Effective risk modeling plays a huge role in the successful development of a third-party risk management (TPRM) program, and a big part of that is deciding which data inputs will make up the model.

As organizations seek to reduce the cybersecurity risk exposure coming from their vendor relationships, they will never get an unrestricted view into what is going on inside their third parties' environments. That means they need to choose, from what *is* visible, the indicators that best predict a vendor's cyber risk posture. Ideally, the information fed into the third-party risk model should help:

  • offer clues about the riskiest situations present in the vendor portfolio,
  • most accurately answer the question, "How risky is this vendor relative to others?" and
  • assign controls requirements to specific groups of vendors.

RiskRecon recently worked with Cyentia Institute to systematically explore how well different risk models predict third-party cyber risk postures. In the report From Uncertainty to Understanding, Cyentia data scientists detailed how the following very basic models fall short of those goals.

Industry Only

While our body of joint research with Cyentia demonstrates that industries have different risk surfaces in the aggregate, TPRM managers shouldn't let that tempt them into creating risk categories based only on the industry in which a vendor operates.

First of all, a model like this is not logistically sustainable. After all, vendor management offices must deal with vendors from a wide range of industries to support all the different parts of their business operations. TPRM practitioners can't feasibly ask the business to swap a hospitality vendor for a financial industry vendor just because finance companies are traditionally better at security. Ultimately, a company doesn't want a bank serving tater tots in the cafeteria.

But even beyond that—say the business is using this model to set controls requirements for different buckets of vendors—industry-only data still makes for a weak risk model because it simply doesn't produce very accurate predictions. According to Cyentia's calculations in the report, this model explains only about 2.8% of the variation in an individual firm's risk posture.


Basic Firmographics

So, what if a TPRM practitioner decides to layer some additional basic information about an organization on top of the industry it operates in? The next model, basic firmographics, uses data about a third party's industry, organization size, and primary country of operation. This information is readily available before any kind of technical assessment, and it can be pulled in at scale from services like Dun & Bradstreet and Hoovers. But Cyentia's analysis shows that TPRM managers shouldn't let the ease of gathering this model's data tempt them into making risk decisions on it alone.

If the industry-only model has a 1.0x explanatory power for providing insight into cyber risk, Cyentia's analysis shows that basic firmographics barely ups the ante to about 1.7x explanatory power. Firmographic information by itself can only explain less than five percent of the variation in a firm's risk posture, according to our recent report.

Internet Infrastructure

Sliding a tiny notch up the fidelity scale, let's talk about the internet infrastructure risk model. In this case, a TPRM manager uses firmographics and also adds simple information about the vendor's internet-facing digital footprint: the percentage of the organization's infrastructure made up of cloud assets, the number of countries in which the organization has hosts, and the density of high-value hosts in the organization's external surface.

Cyentia shows here that while the internet infrastructure model shifts some risk variables around a little, at the end of the day it doesn't add much explanatory firepower. This model has only 1.8x explanatory power, explaining just 5.2% of the variation in risk among individual third parties.

When it comes to making risk decisions about vendor relationships, no set of data provides anything close to the level of decision-making assurance that full technical insight provides.

Cyentia's analysis shows that continuously monitoring internet-facing hosts for security issues using a platform like RiskRecon's provides TPRM managers almost 22x explanatory power, offering insight that explains 61.4% of the variation in risk between individual third parties.

TPRM success requires a high-fidelity model like this, which depends on surfacing patch findings, authentication findings, vulnerability findings, and other crucial exposure factors that serve as the most accurate proxy measures for whether or not a vendor is effectively executing its cybersecurity strategy.
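The percentages quoted above are shares of the variation in vendor risk posture that each model accounts for, and the "x" figures are each model's share divided by the industry-only model's share (that reading of "explanatory power" is an assumption here, though it is consistent with the numbers quoted). The following is an added example, not code from RiskRecon, Cyentia or the report: it fits an ordinary least-squares model for each of three feature sets (industry only, basic firmographics, technical findings) on a small constructed vendor table, computes R² for each, and reports relative explanatory power against the industry-only baseline. The vendor rows, the `findings per 100 hosts` feature and all function names are constructed for illustration; the numbers it prints are not the report's.

```python
"""Compare risk models by the share of vendor-risk variation they explain (R^2)."""
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not real vendor data): industry, log10 employees, US-based flag,
# open high-severity findings per 100 internet-facing hosts, observed risk posture score.
VENDORS: List[Tuple[str, float, int, float, float]] = [
    ("finance", 4.5, 1, 2, 17), ("finance", 3.8, 0, 9, 38), ("finance", 5.0, 1, 1, 14),
    ("hospitality", 3.2, 1, 12, 47), ("hospitality", 2.9, 0, 4, 23), ("hospitality", 3.5, 1, 7, 31),
    ("healthcare", 4.1, 1, 6, 29), ("healthcare", 3.0, 0, 11, 44), ("healthcare", 3.6, 1, 3, 20),
    ("tech", 2.5, 1, 8, 34), ("tech", 4.8, 0, 2, 16), ("tech", 3.3, 1, 5, 27),
]
INDUSTRIES = ["finance", "hospitality", "healthcare", "tech"]


def one_hot(industry: str) -> List[float]:
    """Dummy-code industry, dropping the first level so it is not collinear with the intercept."""
    return [1.0 if industry == level else 0.0 for level in INDUSTRIES[1:]]


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Gaussian elimination with partial pivoting for the small normal-equation system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular design matrix: features are collinear")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def r_squared(rows: Sequence[Sequence[float]], y: Sequence[float]) -> float:
    """Fit OLS with an intercept via the normal equations and return in-sample R^2."""
    X = [[1.0] + list(r) for r in rows]
    p, n = len(X[0]), len(X)
    xtx = [[sum(X[i][a] * X[i][b] for i in range(n)) for b in range(p)] for a in range(p)]
    xty = [sum(X[i][a] * y[i] for i in range(n)) for a in range(p)]
    beta = solve(xtx, xty)
    mean = sum(y) / n
    ss_tot = sum((v - mean) ** 2 for v in y)
    ss_res = sum((y[i] - sum(b * xi for b, xi in zip(beta, X[i]))) ** 2 for i in range(n))
    return 1.0 - ss_res / ss_tot


# Each model is a feature extractor over one vendor row (hypothetical feature sets).
FEATURE_SETS = {
    "industry only": lambda v: one_hot(v[0]),
    "basic firmographics": lambda v: one_hot(v[0]) + [v[1], float(v[2])],
    "technical findings": lambda v: [v[3]],
}


def model_scores(vendors=VENDORS) -> Dict[str, float]:
    """R^2 of every feature set against the observed risk posture column."""
    y = [v[4] for v in vendors]
    return {name: r_squared([f(v) for v in vendors], y) for name, f in FEATURE_SETS.items()}


def explanatory_power(r2: float, baseline_r2: float) -> float:
    """Relative explanatory power: a model's R^2 over the industry-only baseline R^2."""
    return r2 / baseline_r2


if __name__ == "__main__":
    scores = model_scores()
    base = scores["industry only"]
    for name, r2 in scores.items():
        print(f"{name:22s} R^2={r2:5.3f}  {explanatory_power(r2, base):4.1f}x")
```

Because the firmographic model nests the industry-only model, its in-sample R² can never be lower; the question the report answers is how much higher, and on this constructed table, as in the report, the jump comes only when the technical-findings feature is added.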

To get a closer look at Cyentia's findings on TPRM risk models and the data that should feed a program, check out the recent report yourself.