backwards to help communicate a solid cost-benefit analysis.
As with all feature sets, this one is a journey. The first step in associating quantitative values alongside qualitative ranking is available now in Risk Communicator. Log on to check it out. The objective is to select a qualitative impact description or enter a dollar value. Of course you can enter anything you like. Whatever you do, please be sure to document your evidence in the Impact text boxes and defend your ranking or valuation.
In the future, you'll see more side-by-side uses of qualitative and quantitative assertions. Every risk can be presented on a qualitative, ordinal scale. And when you have the data to construct an ALE or specify a monetary amount, we want to help you communicate it!
Stay tuned and let us know what you think. There's plenty more on the way. We're also seeking feedback on a new histogram showing counts of risks across Impact areas. Like it? Want to see separate graphs for mitigated and accepted risks?
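As an added illustration, not Risk Communicator's own code or scale, the Python below sketches the idea from the last three paragraphs: a register where each risk carries a primary impact area and either an ordinal impact level or a dollar figure (an ALE built from SLE and ARO), ranked on one scale, with the counts behind an Impact-area histogram. The dollar bands, field names and sample risks are constructed for the example.

```python
from collections import Counter

# Ordinal impact scale, lowest to highest. The dollar bands that map a
# monetary figure onto it are constructed here, not the product's thresholds.
IMPACT_LEVELS = ["Low", "Moderate", "High", "Severe"]
DOLLAR_BANDS = [(50_000, "Low"), (500_000, "Moderate"), (5_000_000, "High")]


def ale(sle, aro):
    """Annualized Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    return sle * aro


def dollars_to_level(amount):
    """Place a dollar impact on the same ordinal scale as a qualitative entry."""
    for upper, level in DOLLAR_BANDS:
        if amount < upper:
            return level
    return "Severe"


def impact_level(risk):
    """A risk's impact is either a level name or a dollar figure; normalise both."""
    imp = risk["impact"]
    return imp if isinstance(imp, str) else dollars_to_level(imp)


def rank_risks(risks):
    """Highest impact first; equal levels keep register order (sorted() is stable)."""
    return sorted(risks, key=lambda r: IMPACT_LEVELS.index(impact_level(r)), reverse=True)


def impact_histogram(risks):
    """Counts of risks per primary impact area, the data behind the histogram."""
    return Counter(r["area"] for r in risks)


def missing_evidence(risks):
    """Names of risks whose Impact evidence text was left empty."""
    return [r["name"] for r in risks if not r.get("evidence", "").strip()]


# Constructed sample register: two quantified fraud risks, two qualitative ones.
RISKS = [
    {"name": "Account takeover fraud", "area": "Fraud",
     "impact": ale(sle=25_000, aro=12), "evidence": "12 confirmed cases last year, avg loss 25k"},
    {"name": "Card-testing bot fraud", "area": "Fraud",
     "impact": ale(sle=4_000, aro=200), "evidence": "chargeback report Q1-Q4"},
    {"name": "Breach notification fines", "area": "Regulatory", "impact": "Severe", "evidence": ""},
    {"name": "Phishing-driven churn", "area": "Reputation", "impact": "Moderate",
     "evidence": "survey: 8% of affected users closed accounts"},
]
```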