The CIS Ransomware Business Impact Analysis tool estimates the likelihood of an attack, its financial impact and steps organizations can take to reduce risk.
A new tool from the Center for Internet Security (CIS) helps organizations determine the likelihood that they will face a ransomware attack in the next 12 months, the financial effect it would have and what steps they can take to be better prepared.
The Ransomware Business Impact Analysis tool has been available since May at no cost and is the result of a collaboration with Foresight Resilience Strategies, a consulting group. The tool integrates CIS Critical Security Controls Version 7.1 Implementation Group (IG) 1 Safeguards, which cover essential cyber hygiene, and the CIS Community Defense Model (CDM). That model found that IG1 Safeguards, which “should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks,” mitigate against the top four attack patterns in the 2019 Verizon Data Breach Investigations Report, including ransomware.
Organizations that have used a CIS-Hosted Controls Self Assessment Tool (CSAT) can also import their scores from it into the Ransomware Business Impact Analysis tool.
“Ransomware, obviously, has been a huge problem in recent years,” said Aaron Piper, senior cybersecurity engineer for controls at CIS. “State, local, tribal and territorial government has been hit especially hard, so that’s why we focused on ransomware with the initial version of the tool.”
To estimate the likelihood of an attack, the tool applies scores for ransomware-related controls based on CIS’ Critical Security Controls Version 7.1. The more of those controls an organization has in place, the better protected it will be.
To determine the potential impact, users must collect data in multiple loss categories – productivity, response, replacement, legal, competitive advantage and reputation costs – and about 20 subcategories and feed that into the tool. For instance, the data might cover the cost of replacing systems when ransomware hits and the productivity costs incurred when workers deal with breach fallout rather than the work they’re supposed to do.
“By breaking it down like that, the hope is that it really is going to take that complex problem into digestible pieces so the organization can better get a picture of where they’re at and how to improve,” Piper said. “I think that the discussion that this generates across the organization is beneficial in and of itself. It gets that conversation going, it gets the organization thinking about this problem and what it might mean for their organization.”
The tool uses a mathematical model and a Monte Carlo simulation with about 10,000 versions to analyze the data, Piper said.
Users get a report with charts and graphs in addition to text explaining the findings. “One of the useful graphs, I think, is the loss-exceedance graph,” he said. “That basically is going to plot out that the likelihood of a ransomware impact of X dollar amount is Y percent likely based on the data.”
Additionally, the report flags nine key safeguards and shows how scores could hypothetically improve if changes are made to them.
“If you increased your organization’s implementation of these safeguards, then it would reduce your risk from X to Y,” Piper said. “That really helps present the case to the organization’s leadership that likelihoods and impacts are at unacceptable levels.”
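The Monte Carlo and loss-exceedance idea described above can be sketched as follows. This is an added illustration, not the CIS tool's model or code: the likelihood values, the triangular distributions and the dollar ranges per loss category are all constructed assumptions.

```python
import random

# Constructed inputs (not CIS data): (min, most likely, max) loss in USD for
# the six loss categories the article names.
LOSS_RANGES = {
    "productivity": (20_000, 80_000, 400_000),
    "response": (10_000, 50_000, 250_000),
    "replacement": (5_000, 40_000, 300_000),
    "legal": (0, 15_000, 200_000),
    "competitive_advantage": (0, 10_000, 150_000),
    "reputation": (0, 25_000, 500_000),
}

def simulate_annual_losses(likelihood, loss_ranges, runs=10_000, seed=1):
    """Return one simulated 12-month loss per run (0.0 when no attack occurs)."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    losses = []
    for _ in range(runs):
        if rng.random() >= likelihood:
            losses.append(0.0)  # no ransomware incident in this simulated year
            continue
        # Attack year: draw each category from an assumed triangular distribution.
        losses.append(sum(rng.triangular(lo, hi, mode)
                          for lo, mode, hi in loss_ranges.values()))
    return losses

def loss_exceedance(losses, thresholds):
    """Map each dollar threshold X to the fraction of runs whose loss exceeds X."""
    n = len(losses)
    return {x: sum(1 for loss in losses if loss > x) / n for x in thresholds}

def compare_scenarios(current, improved, thresholds, loss_ranges=LOSS_RANGES):
    """Exceedance curves for the current and a hypothetically improved likelihood."""
    return {
        name: loss_exceedance(simulate_annual_losses(p, loss_ranges), thresholds)
        for name, p in (("current", current), ("improved", improved))
    }

if __name__ == "__main__":
    thresholds = [0, 250_000, 500_000, 1_000_000]
    # 0.30 and 0.10 are assumed attack likelihoods before and after improvement.
    for name, curve in compare_scenarios(0.30, 0.10, thresholds).items():
        for x, p in curve.items():
            print(f"{name:8s} P(loss > ${x:>9,}) = {p:.1%}")
```

Each printed line is one point on a loss-exceedance curve: the share of simulated years in which total loss exceeded the given dollar amount.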
Although it’s too soon to have much feedback on the tool’s usefulness, Piper views it as a step above a minimum viable product – something that, if shown to be helpful, can be built on. “One of the logical improvements down the road might be incorporating CIS Controls Version 8,” he said. Version 8 came out in May 2021; Version 7.1 came out about two years earlier.
“Sign up, take a look at it and see if it meets your needs, and definitely let us know what we can do to improve it,” Piper said.
Stephanie Kanowitz is a freelance writer based in northern Virginia.