Ostrich Cyber-Risk debuted the Ostrich Cyber-Risk Birdseye CRQ Simulator, designed to define cyber risk in financial values to aid informed business decisions for reducing risk.
Security and risk leaders face unprecedented pressure to protect their organizations against ongoing threats, including ransomware, data breaches and insider threats. Quantifying these risks is necessary to understand, evaluate, prioritize and communicate them in financial terms. This helps improve decision-making, optimize spending and address growing regulatory requirements by identifying and managing the most impactful risks first.
“We use Birdseye to both assess and quantify risk. The CRQ Simulator helps us plan risk-reduction scenarios to determine Annual Loss Expectancy results in dollars per year, and communicate that risk impact in financial terms,” said Arlan McMillan, Chief Security Officer, International Law Firm.
The CRQ Simulator is a new module in the SaaS Birdseye solution. It is based on Monte Carlo random number generation and probabilistic models, similar to the Open FAIR model, with the option to leverage granular Resistance Strength variables for improved Annual Loss Expectancy (ALE) probability outcomes.
“Our new CRQ Simulator module comes with an intuitive editor to build unlimited threat scenario simulations and the ability to run them thousands of times to gain better confidence in the Annual Loss Expectancy outcomes,” said Yiannis Vassiliades, Chief Product Officer, Ostrich Cyber-Risk. “This enables security and risk teams to compare options for addressing the risk, measure the acceptability of each outcome, and find the solution with the highest ROI to mitigate the simulated threat. This is essential to make cybersecurity program improvements not in a vacuum, but as a business decision.”
By using the full Birdseye solution with the CRQ Simulator module, organizations can better understand their cybersecurity program effectiveness and gaps, justify strategic decisions by measuring the ROI of security projects and budget, and communicate risk via shareable reports with the board, non-technical stakeholders and third parties, such as insurers.