Risk Quantification Updates v9


May 5th, 2025

Introduction

This article provides a comprehensive overview of the enhancements made to the Cyber Risk Quantification (Safe Scoring v9) capabilities within the SAFE platform. These updates focus on improving accuracy, granularity, and relevance in risk assessments, enabling organizations to better understand and manage their cyber risk posture.

Key Highlights of Quantification Updates

1. New Risk Domain: Gen AI Risk

  • A new risk domain, Gen AI Risk, has been introduced to address the emerging risks associated with Generative AI technologies.

  • This domain includes support for loss quantification, new attack outcomes such as Data Corruption, and initial attack methods like LLM Prompt Injection and Training Data Poisoning.

  • AI-specific CAM controls and a NIST AI RMF questionnaire have also been added.

2. Updates to Risk Scenarios

  • Threat Actor Consolidation: The APT threat actor has been merged with Nation State to simplify classification, as APT is considered a subset of Nation State activities. Existing APT scenarios will be migrated to Nation State.

  • New Attack Outcome:

    • Data Corruption has been added, particularly relevant to Gen AI risks, to model scenarios where data integrity is compromised.

    • Data Leakage has been added as an outcome distinct from Data Exfiltration in insider scenarios; it models accidental exposure of data by insiders.

  • New Initial Attack Method: Physical Access has been introduced as a new initial attack method, and Privilege Abuse has been added for insider risk scenarios.

  • Out-of-the-Box Risks and Aggregation: The DDoS scenario has been removed from the default aggregation and replaced with System Outage, reflecting feedback on current risk priorities.

3. Control Updates - FAIR CAM

  • Cloud and Application Attack Surface Mapping: Improvements to cloud and application attack surface mapping, particularly for DDoS and WAF controls in cloud-only groups, ensure more accurate control scoping and scenario relevance.

  • Initial Attack Method (IAM) Mapping: The mapping of controls to initial attack methods has been updated for controls such as network segmentation, acceptable usage policies, and background verification, so that each control is represented accurately against the attack vectors it addresses.

  • FAIR Alignment: Control function mappings have been synchronized with the FAIR CAM library to maintain alignment and consistency with industry standards.

4. Loss Updates - FAIR MAM

  • Loss Event Detection Control: Loss event detection controls now directly contribute to FAIR MAM, improving the modeling of detection capabilities.

  • DDoS Prevention: DDoS Prevention has been added as an impact control, enhancing the representation of mitigation measures.

  • AI-Based Impact Controls: New AI-based impact controls have been introduced to address the unique challenges of AI risks.

  • Loss Driver Benchmark Updates: Benchmarks for loss drivers have been updated to reflect current industry trends and data. Updates and refinements to loss categories and drivers provide more accurate loss estimation.

  • Annualized Loss based on LEF: Annualized Loss will now be calculated based on Loss Event Frequency (LEF) instead of just Likelihood, providing a more accurate representation of potential losses.

  • Nested Financial Impact Questionnaire: A nested version of the Financial Impact Questionnaire (FIQ) has been introduced, streamlining the process by only requiring users to answer relevant questions.
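The LEF-based annualized loss change above, as an added illustration that is not SAFE's own implementation: it computes FAIR-style annualized loss as LEF times loss magnitude, contrasts it with a likelihood-only figure, and checks the closed form against a small Monte Carlo run. It assumes Poisson event arrivals and a triangular per-event loss magnitude, treats "likelihood" as the probability of at least one loss event in a year, and uses constructed scenario numbers.

```python
# Added example (not SAFE platform code): contrasts an annualized loss driven by
# Loss Event Frequency (FAIR's ALE = LEF x loss magnitude) with a likelihood-only
# figure (probability of at least one event in a year x loss magnitude).
# Assumptions for this example: loss events arrive as a Poisson process with
# rate LEF, and per-event loss magnitude follows a triangular distribution.
import math
import random

def likelihood_from_lef(lef: float) -> float:
    """Annual likelihood: probability of at least one loss event in a year."""
    return 1.0 - math.exp(-lef)

def annualized_loss_lef(lef: float, loss_magnitude: float) -> float:
    """LEF-based annualized loss: expected events per year x expected loss per event."""
    return lef * loss_magnitude

def annualized_loss_likelihood(lef: float, loss_magnitude: float) -> float:
    """Likelihood-based annualized loss; saturates because likelihood never exceeds 1."""
    return likelihood_from_lef(lef) * loss_magnitude

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for drawing a Poisson-distributed event count."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_loss(lef: float, lm_min: float, lm_mode: float, lm_max: float,
                         years: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of mean annual loss: sum triangular per-event losses
    over a Poisson number of events in each simulated year, then average."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        for _ in range(_poisson(rng, lef)):
            total += rng.triangular(lm_min, lm_max, lm_mode)
    return total / years

if __name__ == "__main__":
    # Constructed scenario: USD 100k per event; low- and high-frequency cases.
    for lef in (0.1, 2.0):
        print(f"LEF={lef}: LEF-based={annualized_loss_lef(lef, 100_000):,.0f} "
              f"likelihood-based={annualized_loss_likelihood(lef, 100_000):,.0f}")
    print(f"Monte Carlo (LEF=2): {simulate_annual_loss(2.0, 50_000, 100_000, 300_000):,.0f}")
```

At LEF=0.1 the two figures nearly agree, but at LEF=2 the likelihood-only figure understates expected annual loss by more than half, which is the gap the LEF-based calculation closes.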

5. High Impact Findings

  • The threshold for High Impact Findings has been changed to a finding score of 9.75 or higher.

  • These findings will now have an increased effect on likelihood estimation, emphasizing their critical nature.

  • Threat Intel-Informed (TI-IF) Findings have been introduced and will carry greater weight in likelihood estimations. These findings are periodically identified and released by the SAFE Threat Intelligence Team.

Impact of changes

  • Scenario Creation: Users will now have more granular options for creating scenarios related to Gen AI risks and insider threats.

  • Risk Assessment: The changes will lead to more accurate and detailed risk assessments, reflecting the evolving threat landscape and the specific risks associated with AI technologies.

  • Control Scoping: Controls will be more accurately scoped to scenarios, ensuring that relevant controls are considered in risk assessments.

  • Risk Aggregation: The change from DDoS to System Outage in default aggregation will impact aggregate risk scores.

  • Financial Impact: The updated FIQ and loss drivers will provide more precise financial impact estimations.

  • Likelihood Estimation: The increased effect of High Impact Findings will significantly impact likelihood estimation.

  • Annualized Loss: Calculation based on LEF will provide a more realistic view of potential financial losses.

How to see the changes?

  • Scenario Details: Review existing scenarios to observe changes in controls and risk scores.

  • See What Change: Use the "See What Change" feature with a specific start date to view changes in control assessments and risk estimations.

  • Control Center: Check the Control Center to see the updated control function mappings and the new AI-specific controls.

  • Group Creation: When creating a new group, explore the "AI System" attack surface option.

  • Questionnaires: Review the updated NIST AI RMF questionnaire and the nested FIQ.