Why Quantify SaaS Risk?

Risk modelers love to ask, “what can go wrong?” 

We’re not morbid– we see risk as something to avoid. We celebrate when the cost of reducing risk is less than the potential impact of an incident. We’re overjoyed when risk is brought within the business appetite and budget. We’re ecstatic when we can find dollars and reinvest them back into the business. Still, we often find ourselves lost in the balance of overspending or under-securing, especially as digital transformation introduces new risks.  

As the world becomes more connected and online businesses rely more on each other for their vendor services, the use of software as a service (SaaS) grows as an organization’s attack surface becomes an imperative factor in the security of your digital environment. 

At Resilience, our in-house data analytics team takes a risk modeling approach called “decision analysis” to measure the impact of our client’s SaaS risk. This approach helps risk managers, CISOs, and executives observe and compare the tradeoffs of the cost, value, and risk associated with cyber management decision alternatives. 

Risk Presented by SaaS (Software as a Service) 

Organizations often share their data with various SaaS providers. Most SaaS providers, in turn, use various and sundry-related cloud services, creating an expansive risk that is challenging to manage. 

There is clearly immense value in SaaS products. We recognize the necessity of third-party vendors to continue business operations, especially for small and medium-sized organizations. However, most traditional cyber insurance providers overlook SaaS as a source of risk. Given that SaaS expansion is arguably the largest and fastest-moving form of digital transformation, the new risks posed by SaaS exposure should be considered by security teams and insurers alike. 

Consider these questions in your SaaS decision analysis:

• Is there any way your SaaS use makes a data breach more likely or subjects you to greater impact?  
• Can using more SaaS providers lead to your business disruption?  
• Could both breach and disruption frequency increase simultaneously?  

Resilience has designed a risk modeling practice that engages security, insurance, and business ideologies. Using low code graphing models, we start by capturing data surrounding what the client already knows about their business processes and risks. We then make comparisons using the data from claims, quantitative surveys, third-party research, security telemetry, and more. 

Given all this data, our models become quite large. Decision analysis allows us to tackle each piece separately, flexibly, and rapidly before building them into the final model we present to our clients. The resulting model is an easy-to-follow set of graphs that integrate multiple sources of risk and are rigorously mathematical and defensible. While we build this analysis, our customers can see what we are doing, participate in the process, and feel assured that they won’t get lost in the analytic weeds.

Managing this Risk through Decision Analysis Modeling 

We designed our SaaS risk model to consider two loss vectors. The first is the SaaS provider. What is the likelihood (and impact) of the provider having a system loss? We also consider losses caused by end-user usage. In both cases, the volume of users and the rate with which events materialized are included in the end calculation. 

Our SaaS risk model relies on data from our claims experience, quantitative surveys, and third-party research. Even with access to robust data, there remains some uncertainty about the volume of sensitive records susceptible to exposure, the frequency of data theft events, and the financial cost of addressing stolen sensitive records. Our analysis shows how much this uncertainty influences the client’s risk, helping them decide whether it’s worth the time and effort to reduce those uncertainties through more precise measurement or risk mitigation. 

Our final model provides multiple strategic options for reducing SaaS risk as it relates to both business disruption and breach. The question becomes, “which strategy is better?” 

Although we believe that anything can be measured, we don’t believe it is necessary to expend the time and resources to measure everything that could affect the strategic assessments. Therefore, we built the final step in our analysis to consider strategies as incremental extensions. 

Clients can choose between easing in with the less aggressive strategy first, testing its effectiveness and reliability given a broader set of operating requirements, and adapting the remaining portion of the most aggressive strategy as feasible to capture its option value. Or, they could go all in on the most aggressive strategy and still be able to reap the most potential reward with little additional risk to manage.

Building Resilience by Quantifying SaaS Risk 

Whichever option these organizations choose, our clients can narrow the millions of risk management possibilities down to a few feasible and financially sound options through Resilience's decision-analysis model. Quantifying our client’s overall SaaS risk has helped organize and clarify the level of risk posed by each software vendor, how to manage this risk best, and where to invest more deeply in security.  

Resilience’s Security Team provides risk modeling analysis to help risk managers, CISOs, brokers, and executives manage their cyber risk holistically from both a technical and financial perspective. Our process isn’t one-size-fits-all; we prioritize the unique threats that matter most to our clients. We model their risk against their security controls and use this data to strengthen their overall security posture. This helps them qualify for better insurance coverage and manage their SaaS risk on a deeper level. This depth of understanding client’s risk reaches the core of what we do and is key to building a cyber-resilient company. 

Liked this article? Share it with your network, and follow Resilience for more #CyberInsurance and #CyberResilience content.

About the Author

Richard Seiersen, Chief Risk Officer at Resilience.

Richard is a 20+ year security veteran with a long-standing career as a CISO for corporations such as GE, Twilio and LendingClub. As a renowned thought leader in the Cybersecurity & Risk Management space, he is extremely passionate about sharing his knowledge with industry peers. He can be spotted frequently attending and speaking at industry events like IANS and RSA. His bestselling books include: "The Metrics Manifesto: Confronting Security with Data" (2022), and "How to Measure Anything in Cybersecurity Risk" (2016).