
Managing Cyber Risks: Express Control Impact and Risk Analysis (ECI & RA)

Muhammad Bin Oiad, Fabio Beltran, Lucas Falivene, Sarah Sha, and Yaman Yu delivered this presentation at FloCon 2022 on January 11, 2022.

Software Engineering Institute




Organizations are aiming to change how they address cyber risks, moving from endless frameworks, checklists, and broadly complex maturity models to a more pragmatic risk management approach. There is currently no practical framework or method to help organizations determine how to strengthen their security practices given a specific security budget and compliance requirements. Partnering with the Software Engineering Institute at Carnegie Mellon University, we devised a novel cyber risk tool that eases CISOs' lives by helping them manage cyber risks. The ECI & RA method (Express Control Impact and Risk Analysis) can be applied to any organization to provide CISOs with an express control impact and concise compliance prioritization strategy. The project's main objective is to provide a more practical and methodological approach to efficiently allocating CISOs' budget, resources, investments, projects, and efforts. The ECI & RA method also helps CISOs justify their budget allocation to executives by creating a novel synergy between several renowned frameworks. Lastly, our method provides the organization with a clear roadmap to manage cyber risks and comply with regulations and industry standards.

The ECI & RA method combines the following frameworks and resources:

  • FAIR
  • OCTAVE Allegro
  • CMMC
  • NIST SP 800-53

Our ECI & RA method combines several techniques and strategies implemented by renowned organizations, such as the International Monetary Fund (IMF) Strategy and Netflix's Risk Quant Project, both of which support using a log-normal distribution for impact. ECI & RA computes a loss exceedance curve, the quantitative expression of risk, which is then used to recommend a prioritized set of NIST controls aligned with the organization's specific needs and constraints (e.g., budget, compliance requirements). Our method has three main stages: Risk Appetite determination, Risk Analysis, and Risk Mitigation Optimization. Each stage contains its own activities that together achieve an effective express control impact and risk analysis strategy.
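The three stages described above can be made concrete with a small Monte Carlo model. The following is an added example written for this page; it is not the authors' ECI & RA tool or any code from the SEI. It assumes the FAIR-style decomposition of annual loss into a Poisson loss event frequency and a log-normal loss magnitude (the distribution the paragraph mentions), fits the log-normal from a calibrated median and 90th percentile, derives the loss exceedance curve, checks it against a stated risk appetite, and ranks hypothetical controls by expected-loss reduction per unit cost. All scenario numbers, control names, and control effect multipliers are constructed placeholders, not values from the presentation.

```python
import bisect
import math
import random
from typing import Dict, List, Sequence, Tuple

# Standard-normal quantile at 0.90, used to fit a log-normal to an elicited
# (median, 90th percentile) loss-magnitude pair.
Z_90 = 1.2815515655446004


def lognormal_params(median: float, p90: float) -> Tuple[float, float]:
    """Fit (mu, sigma) of a log-normal loss magnitude to a median and a P90.

    Calibrated-estimate elicitation usually yields a "most likely" and a
    "worst plausible" loss; median and P90 are a convenient pair to fit.
    """
    if median <= 0 or p90 <= median:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z_90
    return mu, sigma


def poisson(lam: float, rng: random.Random) -> int:
    """Draw a yearly event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef: float, median: float, p90: float,
                           trials: int = 20_000, seed: int = 1) -> List[float]:
    """Monte Carlo over `trials` simulated years: draw an event count from
    Poisson(lef) (loss event frequency) and sum one log-normal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p90)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(lef, rng)))
            for _ in range(trials)]


def loss_exceedance_curve(losses: Sequence[float],
                          thresholds: Sequence[float]) -> Dict[float, float]:
    """P(annual loss >= t) for each threshold t: the loss exceedance curve."""
    ordered, n = sorted(losses), len(losses)
    return {t: (n - bisect.bisect_left(ordered, t)) / n for t in thresholds}


def expected_annual_loss(losses: Sequence[float]) -> float:
    return sum(losses) / len(losses)


def within_appetite(curve: Dict[float, float], loss_level: float,
                    max_probability: float) -> bool:
    """Risk appetite check: is the chance of losing >= loss_level in a year
    no greater than the probability the organization is willing to accept?"""
    return curve[loss_level] <= max_probability


def rank_controls(lef: float, median: float, p90: float,
                  controls: Sequence[Tuple[str, float, float, float]],
                  **sim_kwargs) -> List[Tuple[str, float]]:
    """Rank candidate controls by expected-annual-loss reduction per unit cost.

    Each control is (name, annual_cost, lef_multiplier, magnitude_multiplier);
    the multipliers scale frequency and loss magnitude once the control is in
    place (hypothetical effect estimates supplied by the analyst).
    """
    baseline = expected_annual_loss(simulate_annual_losses(lef, median, p90, **sim_kwargs))
    ranked = []
    for name, cost, lef_mult, mag_mult in controls:
        # Scaling both median and P90 by the same factor shifts mu and keeps sigma.
        eal = expected_annual_loss(simulate_annual_losses(
            lef * lef_mult, median * mag_mult, p90 * mag_mult, **sim_kwargs))
        ranked.append((name, (baseline - eal) / cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: two loss events per year on average, magnitude
    # median 100k and P90 500k (illustrative numbers, not from the page).
    losses = simulate_annual_losses(lef=2.0, median=100_000, p90=500_000)
    curve = loss_exceedance_curve(losses, [100_000, 500_000, 1_000_000, 5_000_000])
    print(f"expected annual loss: {expected_annual_loss(losses):,.0f}")
    for level, prob in curve.items():
        print(f"P(annual loss >= {level:>10,.0f}) = {prob:.3f}")
    print("within appetite (P(loss >= 1M) <= 10%):",
          within_appetite(curve, 1_000_000, 0.10))
    # Hypothetical controls: (name, annual cost, frequency multiplier, magnitude multiplier).
    for name, score in rank_controls(2.0, 100_000, 500_000, [
            ("placeholder control A", 50_000, 0.5, 1.0),
            ("placeholder control B", 20_000, 1.0, 0.7),
            ("placeholder control C", 120_000, 0.3, 0.5)]):
        print(f"{name}: {score:.2f} expected loss avoided per unit of cost")
```

The curve is read directly as the risk appetite question: "what is the chance of losing at least X in a year?" A control that cuts frequency (e.g., fewer successful events) and one that cuts magnitude (e.g., faster containment) move different parts of the curve, which is why the ranking re-simulates rather than applying a flat percentage to the expected loss.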

We provide an express control impact and risk analysis method to help any organization manage its risk according to its custom-tailored appetite, budgetary constraints, compliance requirements, and cybersecurity strategy. Our project aims to guide organizations in selecting mission-critical controls based on renowned frameworks that consider threat capabilities, current controls, and vulnerability factors. ECI & RA helps organizations drive their cybersecurity strategy through risk-based decision-making and framework compliance, setting them on the path to cyber risk automation.

Attendees will learn a novel and pragmatic approach to the complex issue that CISOs face every day: how to manage risks while optimizing the resources and investments that minimize those risks effectively. The combination of the MITRE cyber kill-chain, FAIR risk quantification, and the CMMC and NIST CSF maturity landscapes allows our method to help CISOs move from one-size-fits-all strategies based on rigid best practices to actually addressing their organizations' risks in a custom-tailored way. We will show cybersecurity professionals a new path to automating cyber risk and control impact management and to prioritizing NIST 800-53 controls, so as to strengthen the mission-critical controls that address the organization's main risks.



This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.