Wouldn’t we all like to have a simpler life, easier days, less stress? Well, if you’re a new SaaS CIO/CISO stepping into your role, here’s a tip to simplify your day.

You have to make decisions every day, all day long.

What will you do about that latest cyber-attack?

How will you prioritize limited resources while still managing and hopefully reducing risk?

What will you say to stakeholders?

Having a **fool-proof way to make all those decisions** would go a long way to smoothing out your day – wouldn’t it? Heck yah!

The hard part of making decisions is having **a way to evaluate the multiple factors** you need or want to consider. Once you have that, the answer is usually obvious: it is the option with the lower risk.

#### How do you measure risk?

Most organizations use labels like low and moderate. That’s fine until you have three “moderate” risks. Now how do you make a decision and prioritize if everything else is equal? What does a “moderate” risk even mean?

You can’t make a decision until you can differentiate between the two things you’re considering. In other words, labels like this are useless if you haven’t defined exactly what they mean.

**There are two approaches to this.**

The first approach measures characteristics and treats them as if they were risk. You can count (measure) things like the number of missing patches or outstanding vulnerabilities on an asset. This is easy because you likely already have that data on hand. These characteristics are interesting and can contribute to risk, but they are not a measure of risk. Risk exists when a vulnerability is exposed to a threat actor who is likely to use it against you. Remove either one, the vulnerability or the threat actor, and you don’t really have a risk.

The second way to measure risk is with probability theory. This method starts with an initial estimate that does NOT require a lot of data. You can be accurate with a wide-range estimate; then, as you get time and more data, you become more precise and the risk range narrows. The most basic equation is a joint probability of two factors and looks like this: threat x likelihood = risk. In this case, threat is the weakness or vulnerabilities you are aware of, and likelihood is your estimate of the strength of the threat agent. Multiplying the two treats them as independent, which is the simplifying assumption behind this first-cut estimate. Replace your typical 1-5 scale of very low to very high with 20% bands (0-20%, 20-40%, 40-60%, 60-80%, 80-100%). Now you can do some quick math and estimate the risk as a range.

Here’s an example: Let’s say we estimate low vulnerabilities in a system (20-40%) and a cybercriminal as the threat actor (60-80%). We calculate the lower bound as .20 x .60 = .12 and the upper bound as .40 x .80 = .32. So, the estimated risk range is 12%-32%. Voilà!
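The same interval arithmetic, written out as a small script so it can be applied to more than one system at a time. This is an added example, not code from the article or from FISMACS; the band label names, the `refine` step (narrowing an estimate by intersecting it with new evidence) and the three sample scenarios are assumptions made here to illustrate the method. It goes slightly beyond the single calculation above: it also shows how three systems that would all be labelled "moderate" on a single scale separate cleanly once each factor carries its own range.

```python
"""Interval risk estimate: risk = vulnerability x threat, each factor given as a
20% probability band instead of a 1-5 label (added example, not the article's code)."""

from typing import Dict, List, Tuple, Union

Range = Tuple[float, float]

# The usual 1-5 scale mapped onto 20% bands. Label names are an assumption.
BANDS: Dict[str, Range] = {
    "very low": (0.0, 0.2),
    "low": (0.2, 0.4),
    "moderate": (0.4, 0.6),
    "high": (0.6, 0.8),
    "very high": (0.8, 1.0),
}


def band(level: Union[int, str]) -> Range:
    """Return the 20% band for a 1-5 level or for its label (case-insensitive)."""
    if isinstance(level, int):
        if not 1 <= level <= 5:
            raise ValueError(f"level must be 1-5, got {level}")
        return list(BANDS.values())[level - 1]
    key = level.strip().lower()
    if key not in BANDS:
        raise ValueError(f"unknown band label: {level!r}")
    return BANDS[key]


def risk_range(vulnerability: Range, threat: Range) -> Range:
    """Joint probability of two independent factors, carried as an interval.

    Because every value lies in [0, 1], the smallest product comes from the two
    lower bounds and the largest from the two upper bounds, so multiplying the
    endpoints pairwise gives the exact range of the product.
    """
    for lo, hi in (vulnerability, threat):
        if not (0.0 <= lo <= hi <= 1.0):
            raise ValueError(f"not a probability range: ({lo}, {hi})")
    lo = round(vulnerability[0] * threat[0], 4)
    hi = round(vulnerability[1] * threat[1], 4)
    return (lo, hi)


def refine(current: Range, evidence: Range) -> Range:
    """Narrow an estimate as more data arrives (assumed approach: intersection).

    The evidence must overlap the current range. If it does not, the initial
    estimate was wrong rather than merely imprecise, which is worth surfacing
    instead of silently clamping.
    """
    lo, hi = max(current[0], evidence[0]), min(current[1], evidence[1])
    if lo > hi:
        raise ValueError("evidence does not overlap the current estimate")
    return (lo, hi)


def prioritize(scenarios: List[Tuple[str, Range, Range]]) -> List[Tuple[str, Range]]:
    """Rank (name, vulnerability, threat) scenarios worst-case first: by the
    upper bound of the risk range, then by the lower bound."""
    ranked = [(name, risk_range(v, t)) for name, v, t in scenarios]
    ranked.sort(key=lambda item: (item[1][1], item[1][0]), reverse=True)
    return ranked


# Constructed sample: three systems a single-scale label would all call "moderate".
SCENARIOS: List[Tuple[str, Range, Range]] = [
    ("customer portal", band("low"), band("high")),        # the article's numbers
    ("internal wiki", band("moderate"), band("low")),
    ("payment API", band("low"), band("very high")),
]

if __name__ == "__main__":
    for name, (lo, hi) in prioritize(SCENARIOS):
        print(f"{name:16s} {lo:.0%} - {hi:.0%}")
    # Later evidence (assumed) narrows the portal estimate from 12%-32% to 20%-32%.
    print("refined portal:", refine(risk_range(band("low"), band("high")), (0.2, 0.5)))
```

Ranking on the upper bound is a deliberate choice for a first cut: it puts the scenario with the worst defensible case at the top of the list, and a stakeholder who disagrees can ask for the more detailed analysis that tightens that bound.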

This method has been widely applied to a variety of situations with very high levels of uncertainty and consistently yields reliable, valid results. There is an added benefit to using it: an initial estimate lets you and your stakeholders decide whether to proceed on that estimate or to request a more detailed analysis. See how that works?

Want to learn more about implementing this in your organization? Schedule a quick chat at https://www.fismacs.com/contact.

**Charlene Deaver-Vazquez** - Helping new CIOs/CISOs measure, manage and communicate risk. Schedule a quick chat at https://www.fismacs.com/contact