Inside Cybersecurity

July 19, 2024

Center for Internet Security offers tools for assessing ransomware impact on businesses

By Charlie Mitchell / June 15, 2022

A new tool from the Center for Internet Security aims to help businesses calculate the potential risks and costs of ransomware attacks, which in turn would assist executives and corporate boards in making decisions on cybersecurity investments.

“The CIS CSAT Ransomware Business Impact Analysis tool helps organizations better understand how likely a ransomware attack might be for their organization, and how impactful it might be if the organization were to suffer a ransomware attack,” CIS said in a Tuesday blog post.

“The reporting from the tool can be used to enhance the discussion on ransomware risk at an enterprise level, ultimately enabling organizations to better invest in protection against these attacks,” according to CIS.

The center is a nonprofit focused on assisting “under-served and under-resourced” entities, and home to the CIS Controls and CIS Benchmarks.

“It's no secret that the increase in ransomware attacks poses a critical threat to business operations. These threats are also making it increasingly difficult for businesses to find adequate and affordable cyber insurance coverage. As a result, enterprise leaders around the world have tasked information security leaders with connecting cyber risk to business risk and quantifying the impact,” CIS said.

The group explained that CIS “and Foresight Resilience Strategies (4RS) – a consulting group known for building tools that quantify information risk in financial terms – have worked together to solve this issue. This collaboration has resulted in the CIS Controls Self Assessment Tool (CIS CSAT) Ransomware Business Impact Analysis tool. The tool helps organizations of all sizes conduct a rapid and inexpensive cyber risk self-assessment and present those findings in language that speaks to business executives.”

According to CIS, the tool will help users “characterize and forecast the business impact of a ransomware incident should one occur; estimate the likelihood of a loss event in the coming 12 months based on their implementation of the Controls; calculate the financial risk of an incident based on measures of impact and likelihood; make risk-informed decisions about their information security; better engage non-technical stakeholders in cyber risk management efforts; [and] prioritize efforts and effectively allocate resources.”

CIS said the tool is for cyber professionals, “financial and operational business leads,” board members and stakeholders “at all management levels.”

Along similar lines, NIST this week released a draft report discussing ways to use business impact analyses to establish priorities in addressing cybersecurity risks. – Charlie Mitchell (