In Minnesota, IT leaders are revolutionizing their approach by quantifying cyber risk in financial terms, enabling more informed decision-making across state agencies.
Instead of relying on subjective terms like “high-risk” or “medium-risk,” Minnesota IT Services (MNIT) now will communicate with agency leaders using concrete figures, such as “million-dollar risk,” to quantify the impact of different technology investments and budget cuts.
This transformation is part of the state’s implementation of a cyber risk quantification (CRQ) tool, RiskLens, which aims to better protect Minnesotans’ personal data and keep essential public services up and running.
RiskLens uses an algorithm to evaluate cybersecurity risks, assigning a dollar amount to the potential financial impact of cyber threats. The tool uses the Factor Analysis of Information Risk (FAIR) model to translate cybersecurity investments into business and financial language, enhancing data-driven security decisions.
“It’s a better conversation to have with numbers, versus saying it’s ‘high risk’ or it’s a ‘medium risk.’ That’s too subjective,” said Chris Luhman, the information security director at MNIT. “With FAIR, we have that quantitative, and we’re talking about the probability and likelihood of something happening with real numbers.”
FROM SUBJECTIVITY TO DATA-DRIVEN DECISIONS
To launch the CRQ tool, the state initiated a one-year trial with 20 of its approximately 90 executive-level agencies, prioritizing those with greater cybersecurity risk and larger IT staff. The goal was to shift from subjective risk assessments to data-driven decision-making.
The strategy was in part to empower non-experts to understand the financial impact of cybersecurity decisions. By using “what-if” scenarios, agency leaders could clearly see how different safeguards and system upgrades would affect their bottom line, making it easier to justify investments and prioritize resources.
Regular feedback sessions during the trial revealed that improvements in data collection and quality were crucial before a new cybersecurity language could be fully implemented. This involved training staff, standardizing data entry protocols and creating centralized data repositories.
Luhman explained that tackling the problem meant focusing on streamlining data definitions and the type of risk each agency carried due to the data they held, and enhancing metadata to allow for ease of sorting and better understanding about the kinds of regulations that applied to certain data, such as personally identifiable information.
An enterprise application portfolio management tool was used to make data consistent across agencies by adding data categorization, data types and the number of users who had access to that data.
WHAT WERE THE TRIAL RESULTS?
The initial one-year trial, with an investment of approximately $250,000, earned what MNIT described as “overwhelmingly positive feedback” from participating agencies. The CRQ tool proved to be a valuable asset in demonstrating the return on security investment.
“The business areas really liked it because they can start to understand if it’s a half-million-dollar risk, or a million-dollar risk, versus the IT security person showing up and saying, ‘It’s a moderate risk, or it’s high risk,’” said Luhman. “As humans, we don’t all have the same definition of risk — what’s high risk to me may not be high risk to you. [We’re] getting something else that we can agree on, getting something that’s more quantitative and [getting] some numbers in there.”
One success story Luhman pointed out was that an agency was able to use CRQ to help justify why implementing a web application firewall could bring overall risk down, using dollars and cents language.
“They could say, ‘Oh that was a good investment, we’re glad we did that,’” he said.
He also mentioned how CRQ helped another agency quantify the risk reduction achieved by implementing multifactor authentication, cutting the risk of compromised accounts in half.
“That’s powerful stuff,” he said.
THE FUTURE OF CRQ IN MINNESOTA
As the CRQ rolls out to the remaining state agencies, state employees will now conduct the assessments, taking over from the vendor who managed the initial trial.
Luhman acknowledges that CRQ assessments can be labor-intensive. The long-term goal is to automate aspects of the process, though he anticipates this will take a couple more years.
The state aims to track the data collected from CRQ assessments and ultimately see a decline in the overall cyber risk quantified in financial terms.
“Can we show that trendline? That would be one thing I’m paying attention to and want to measure,” said Luhman. “Another is, ‘Are we making sound investments?’ When we go to the Legislature, we go to our partner agencies and show them, ‘Hey, you have this situation? Here’s the data. Here’s the outstanding risk, here are some solutions that may resolve that.’”
