Due Diligence and Ongoing Monitoring


Example of what is used to do a cost benefit analysis that details qualitative and quantitative factors

  • 1.  Example of what is used to do a cost benefit analysis that details qualitative and quantitative factors

    This message was posted by a user wishing to remain anonymous
    Posted 02-23-2022 05:04 PM

    Do you do a cost benefit analysis on your prospective vendors and include qualitative and quantitative factors? If so, does someone have an example of what they might use? I know it would vary from vendor to vendor, but what items do you include in your cost benefit analysis? Just trying to get started with doing CBAs and need expert guidance.
    Thanks,


  • 2.  RE: Example of what is used to do a cost benefit analysis that details qualitative and quantitative factors

    This message was posted by a user wishing to remain anonymous
    Posted 02-24-2022 09:55 AM

    I'd like to add a second vote to the CBA document request.

    Our vendor management program is very new and in the process of attempting to look more legitimate. Someone at work created something like a CBA several years back, but it is not very useful. So, I'd also be very interested in anyone who would be willing to share their CBA so I have a model to work from to conform to our business/size. Thanks!


  • 3.  RE: Example of what is used to do a cost benefit analysis that details qualitative and quantitative factors

    Posted 02-28-2022 08:37 AM
    It is not exactly what you want, but the CIS Controls - Risk Management Methodology (CIS RAM) is extremely innovative and has an optional Financial Worksheet tab that can be configured and the worksheet will then carry it through all other risk review.

    CIS RAM v2.1 was just updated (Implementation Group 2 updates just presented; Implementation Group 3 under development, volunteers welcome).

    From the CIS Workbench community:
    "The risk register is a useful component of a vendor management program. But with the number of cloud services and the likely varying sizes and categorization of vendors, the program would need a wrapper to manage it effectively. I recommend using a vendor management toolset with an automated questionnaire approach based on the CIS-RAM risk register (individual questions) to collect responses from vendors. Alternative questionnaires."

    So, I encourage anyone to look at the videos and get involved with the Workbench community at CiSecurity.org.

    Once you do, you can access resources like https://workbench.cisecurity.com/communities/76 and, under Files, you can access CIS RAM v2.1 Core and the Excel toolkits and Workbooks for IG1 and IG2, which are currently available.

    The following video from 2/8/2022 by Chris Cronin (Workshop leader, partner at HALOCK Security Labs, Chair of the DoCRA (Due Care Analysis) Council, and of course, principal author of CIS RAM and the DoCRA Standard) and hosted by Valecia Stocchetti (Sr CS Engineer for CIS Controls at Center for Internet Security).

    Using CIS RAM v2.1, you can understand how you can achieve not only cost-benefit analysis, but actually define your risk appetite and put it in terms of "Impact Magnitude" if your organization suffers a cybersecurity or information security incident. Based on the thresholds you set ("negligible, acceptable, unacceptable, high, and catastrophic"), all your further decisions on whether to implement remediation on controls over time will flag if you pass one of those thresholds, and then, based on risk and remediation priorities, you can elect to do the most important in 2022 and the others in 2023 so you stay within your risk appetite for negligible impact and meet your financial objectives.

    Having a tool that lets you model risk, and join in the next steps that will define KRIs, quantified risk analysis and build up to a risk management program, shows you that IG2 in CIS RAM v2.1 is just the icing on the cake and can help you with TPRM. Also

    I really enjoyed the discussion that turned control maturity (i.e., ISO, NIST, CMMC, etc.) into an "Expectancy" discussion to have a basis for a 1 to 5 rating not only based on the risk of the vendor or control, but the maturity of the control in your organization. It's about 20 minutes into this webinar (the webinar on CIS RAM 2.1 for IG2, https://workbench.cisecurity.org/files/3706/download/4686), which I highly recommend.

    All the best, Larry 



    This webinar covers a lot and is well worth your time to join the community, get a copy of the workbench and listen to the video.