Case Study: Monetary Cyber Risk Quantification Validates Technology Decisions
Monetary Risk Quantification provides insight on social security number storage and security log aggregation
The healthcare sector is one of the most heavily targeted for cyber attack. With its copious sensitive data sets, such as personally identifiable information (PII) and medical history, attackers regard healthcare databases as a treasure trove of information.
One of Evolver’s healthcare clients turned to us for a monetary cyber risk quantification to determine whether they were spending the right amount of money in the right places on cybersecurity. Evolver is especially qualified to assess the risk behind a technology spend because of the many certified FAIR Analysts on its staff.
FAIR (Factor Analysis of Information Risk) is rapidly becoming the de facto standard for monetary quantification of cyber risk; increasingly, Fortune 500 companies and government groups use the method for monetary risk calculations that can be briefed to boards of directors and other senior leadership.
Because of the tangible nature of Evolver’s risk quantification reports, Evolver’s clients know how much financial risk they have over their business areas and applications.
Case Study: Monetary Cyber Risk Quantification for Healthcare Client
The Cybersecurity Problem
The client had two issues:
»» They were using a costly security log aggregation tool as an added layer of security for three core web business applications. They wanted to determine the value they were receiving for this technology investment.
»» The client wanted to determine if they should continue storing customer social security numbers in their system, or discontinue and possibly lower their risk exposure.
Evolver recommends performing a baseline risk assessment first, followed by two risk quantifications that serve as a cost/benefit analysis and give the client a clear decision point.
Monetary Risk Quantification Benefits to Client
- Risk quantification enabled the client to make an informed decision from a financial perspective before technology decisions/investments were made
- Provided the actual dollar amount of risk exposure
- CFO and CISO could speak the same language
- Helped validate the continued use of their technology
Successful Risk Quantification Highlights
»» Evolver’s Certified FAIR Analysts started with a baseline risk quantification, using the RiskLens software, to establish the organization’s current status.
»» 1st Risk Quantification: security log aggregation tool
  »» Perform “what if” scenarios
    »» What if the client doesn’t use the tool and instead relies on their hosting provider to detect and notify them of security incidents?
  »» The client is able to see what their increased risk exposure would be and make a decision.
  »» In this case, the client determined that the investment in the security log aggregation tool was validated.
»» 2nd Risk Quantification: social security numbers
  »» Perform “what if” scenarios
    »» Weighed the cost of all the technology changes that would need to go into effect to remove the social security numbers against the risk exposure savings.
  »» Determined that, since the client is still capturing many other types of PII, their risk exposure would only decrease by a nominal amount.
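The baseline-versus-“what if” comparison described above, reduced to its arithmetic as an added illustration (this is not RiskLens output or Evolver’s model): a simplified FAIR-style Monte Carlo that multiplies loss event frequency by loss magnitude, with every estimate, cost and scenario below constructed for the example.

```python
import random

# Simplified FAIR-style quantification (illustration only, not RiskLens output):
# Annualized Loss Exposure (ALE) = Loss Event Frequency (events/year)
#   x Loss Magnitude ($ per event).
# Each factor is a calibrated (min, most likely, max) estimate sampled from a
# triangular distribution over many trials. All figures below are constructed.

def simulate_ale(lef, lm, runs=20000, seed=7):
    """Mean annual loss in dollars over `runs` Monte Carlo trials.
    lef and lm are (min, mode, max) triples; the fixed seed makes runs repeatable."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        events = rng.triangular(lef[0], lef[2], lef[1])   # triangular(low, high, mode)
        per_event = rng.triangular(lm[0], lm[2], lm[1])
        total += events * per_event
    return total / runs

# Constructed scenario estimates for the two decisions in the case study.
BASELINE = dict(lef=(0.2, 0.5, 1.0), lm=(100_000, 400_000, 1_500_000))
# What if the log aggregation tool is dropped and detection is left to the hosting
# provider: longer dwell time raises loss magnitude, and some incidents the tool
# would have caught early turn into loss events.
NO_LOG_TOOL = dict(lef=(0.3, 0.7, 1.2), lm=(200_000, 900_000, 3_000_000))
# What if SSNs are no longer stored: other PII remains, so magnitude drops only modestly.
NO_SSN = dict(lef=(0.2, 0.5, 1.0), lm=(90_000, 360_000, 1_350_000))

def exposure_change(baseline, what_if):
    """Annual dollar change in risk exposure when moving from baseline to what_if
    (positive means the what-if scenario carries more risk)."""
    return simulate_ale(**what_if) - simulate_ale(**baseline)

def change_is_justified(risk_reduction_per_year, annual_cost):
    """A control (or a migration, amortised to a yearly figure) pays for itself
    when the exposure it removes exceeds what it costs each year."""
    return risk_reduction_per_year > annual_cost

if __name__ == "__main__":
    tool_value = exposure_change(BASELINE, NO_LOG_TOOL)   # exposure the tool removes
    ssn_saving = -exposure_change(BASELINE, NO_SSN)       # exposure removed by dropping SSNs
    print(f"Baseline ALE: ${simulate_ale(**BASELINE):,.0f}")
    print(f"Log tool removes ${tool_value:,.0f}/yr of exposure; "
          f"keep it at a constructed $250k/yr: {change_is_justified(tool_value, 250_000)}")
    print(f"Dropping SSNs removes ${ssn_saving:,.0f}/yr; "
          f"worth a constructed $150k/yr migration: {change_is_justified(ssn_saving, 150_000)}")
```

Because the SSN scenario only trims loss magnitude while the other PII keeps event frequency unchanged, the saving it produces is small next to the migration cost, which is the “nominal amount” outcome the case study reports.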
This healthcare sector client turned to Evolver as its trusted information security and information technology provider. Evolver’s expertise in monetary risk quantification helped the client make confident technology decisions, including confirming the use of a security log aggregation tool and deciding whether to continue storing social security numbers.