Our framework for modeling cyber risk
P-RMOD4Cyber is built on probability theory, the same class of methods used in epidemiology, finance and nuclear safety analysis. It is fully compliant with Factor Analysis of Information Risk (FAIR) and with other frameworks including NIST, ISACA and ISO.
We have simplified the process into easy-to-understand, easy-to-use models in an Excel workbook. Each model can be used on its own to answer a single question, or in combination with others for more advanced analysis. The workbook includes several advanced models for table-top exercises, attack analysis, compliance analysis, scenario planning, strategic forecasting and impact analysis. Each model runs 1,000 simulation trials, instantly.
Vulnerability Tracking: This model is a P-RMOD4Cyber component, and is really more of a tool than a model. Its purpose is to help you identify the vulnerabilities in your network that attackers are most likely to exploit. It does this by applying custom tags to your vulnerability data, and it prepares the tagged data and charts for reports or presentations so that you can prioritize remediation and measurably reduce your attack surface. In our opinion, no vulnerability management program should be without a tool like this: even if you have an enterprise scanning tool, you will not get this level of analysis from it unless you have customized it extensively.
Attack Analysis: This model is a P-RMOD4Cyber component. It views risk from the perspective of the attack process and lets you evaluate and estimate your risk at each stage. It is simple to use yet powerful, and can be combined with other attack models, including MITRE ATT&CK.
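As an added illustration of what tagging vulnerability data for remediation priority looks like (example code written for this page, not the Vulnerability Tracking tool's own logic): the scanner export, the tag rules, the SLA table and the weights below are all constructed assumptions. The point it shows is that a base severity score alone would rank an unexposed lab host above an overdue, internet-reachable finding with a public exploit, and tags fix that ordering.

```python
"""Tag scanner findings and rank them for remediation.

Added illustration; the export, tag rules, SLA table and weights are
constructed assumptions, not P-RMOD4Cyber's own tagging scheme.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed scanner export. Real exports carry many more columns.
SCAN_EXPORT = """\
finding_id,host,cvss,exploit_available,internet_facing,asset_tier,days_open
VULN-1,web-01,9.8,yes,yes,1,45
VULN-2,db-01,7.5,no,no,1,10
VULN-3,kiosk-03,6.1,yes,no,3,120
VULN-4,web-02,5.3,no,yes,2,5
VULN-5,dev-07,9.1,no,no,3,2
"""

# Hypothetical tag weights; tune them against your own incident history.
TAG_WEIGHTS: Dict[str, float] = {
    "exploit-available": 4.0,
    "internet-facing": 3.0,
    "crown-jewel": 3.0,
    "sla-breach": 1.5,
}
# Hypothetical remediation SLA in days, keyed by asset tier (1 = most critical).
SLA_DAYS: Dict[int, int] = {1: 30, 2: 60, 3: 90}


def tag_finding(row: Dict[str, str]) -> List[str]:
    """Derive tags from the raw export columns; order matches TAG_WEIGHTS."""
    tags: List[str] = []
    if row["exploit_available"].strip().lower() == "yes":
        tags.append("exploit-available")
    if row["internet_facing"].strip().lower() == "yes":
        tags.append("internet-facing")
    tier = int(row["asset_tier"])
    if tier == 1:
        tags.append("crown-jewel")
    if int(row["days_open"]) > SLA_DAYS[tier]:
        tags.append("sla-breach")
    return tags


def priority_score(row: Dict[str, str], tags: List[str]) -> float:
    """Base severity plus the weight of every tag that applies."""
    return float(row["cvss"]) + sum(TAG_WEIGHTS[t] for t in tags)


def rank_findings(export_text: str) -> List[Dict[str, object]]:
    """Parse the export, tag each row and return rows sorted by descending score."""
    ranked: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        tags = tag_finding(row)
        ranked.append({
            "finding_id": row["finding_id"],
            "host": row["host"],
            "cvss": float(row["cvss"]),
            "tags": tags,
            "score": priority_score(row, tags),
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def tag_counts(ranked: List[Dict[str, object]]) -> Counter:
    """Findings per tag: the aggregate a report chart is built from."""
    return Counter(t for r in ranked for t in r["tags"])


if __name__ == "__main__":
    results = rank_findings(SCAN_EXPORT)
    for r in results:
        print(f'{r["finding_id"]:8} {r["host"]:10} cvss={r["cvss"]:4} '
              f'score={r["score"]:5.1f} tags={",".join(r["tags"])}')
    print(dict(tag_counts(results)))
```

With these constructed rows, VULN-5 (CVSS 9.1, no exposure, not overdue) drops to fourth place while VULN-3 (CVSS 6.1, public exploit, 30 days past its SLA) moves to second; the tag counts give the per-category totals a remediation status chart needs.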
Modeling Organizational Risk: This model is a P-RMOD4Cyber component. It is designed for any organization to analyze any type of organizational risk. The model is pre-populated for use in assessing Supply Chain Risk, but it is very easy to edit so that any organizational risk can be evaluated.
Modeling Risk With Table-Top Exercises: These models are P-RMOD4Cyber components. They are simple, flexible and powerful, and can be applied to any risk you want to model, considering up to 5 factors. They help you move from qualitative to quantitative methods by replacing labels such as Very High with quantitative values. Use them alongside any table-top exercise that reviews processes or events.
Industry Attack Model: This model is a P-RMOD4Cyber component. It makes it easy to quantify the risk of any current or top-ranked industry attack, and it takes a holistic view: policies, procedures, controls and weaknesses all contribute to your risk score. The results make it easy to develop a follow-on improvement plan.
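To make concrete what "1,000 simulation trials" means and how a label such as Very High becomes a number, here is an added Python example of a FAIR-style Monte Carlo loss model; it is not P-RMOD4Cyber code and does not reproduce the workbook's formulas. It assumes PERT (min, most likely, max) distributions for loss event frequency and loss magnitude, Poisson event counts within a year, and the calibration tables and dollar ranges shown, which are constructed for illustration.

```python
"""FAIR-style Monte Carlo loss model using only the Python standard library.

Added illustration, not P-RMOD4Cyber code. The label-to-range calibration
tables and the dollar figures below are constructed assumptions.
"""
import math
import random
from typing import Dict, List, Tuple

# Constructed calibration tables: qualitative label -> (min, most likely, max).
# Frequency is loss events per year; magnitude is dollars lost per event.
FREQUENCY_LABELS: Dict[str, Tuple[float, float, float]] = {
    "Very Low": (0.01, 0.05, 0.1),
    "Low": (0.1, 0.3, 1.0),
    "Moderate": (1.0, 2.0, 5.0),
    "High": (5.0, 10.0, 20.0),
    "Very High": (20.0, 40.0, 100.0),
}
MAGNITUDE_LABELS: Dict[str, Tuple[float, float, float]] = {
    "Very Low": (1_000, 5_000, 20_000),
    "Low": (20_000, 50_000, 150_000),
    "Moderate": (150_000, 400_000, 1_000_000),
    "High": (1_000_000, 2_500_000, 8_000_000),
    "Very High": (8_000_000, 20_000_000, 60_000_000),
}


def pert_shape(lo: float, mode: float, hi: float, lam: float = 4.0) -> Tuple[float, float]:
    """Beta shape parameters of a PERT distribution over [lo, hi] peaking at mode."""
    if not (lo <= mode <= hi) or hi <= lo:
        raise ValueError("need lo <= mode <= hi and lo < hi")
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return alpha, beta


def pert_sample(rng: random.Random, lo: float, mode: float, hi: float) -> float:
    """One draw from the PERT distribution, rescaled from a unit beta draw."""
    alpha, beta = pert_shape(lo, mode, hi)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for these rates)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(frequency: str, magnitude: str,
                         trials: int = 1000, seed: int = 7) -> List[float]:
    """Annual loss per trial: frequency draw -> event count -> summed magnitudes."""
    rng = random.Random(seed)  # fixed seed so a reported figure can be reproduced
    f_lo, f_mode, f_hi = FREQUENCY_LABELS[frequency]
    m_lo, m_mode, m_hi = MAGNITUDE_LABELS[magnitude]
    losses: List[float] = []
    for _ in range(trials):
        rate = pert_sample(rng, f_lo, f_mode, f_hi)
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, m_lo, m_mode, m_hi) for _ in range(events)))
    return losses


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def summarize(losses: List[float]) -> Dict[str, float]:
    """The figures a risk register wants: expected loss, tail percentiles, chance of no loss."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": max(losses),
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    annual = simulate_annual_loss("Low", "High")
    for name, value in summarize(annual).items():
        print(f"{name:>10}: {value:,.2f}")
```

The mean is the annualized loss expectancy; the p90 and p95 values are what a risk appetite statement is usually compared against, and the chance of no loss in a year is the reason a single-point "expected loss" hides most of the picture. Swap the calibration tables for ranges elicited from your own subject matter experts before relying on the output.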
Risk-2-Appetite Register: This model is a P-RMOD4Cyber component. This model is a necessity for any risk management program. Fully compliant with current NIST guidance this model supports the quantitative evaluation of risk within the risk register.
Compliance Risk Analysis: This model is a P-RMOD4Cyber component. The NIST Cybersecurity Framework was designed to help organizations build resilience into their security practices by viewing them through the lens of an incident lifecycle, from identifying assets through protection, detection, response and recovery. That structure also makes it a natural model for risk. This model lets you evaluate your security practices and quantify the associated risk. We believe it is the missing piece: it takes you beyond compliance and into a truly risk-informed approach.