ACSIA Help Center

Quantitative Risk Analysis

Nadia Riccardi
Nadia Riccardi
  • Updated

This article dives into the details of the new Quantitative Risk Analysis (QRA) feature of ACSIA CRA. It uses data and statistical methods to assess the likelihood and potential financial impact of a ransomware attack.

To access the section you need to select "Risk" in the menu on the left.


What is Ransomware?

Ransomware is a malicious software that encrypts a victim's data, making it inaccessible. Attackers then demand a ransom, typically in cryptocurrency, to unlock the data.

The calculation of the risk exposure is a quantitative, not qualitative, analysis. This means that it does not take into account the type of attacker, the skill of the SOC, or the fame of a particular attacker. It also does not consider whether the attacker is a known APT group.

Your Ransomware Risk Exposure

ACSIA CRA new feature estimates your company's potential financial losses from a ransomware attack.

The badge on the right shows the annual cost of a ransomware attack (i.e. the amount of money that the company should put in their budget annually to face this type of attack, based on the frequency of the event that was calculated).

The calculation is performed through a simulation using the FAIR (Factor Analysis of Information Risk) framework, which estimates the minimum, expected value, and maximum monetary value that should be budgeted each year to address this type of risk.
Additionally, the expected frequency for such an attack is estimated.


The UI also shows a breakdown of the costs:

  • Minimum Expected Cost
  • Average Expected Cost
  • Maximum Expected Cost

This highlights the potential range of financial damage, emphasizing the importance of taking proactive measures.

Loss Magnitude and Loss Event Frequency

  • The Loss Magnitude estimates the total expenses expected in the event of a single RANSOMWARE-type incident, calculated through simulations considering both primary and secondary costs that have been previously entered or computed.
    The Loss Magnitude does not directly sum up the estimated costs of its components; instead, it is derived from the PERT distributions based on the minimum, most likely and maximum values of its components. 
  • The Loss Event Frequency estimates the frequency of occurrences of events that result in losses for the company.
    The calculation considers the frequency of attempted attacks on the company, the skill level of threat actors and the resistance of the company's Attack Perimeter against such scenarios.


Breakdown of Potential Costs

The Estimated Cost considers various factors:

  • Primary Costs (Quantitative):
    • Recovery Cost: Expenses incurred to respond and recover from the attack (e.g., IT staff time, data restoration).
    • Business Interruption: Lost revenue due to downtime caused by the attack.
    • Ransom Payment: Includes direct costs related to ransomware attacks, such as ransom payments.
  • Secondary Costs (Qualitative):
    • Post Breach Security Improvements: Costs associated with additional security measures implemented after an attack.

The platform provides ranges for each cost type, giving you a clear picture of the potential financial burden. Each one is represented as minimum, most likely, and maximum values of a PERT distribution.


Visualizing Risk Distribution

The platform uses graphs to illustrate the likelihood of different loss scenarios:

  • Risk Distribution Curve: This graph shows the probability of experiencing different financial losses. The higher the Y-axis value, the more likely that specific loss amount will occur.
  • Loss Exceedance Curve: This graph displays the probability of exceeding a certain loss threshold. It helps visualize the chances of incurring significant financial losses.

These visualizations allow you to understand the potential impact of a ransomware attack on your business.


Understanding the Underlying Calculations

The "Calculation dependency tree" section breaks down the factors contributing to the overall risk score:

  • Risk: The probable frequency and probable magnitude of future loss
  • Loss Event Frequency: The frequency, within a given timeframe, that loss is expected to occur.
  • Loss Magnitude: The potential financial impact of a successful attack.
  • Threat Event Frequency: The frequency, within a given timeframe, that threat agents are expected to act in a manner that could result in loss
  • Vulnerability: The probability that a threat event will become a loss event.
  • Primary Loss: The estimated financial losses from data recovery, business interruption, and potential ransom payment.
  • Secondary Risk: Additional costs associated with post-attack security improvements.

By examining these factors, you can identify areas where your risk profile can be improved.


Risk Customization

In this section users can personalize specific company data through a series of questions.
Therefore risk estimates can be tailored to your organization's unique profile for more accurate insights.

Click on "Go to questions"


Fill out the questions: 


Then save the questionnaire responses and request Risk Recalculation.

Scenario Analysis: Focusing on Pure Ransomware

This section focuses solely on data encryption, excluding data exfiltration, to provide a clearer picture of the core ransomware threat. It also details the:

  • Assets: Data at risk during the attack.
  • Threat: The nature of ransomware and its impact.
  • Threat Actors: Common ransomware groups and their motivations.
  • Tactics, Techniques, and Procedures (TTPs): How attackers typically deploy ransomware (e.g., phishing emails, exploiting vulnerabilities).

Understanding these elements helps you develop targeted mitigation strategies.

FAIR Methodology: Our platform employs FAIR's structured approach to break down risk factors into quantifiable elements.