Security and Compliance Blog Posts
By Josh Marker, Head of Security Risk Management, and Jay Thoden van Velzen, Technical Advisor, Office of the CSO

 

Security Risks, Enterprise Risks, and Business Priorities

This year has seen a further rise in cyber threats with increasing business impact. Just in recent months, cyber attacks have disrupted retail chains, air travel and beer production, and an entire supply chain in the automotive industry requiring government support. Managing security risks well is more critical than ever to organizations.

From our conversations with customers and partners, we know that business leaders are concerned about security and compliance risks. We also know that many security leaders still struggle to communicate security risks and, given the current climate, face challenges justifying investment when organizations are looking to cut cost and run more efficiently. Both sides are familiar and comfortable with uncertainty and with balancing their respective risks. Business leaders set out strategic directions they bet the success of the company on, by opening new markets, launching new product lines, or investing in new technologies where, despite good execution, external factors outside of their control may determine the outcome. Security leaders similarly chart out strategies and uplift programs they anticipate will best defend their organizations against unpredictable and ever-evolving threats. The remaining obstacle to action appears to be miscommunication and misalignment.

For effective communication and decisions on the appropriate response, we need to translate security risks into business terms, in ways that let them be related to and prioritized alongside enterprise risks and business priorities. At SAP, we have found that a quantitative security risk approach, based on the methodology of the FAIR Institute, is very helpful in providing that, as well as in holding the organization to account, driving change and effective progress through measurable accountability.

 

Risk Identification, Analysis and Response

Every risk analysis involves some combination of probability x impact. The problem is that calculating either is very difficult. Cybersecurity in general lacks good data, and organizations struggle even more to estimate the probability of a particular event occurring in their own landscape – especially if a new threat hasn’t happened yet. Impact is similarly difficult to estimate, as it depends in large part on the intent and actions of the adversary. This forces you to shoehorn more likely but lower-impact events together with low-probability but catastrophic potential outcomes.

The common “rainbow” risk matrix is a poor communicator for this. Even when category ranges are appropriately chosen and the position of the risk on the matrix is justified, it gives an inappropriately definite and reductive answer that allows risks to be both under- and overrated. It doesn’t tell the whole story and therefore is often not a useful device for convincing others – especially those outside cybersecurity, and business leaders – that investment or action is required.

Risk Identification and Analysis with a Quantitative Approach

To better express this larger story, we need an approach that expresses risk in financial terms. It also needs to allow for uncertainty in the world. And it should account for inputs that are sometimes educated guesses.

At SAP, during risk identification, we try to capture as many parameters as possible for which we can reasonably find information or make informed guesses, based on threat intelligence data and landscape scans, about the likelihood that the threat materializes in a given year. Subject matter experts (SMEs) provide the information, which can be expressed as a range – avoiding the conversation falling into “it depends” traps.

“Defenders have to be right all the time, attackers only once”, is a common theme in cybersecurity. The reality is that attackers usually require multiple steps to succeed before they reach any data and system with high business impact, giving defenders multiple opportunities to put obstacles in their way, or detect and contain them. Attackers can be extremely lucky, by obtaining credentials of exactly the right privileged administrator, but more likely they follow a longer path of initial access, persistence, privilege escalation and lateral movement. By allowing the domain experts to express a range of scenarios and consequences for these parameters, supported by data available, we get a far more nuanced understanding of the risk.

Core input for impact is based on direct financial loss if the risk materializes, to keep the financial calculation conservative and avoid exaggerating a risk. It’s always easier to present your case when you can say that other, less tangible downstream consequences are not included in the analysis, and the impact could be higher.

To make sense of the data ranges in the parameters, we use machine learning and run 50,000 Monte Carlo simulations to create a model for the risk scenario. This results in a dataset that is sorted by probability and impact and plotted on a graph. A curve is drawn through the data points, resulting in the Loss Exceedance Curve. This curve, and the analysis that led to it, is reviewed with the SMEs to validate whether they agree with and accept the results.

By following the curve from the top left to the bottom right, we can see what loss we can expect with what probability. In this example, the curve starts with a steep slope, indicating that in a certain percentage of cases where the risk manifests the impact is low. After that, the curve flattens out and ends with a long tail indicating rare but catastrophic cases. The way to read this is to find a probability along the vertical axis, for example 5%, then trace a horizontal line from that value until it intersects with the Loss Exceedance Curve. Follow a vertical line down from that intersection point to find the value along the horizontal axis; in this case there is a 5% chance to exceed $126.4M in loss (in any given year, from this scenario). An average and a 90th percentile financial impact are provided as easy-to-remember labels used in conversations, but always with the understanding of the curve behind them.

By updating the values of model parameters, we can express how planned remediations affect the financial risk by running the same Monte Carlo simulations to produce a Loss Exceedance Curve for the risk after remediations. That provides a projection of risk reduction for any investment or effort required. The model for the risk can also be rerun when new information emerges – internally or externally – that requires updating the parameters.

 

Loss Exceedance Curve as Communication Device

The Loss Exceedance Curve is very useful for security leaders to better understand their organization’s security risks, how proposed remediations reduce that risk, and what risk remains after any mitigations have been deployed and operationalized. This can be a sobering exercise if the investment to remediate is too close to the risk and the projected risk reduction, forcing you to reevaluate your approach. On the other hand, it can also provide strong justification for that investment if it is only a fraction of the risk and of the risk reduction it would deliver.

It also works well with business and executive leaders. The narrative can be entirely expressed in likelihood and impact in financial terms, while avoiding complexity. The conversation takes place without cybersecurity jargon, aside from terms business leaders are bound to be familiar with from business reports, such as ransomware attacks and social engineering. It allows business leaders to evaluate security risks better and decide what scenarios they want to protect against and whether they consider the needed effort or investment justified. At times, even a small probability of a catastrophic outcome can lead to a business decision to address a threat with a low average risk. In other cases, the same business leaders can be more comfortable accepting a reasonable residual risk at a higher probability. Meanwhile, there is no need to go into technical details and explain how such threats would materialize, which could derail the discussion, unless a business leader specifically requests it.

When business leaders challenge the impact parameters, the model can be adjusted with more accurate information and the simulations rerun. Since business leaders typically own risks – security or enterprise – it is just as important that they stand behind the inputs into the model as the security and compliance SMEs do. The balance between risk reduction and remediation cost along the curve further helps justify the investment of financial and human resources. If most of the risk can be addressed with a minor investment, this can set the upper limit of what is feasible. On the other hand, the long tail of the curve can justify a greater investment to limit the likelihood and impact of catastrophic events.

By allowing both sides to debate the risk through the Loss Exceedance Curve and follow its slope, the curve serves as an excellent communication device. It helps security and business leaders get on the same page and express complex scenarios in a way both can understand and relate to.

 

Investment Prioritization and Optimization

The quantification of security risks enables prioritization among them and shows where there may be overlaps in mitigation strategies. The remediation plan for one risk is likely to have a positive impact on other risks in a layered defense approach. For instance, stronger automated network controls are likely to have a positive impact on the reachability of known vulnerabilities, beyond their immediate intent to protect the network. Such remediations should be prioritized.

Other risks can prove not to have much business impact at all in relation to others. Security professionals and business leaders are prone to overreaction when certain threats hit the media – whether through security conferences or business press – and overvalue the importance of a threat. Risk quantification assists in prioritizing what is important and avoids chasing ghosts while greater immediate risks remain. This way, constrained budgets can be optimized for greater effectiveness in risk reduction.

 

Security Program Governance

The effects are even greater when the risk analysis and response tracking are tied to data that indicates progress along the remediation plan. For instance, the percentage compliance of the landscape with security policies, how well a team meets remediation target timelines for alerts from landscape scans, or how fast a team adopts a central service can be directly tied to model parameters. That way the model can be rerun with updated parameters as remediation plans progress, to show how much risk has been reduced for the effort and how well the organization is progressing on the planned timeline.

The Loss Exceedance Curve aids in target setting as well. It protects us against unrealistic expectations of targets that can’t be achieved or that require high effort to squeeze out a bit more risk reduction. At the same time, it prevents organizations from setting targets too low because they believe that is what the available resources can achieve. The Loss Exceedance Curve shows at what percentage of remediation of the threat the residual risk falls to an acceptable level. That level is the target to achieve.
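As an added illustration of the mechanics described in this post (ranged SME inputs, the Monte Carlo run, reading a loss off the Loss Exceedance Curve, rerunning the model after a remediation, and sweeping remediation coverage to find the target at which residual risk becomes acceptable), here is a small self-contained Python model. It is example code written for this page, not SAP’s risk model or FAIR Institute tooling. The triangular distributions for the ranges, the lognormal loss magnitude fitted from 10th/90th percentiles, the Poisson event count, the multiplicative multi-step attack path (initial access, privilege escalation, lateral movement, as in the text), the linear effect of remediation coverage on one step, and every scenario number are assumptions; the text’s own model is not disclosed beyond what the post says. Only the standard library is used.

```python
"""Constructed FAIR-style Monte Carlo loss model and Loss Exceedance Curve (illustration only)."""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    """SME inputs expressed as ranges, as the post describes (all values are constructed)."""
    tef: tuple        # threat events per year: (low, most_likely, high), triangular
    steps: tuple      # per attack step, P(step succeeds): (low, most_likely, high) each
    loss_p10: float   # 10th percentile of direct financial loss per event, $
    loss_p90: float   # 90th percentile of direct financial loss per event, $


def lognormal_params(p10, p90):
    """Translate a 10th/90th percentile loss range into lognormal (mu, sigma) (assumed fit)."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual event rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(scn, trials=50_000, seed=7):
    """One trial = one simulated year: draw the ranges, count loss events, sum their losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_p10, scn.loss_p90)
    losses = []
    for _ in range(trials):
        lo, ml, hi = scn.tef
        tef = rng.triangular(lo, hi, ml)          # random.triangular takes (low, high, mode)
        vuln = 1.0                                 # the attacker must succeed at every step
        for lo, ml, hi in scn.steps:
            vuln *= rng.triangular(lo, hi, ml)
        events = poisson(rng, tef * vuln)          # loss event frequency = TEF x vulnerability
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def loss_exceedance(losses, loss_value):
    """P(annual loss > loss_value): the vertical axis of the Loss Exceedance Curve."""
    return sum(1 for x in losses if x > loss_value) / len(losses)


def loss_at_exceedance(losses, probability):
    """Read the curve horizontally: the loss that is exceeded with the given probability."""
    s = sorted(losses)
    idx = min(len(s) - 1, int((1 - probability) * len(s)))
    return s[idx]


def summarize(losses):
    """The 'easy to remember' labels from the post: average and 90th-percentile annual loss."""
    return {"average": statistics.fmean(losses),
            "p90": loss_at_exceedance(losses, 0.10),
            "loss_at_5pct": loss_at_exceedance(losses, 0.05)}


def remediate(scn, step_index, coverage):
    """Model a remediation that removes a fraction `coverage` of one step's success chance,
    e.g. the share of the landscape now compliant with a policy (linear effect is assumed)."""
    steps = list(scn.steps)
    lo, ml, hi = steps[step_index]
    steps[step_index] = (lo * (1 - coverage), ml * (1 - coverage), hi * (1 - coverage))
    return Scenario(scn.tef, tuple(steps), scn.loss_p10, scn.loss_p90)


def remediation_target(scn, step_index, acceptable_loss, probability=0.05,
                       trials=10_000, seed=7):
    """Smallest coverage (in 10% steps) at which the loss exceeded with `probability`
    is at or below `acceptable_loss`; 100% fully closes the step, so the sweep ends there."""
    for pct in range(0, 101, 10):
        losses = simulate_annual_losses(remediate(scn, step_index, pct / 100), trials, seed)
        if loss_at_exceedance(losses, probability) <= acceptable_loss:
            return pct
    return None


# Constructed example scenario: a three-step intrusion path against one high-impact system.
BASE = Scenario(
    tef=(2.0, 6.0, 15.0),
    steps=((0.3, 0.5, 0.8), (0.2, 0.4, 0.7), (0.3, 0.6, 0.9)),
    loss_p10=500_000.0,
    loss_p90=40_000_000.0,
)

if __name__ == "__main__":
    before = simulate_annual_losses(BASE)
    after = simulate_annual_losses(remediate(BASE, 1, 0.6))  # 60% of hosts hardened for step 2
    for label, losses in (("before", before), ("after", after)):
        s = summarize(losses)
        print(f"{label}: average ${s['average']:,.0f}, p90 ${s['p90']:,.0f}, "
              f"5% chance to exceed ${s['loss_at_5pct']:,.0f}")
    print("coverage needed for the 5% exceedance loss to fall to $20M:",
          remediation_target(BASE, 1, 20_000_000.0), "%")
```

`loss_at_exceedance(losses, 0.05)` is the horizontal-then-vertical reading of the curve described above; `remediate` is where a progress metric such as policy compliance percentage would be plugged into a model parameter; and `remediation_target` is the sweep that finds the remediation percentage at which residual risk falls to an acceptable level. The 50,000-trial default matches the post; the scenario figures are made up and produce different numbers from the $126.4M example.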

 

Summary

The Loss Exceedance Curve helps express the uncertainty that we find in the world: ranges of values are used for inputs which means that variations in outputs need to be expressed. The Loss Exceedance Curve helps us do that, enabling better conversations among various stakeholders, including SMEs who live and breathe the cyber jargon, as well as the managers and business leaders who make decisions that govern and guide the organization.

This approach leads to truly risk-informed decisions and prioritization, rather than what feels good, what cyber textbooks tell us, what vendors sell, or what was exciting at the latest security conference.

 

More Information

For more information, please see: