
An X-Analytics Overview

Updated: Feb 28, 2024

In this support page you will gain an overview of X-Analytics results and how to understand and use them effectively.

In additional support pages we will drill down into different areas of data more granularly and discuss intent and use more specifically.

The Report Center gives ready-to-use analytics and loss estimates, but what do they mean?

First, users will have to navigate to the Report Center by using the toolbar on the left side of the page. Once clicked, it will automatically bring the user to the Cyber Risk Summary tab.


Cyber Risk Summary




Inside the Cyber Risk Summary, the first thing that stands out is the profile’s unaddressed cyber exposure. The unaddressed cyber exposure is a calculated estimated value within a range of possible exposures, informed by historical losses within an industry peer group and key business variables. It is then broken down into four loss categories: Data Breach, Interruption, Ransomware, and Misappropriation. For definitions of the loss categories, please see here.



To put unaddressed cyber exposure into perspective, on the right side of the dashboard is the loss ratio of the profile. Loss ratio is the unaddressed cyber exposure divided by the profile’s revenue, which creates a benchmark in understanding what cyber risk means to the organization. Cyber risk can then be deemed as low, medium, or high risk based on where loss ratio falls under the organization’s risk appetite. These thresholds can be set inside the profile center.


Feature: You can download or print a report of Cyber Risk Summary by clicking on the "Download PDF Report" icon at the top right of the dashboard.




Feature: You can take a note to give internal context to the dashboard results or communicate with others reviewing the data by clicking the "Notes" icon at the top right of the page. This feature exists throughout the X-Analytics dashboards wherever you see the below icon.






Trending and Risk Scenarios


Unaddressed cyber exposure is also tracked on a monthly basis, and a snapshot of current exposure is taken at the end of every month.



To the bottom left of the dashboard are the top 5 risk scenarios that lead to financial loss. There are over 110 risk scenarios that look at each threat category for different assets in the organization; this quick snippet shows the 5 that have the highest risk. (To see all 110 risk scenarios, please go to the ‘Cyber Risk Details’ tab inside the Report Center.)




On the bottom right are the top 5 control areas to reduce financial exposure. These are CIS CSC controls; to see the full list, please go to the ‘Control Framework’ tab inside the Report Center. Within the Control Framework dashboard you will be able to toggle between applicable frameworks to view ROI and prioritization.




Control Frameworks


X-Analytics currently covers three different control frameworks: NIST CSF, CIS CSC, and our own Foundational Controls. After inputting any of the three frameworks into the profile center, there will be an assessment of the control data inside the ‘Control Framework’ tab.


The dashboard shows the organization’s current NIST CSF alignment, their unaddressed cyber exposure and their current NIST CSF tier at the top.



The bottom left shows each NIST category and their respective implementation value to 100%, along with their max loss improvement. The max loss improvement is the total potential reduction in cyber exposure if a control category reaches full implementation.


For example: if Access Control (PR.AC) were to reach 100% implementation, unaddressed cyber exposure would be reduced by $6 million.





Similar to the NIST CSF category breakdown, X-Analytics also shows implementation value and max loss improvements for NIST CSF functions.






Special Note: If multiple frameworks are inputted into the profile and there is overlap between frameworks, X-Analytics will use the best score provided in calculating cyber exposure. The Control Framework tab will show the implementation values that were provided for that framework; however, the max loss improvement will consider control scores from the other frameworks that were answered.


Feature: You can download or print a report of Cyber Risk Summary by clicking on the "Download PDF Report" icon at the top right of the dashboard.






Mitigation Simulator


The mitigation simulator is a tool inside the X-Analytics platform that allows the forecasting of different control implementation states and their effect on cyber exposure. There is also an option to enter an estimated cost of mitigation, and the simulator will return an ROI based on the new implementation state.



In the above example, four different NIST CSF categories were selected and given improved what-if implementation states. If those implementation values were achieved, cyber exposure would decrease by $1.3m (What-if Benefit). The estimated cost was $500k, leaving a positive return on investment with a ratio of 152.5%.


This is the perfect tool for CISOs to plan current and future projects and make effective decisions in addressing cyber risk.




Risk Transfer Analyzer


The Risk Transfer Analyzer allows users to get a deeper grasp of the organization’s cyber policy and see its effectiveness across loss categories and their different severities.



In the above Risk Transfer Financial Simulator, users can select a loss category and the severity of the event. The simulator will then show the total estimated impact of the event, the estimated amount covered by insurance, and the revised impact. It also shows the probability of this event happening.




Furthermore, X-Analytics will show the breakdown of cyber exposure adjusted after insurance for all loss categories. The ‘Estimated Difference’ is the benefit being received from cyber insurance along with the percentage of exposure that is being transferred.





By tabbing over to the right, users can enter the Risk Transfer Simulator. This is a tool that provides a lot of value to organizations in the insurance renewal period. Users will have their current policy on the left and can enter a simulated value for a potential new policy on the right, creating a comparison between the two.




As seen to the right, the two policies have different effects on cyber exposure. The Est. Total Cost of Cyber Risk adds together the organization’s cyber security budget, cyber exposure and insurance premium, then subtracts the insurance benefit to create an estimated total cost of cyber risk. In the above example, it can be seen that the new simulated policy has a lower estimated cost of cyber risk, proving to be a more beneficial policy to the organization.




Cyber Impact Estimator


Inside the toolbox of X-Analytics, there is the Cyber Impact Estimator, which measures the financial impact of specific events for each loss category.



There is a drop-down box in each category to select the severity of each event. Once the severity is selected, it shows the financial impact of the event as a range, along with the probability of that event happening. The range is based on the loss curve, where different points are selected and snapshotted: Low (10th percentile), Median (50th percentile), High (90th percentile), and Worst-case (97th percentile).



By clicking through the tabs at the top, users can select a loss category and see a graphic representation of different events, their probabilities, and both their insured and uninsured impacts.
