Release Notes - Aug 2023

New Features and Enhancements   (SAFE Version 3.2.59) 

Release Date:  August 2023

1.  NIST CSF Questionnaire in SAFE

We are excited to present a new feature, the NIST CSF Questionnaire, that streamlines risk assessment in SAFE. This feature enables you to upload your existing NIST CSF Assessment results in SAFE so that the risk scenarios in SAFE account for it in the Breach Likelihood quantification.

Key Highlights:

• Incorporating NIST CSF v1.1: Our latest update integrates NIST CSF version 1.1, ensuring that your risk assessment aligns with the latest industry standards.
• Enhanced Insights and Breach Likelihood: By submitting your current NIST CSF assessment to SAFE, you will have the Prioritized Actionable Insights and Breach Likelihood based on your input.
• Multiple Assessment Paths: You now have three distinct methods to assess the NIST CSF Questionnaire within SAFE:
  • Assess questions on the SAFE UI: On the NIST CSF page, choose an appropriate option from the dropdown list in the "Control Option" column corresponding to each question. The system auto-saves your answers.
  • Upload the NISF CSF Questionnaire in CSV: Clicking the Upload button available on the NIST CSF page, you can download the Template in CSV or Excel format. Refer to the Assessment Instructions and Upload Instructions, and choose an appropriate answer in the "Option" column corresponding to each question before uploading it into SAFE. 
  • Upload the NISF CSF Questionnaires using SAFE APIs: SAFE offers REST APIs to upload the NISF CSF Questionnaires assessment data in SAFE. Refer to SAFE APIs.

2. Introducing the Financial Impact Questionnaire in SAFE

We are introducing the Financial Impact Questionnaire in SAFE, a comprehensive set of 25 questions derived from various control groups, including regulations, PII records, revenue, biometrics, and impact control. To ensure easy access and efficient assessment, we have added the Financial Impact Questionnaire to the Questionnaire Profile page, which allows you to review and respond conveniently. Just follow the Assessment Instructions we provide to make using it even easier.

3. Interactive Cost Model (ICMv2) 

We are excited to announce the release of the improved version of ICM, which brings significant enhancements to our interactive cost modeling tool for cyber risk scenarios. This version empowers organizations to gain deeper insights into potential financial impacts from breaches and customize risk analysis. Here are the key highlights and improvements.

Highlights

• Redesigned with MECE Principle: ICM has been restructured using the Mutually Exclusive and Comprehensively Exhaustive (MECE) principle, enhancing clarity and avoiding repetition in attack cost calculations.
• Hierarchical Model Framework: The model's framework hierarchy has been redefined, it now has better alignment to cyber insurance coverage categories.
• Enhanced Financial Impact Questionnaire: A new questionnaire with 20+ questions has been introduced to generate EFI values with varying levels of confidence.
• Geographical Accuracy: Improved geographical accuracy through new logic and targeted questions in the Financial Impact Questionnaire. Geographical specificity can now be achieved by tuning cost-per-hour benchmark driver values.
• Simplified Class Action Lawsuit Logic: The logic for building "class action record-holder lawsuit" claims has been simplified, making it easier to identify applicable record-holders and associated costs.
• Streamlined PII Record Holders Calculation: The calculation of compromised PII record-holders has been simplified to two categories - Sensitive PII and PCI, accommodating different cyber risk scenarios.
• Added Tunable Cost Drivers: Each impact control now features tunable cost drivers in relevant cost categories, enhancing customization and accuracy.
• New Categories and Subcategories: Introduced Customer Notification category with subcategories, PCI-DSS Liability category, biometric class action settlement category, and more, providing a comprehensive analysis.
• Enhanced Legal Cost Calculation: Refined forensic and legal cost calculation with multiple drivers, benchmark values, and categorizations for improved accuracy.
• Flexible Third-Party Liability Viewing: Ability to view class action litigation and "Claims Expenses - Attorneys' Fees + Discovery" before or after likelihood, enhancing third-party liability cost analysis. 

4. New SAFE Scoring v6

We are excited to announce the latest update to our scoring system, aimed at enhancing accuracy and relevance in assessing security controls. This release brings significant changes aligned with industry standards and risk profiles of organizations. 

Here's what's new:

• Prioritization Enhancements: We have refined our prioritization process for vulnerabilities. While we previously relied on CVSS scores and applicable MITRE ATT&CK techniques, we have now introduced an additional factor, Highly Exploitable Vulnerabilities. This new factor is a reflection of CVEs reported as CISA Known Exploited Vulnerabilities, further enhancing vulnerability assessment.
  (Impacts the SAFE Score)
• Evolved Vulnerability Scoring: In the past, the impact of vulnerabilities was disproportionately negative, with a single vulnerable asset affecting the overall score. With this update, we have introduced a more nuanced approach. The impact on breach likelihood is now scaled based on the total number of assets associated with the risk scenario.
  (Positive impact on the SAFE Score)
• Enhanced Outside-In and Third-Party Scoring: Our scoring methodology for Outside-In and Third-Party assessments has been revamped to align with MITRE ATT&CK principles. Additionally, we have fine-tuned the severity assessment of Outside-In controls based on the latest risk trends. A comprehensive total of 37 Techniques are now mapped to outside-in controls.
  (Impacts the SAFE Score)
• Industry Benchmark Calibration: We have updated our industry benchmark calculations based on rigorous empirical research. This includes the analysis of the Veris - DBIR database, cybersecurity research reports, and insights from cyber insurer claim reports. The updated benchmarks reflect the improved threat landscape up to December 2022.
  (Positive impact on the SAFE Score)
• Breach Likelihood Scaling: Our approach to breach likelihood scaling has evolved. Previously, the scoring exhibited a rapid decrease with control failures and slow improvement upon control fixes. Now, we have adopted a more balanced risk management approach. Companies with exemplary security controls tend towards the 90th industry percentile, while those with weaker controls tend towards the 10th percentile.
  (Positive impact on the SAFE Score)
• Refined Handling of 'Not Assessed' and 'Accepted Failed' Controls: Controls marked as 'Not Assessed' are no longer considered for scoring, eliminating any associated penalties. For controls designated as 'Accepted Failed,' a reward of 75% is now issued, reflecting the acknowledgment of residual risk.
  (Positive impact if you have many ‘Not assessed’ controls and Negative impact if you have many ‘Accepted Failed’ controls)