The diverse landscape of cyber risk methodologies, ranging from technical scoring systems like CVSS to financial quantification frameworks like FAIR, offers organisations multiple tools to manage threats. However, these tools often operate in isolation, creating challenges when aligning technical, operational, and financial risk perspectives. Mapping between these approaches bridges the gaps, enabling organisations to unify risk management strategies and enhance decision-making.
This article explores how to map between popular cyber risk approaches, including FAIR, CVSS, CVaR, NIST CSF, and security rating services (SRS) platforms, offering practical guidance for integration.
1. Why Mapping Is Necessary
Cyber risk scoring and quantification tools serve distinct purposes:
- Scoring systems (e.g., CVSS): Focus on technical severity and exploitability, ideal for day-to-day vulnerability management.
- Quantification frameworks (e.g., FAIR, CVaR): Translate risks into financial terms, essential for strategic planning and executive reporting.
- Benchmarking tools (e.g., SecurityScorecard): Compare security performance across organisations or industries.
Mapping between these approaches ensures:
- Unified Risk Perspectives: Align technical vulnerabilities with financial and business impacts.
- Optimised Investments: Prioritise risks based on both their technical severity and organisational value.
- Consistent Communication: Standardise how risks are described to technical teams, executives, and regulators.
2. Framework-Specific Goals
Before mapping, it’s essential to understand the goals of each approach:
| Approach | Goal | Best For |
|---|---|---|
| FAIR | Financial quantification of risks based on probability and impact. | Strategic planning, financial reporting. |
| CVSS | Numerical scoring of vulnerabilities based on severity and exploitability. | Day-to-day vulnerability management. |
| CVaR | Scenario modelling to estimate worst-case financial losses. | Planning for low-probability, high-impact events. |
| NIST CSF | Framework for managing and improving cybersecurity capabilities. | Holistic risk management and regulatory compliance. |
| Security Ratings | High-level benchmarking of organisational cybersecurity posture. | Third-party risk management, industry comparisons. |
3. Mapping Between Approaches
Mapping CVSS to FAIR
Purpose: Combine technical vulnerability severity with financial risk quantification to prioritise mitigation efforts.
Steps:
- Start with CVSS Base Scores: Use CVSS metrics to assess the intrinsic severity of vulnerabilities.
- Incorporate Environmental Metrics: Adjust scores to reflect the criticality of the asset (e.g., a public-facing server vs. an internal system).
- Translate into FAIR Variables:
  - Loss Event Frequency (LEF): Map CVSS exploitability metrics to the likelihood of an event.
  - Loss Magnitude (LM): Use the asset’s importance to estimate potential financial impacts.
- Output Financial Risk: Use FAIR to calculate monetary losses associated with CVSS scores.
Example:
A CVSS score of 8.5 for a database vulnerability on a production server is mapped to high LEF and LM in FAIR, resulting in a £500,000 risk estimate.
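The CVSS-to-FAIR steps above, as an added example that is not from the article or the FAIR/CVSS standards: it parses a CVSS v3.1 vector, computes the exploitability sub-score with the specification's metric weights, and maps it to an assumed LEF band and an assumed asset-criticality LM table to give an annualised loss (LEF × LM). The band thresholds and GBP figures are illustrative assumptions.

```python
"""Constructed example (not from the article): map a CVSS v3.1 base vector
to FAIR loss-event frequency (LEF) and loss-magnitude (LM) bands, then to
an annualised loss estimate. The metric weights are the CVSS v3.1 ones;
the LEF bands and the asset-criticality table are illustrative assumptions."""

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
# Privileges Required depends on Scope (U = unchanged, C = changed).
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}

# Assumed: exploitability threshold -> (LEF band, loss events per year).
LEF_BANDS = [(3.0, "high", 1.0), (1.5, "medium", 0.25), (0.0, "low", 0.05)]
# Assumed: asset criticality (environmental context) -> LM per event in GBP.
LM_BY_CRITICALITY = {"low": 20_000, "medium": 100_000, "high": 500_000}


def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' into a dict."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("expected a CVSS v3.x vector string")
    return dict(p.split(":", 1) for p in parts[1:])


def exploitability(m: dict) -> float:
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI."""
    return round(8.22 * AV[m["AV"]] * AC[m["AC"]]
                 * PR[m["S"]][m["PR"]] * UI[m["UI"]], 2)


def lef_band(expl: float) -> tuple:
    """First band whose threshold the exploitability sub-score meets."""
    return next((name, rate) for thr, name, rate in LEF_BANDS if expl >= thr)


def annualised_loss(vector: str, criticality: str) -> dict:
    """CVSS vector + asset criticality -> FAIR LEF, LM and LEF * LM."""
    expl = exploitability(parse_vector(vector))
    band, lef = lef_band(expl)
    lm = LM_BY_CRITICALITY[criticality]
    return {"exploitability": expl, "lef_band": band,
            "lef_per_year": lef, "lm_gbp": lm, "ale_gbp": lef * lm}


if __name__ == "__main__":
    # Public-facing database host, remotely exploitable with no auth or UI.
    print(annualised_loss("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "high"))
```

The environmental adjustment in step 2 enters through the criticality argument; a real mapping would calibrate the bands and LM table from the organisation's own loss data.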
Mapping CVaR to FAIR
Purpose: Integrate CVaR’s scenario-based financial modelling with FAIR’s detailed risk breakdown.
Steps:
- Define CVaR Scenarios: Use CVaR to outline specific events (e.g., ransomware on critical systems).
- Refine Using FAIR Variables: Break down scenarios into FAIR components:
  - Use FAIR for detailed LEF and LM estimates.
  - Add granularity by identifying primary (direct) and secondary (indirect) losses.
- Combine Outputs: Use Monte Carlo simulations to combine FAIR’s granular inputs with CVaR’s broader scenario modelling.
Example:
CVaR predicts a maximum loss of £2M from a ransomware attack. FAIR refines this by estimating £1M in downtime, £500,000 in recovery costs, and £500,000 in reputational damage.
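The "Combine Outputs" step above, as an added example that is not the article's or any FAIR tool's code: a Monte Carlo simulation draws a yearly event count from the FAIR LEF and, per event, one triangular (min, most-likely, max) draw for each primary and secondary loss component, then reports the 95% Value-at-Risk and Conditional VaR of annual loss. The 0.3 events/year rate and the GBP ranges are assumptions built around the £1M / £500k / £500k breakdown above.

```python
"""Constructed example (not from the article): Monte Carlo over FAIR-style
inputs (loss-event frequency plus per-event primary and secondary loss
ranges) to produce a loss distribution with Value-at-Risk and Conditional
VaR. The 0.3 events/year rate and the ranges are illustrative assumptions
built around the article's £1M / £500k / £500k ransomware breakdown."""
import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small annual rates FAIR LEF uses."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef: float, components: dict,
                           trials: int = 20_000, seed: int = 7) -> list:
    """Annual loss per trial: number of events ~ Poisson(lef); each event
    sums one triangular (min, most-likely, max) draw per loss component."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, lef)):
            for low, mode, high in components.values():
                total += rng.triangular(low, high, mode)
        losses.append(total)
    return losses


def var_cvar(losses: list, confidence: float = 0.95) -> tuple:
    """VaR = loss at the confidence quantile; CVaR = mean of that tail."""
    ordered = sorted(losses)
    idx = min(int(confidence * len(ordered)), len(ordered) - 1)
    tail = ordered[idx:]
    return ordered[idx], sum(tail) / len(tail)


# Assumed FAIR loss components in GBP as (min, most-likely, max).
RANSOMWARE = {
    "downtime (primary)": (250_000, 1_000_000, 1_500_000),
    "recovery (primary)": (100_000, 500_000, 800_000),
    "reputation (secondary)": (0, 500_000, 1_200_000),
}

if __name__ == "__main__":
    annual = simulate_annual_losses(0.3, RANSOMWARE)
    var95, cvar95 = var_cvar(annual)
    print(f"mean £{sum(annual) / len(annual):,.0f}  "
          f"95% VaR £{var95:,.0f}  95% CVaR £{cvar95:,.0f}")
```

CVaR is the tail average rather than a single worst case, so it is the figure to compare against a "maximum loss" scenario estimate; the mean of the same distribution is the FAIR annualised loss expectancy.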
Mapping FAIR to NIST CSF
Purpose: Align FAIR’s financial risk insights with NIST CSF’s functions to improve cybersecurity capabilities.
Steps:
- Categorise FAIR Outputs: Map FAIR results to NIST CSF’s five functions:
  - Identify: Use FAIR’s asset and threat modelling to enhance inventories.
  - Protect: Direct FAIR-prioritised investments to controls like access management.
  - Detect: Use FAIR findings to justify monitoring tools for high-risk areas.
  - Respond/Recover: Plan response and recovery budgets based on FAIR’s financial impact estimates.
- Monitor Progress: Use FAIR-derived financial metrics to track improvements in NIST CSF capabilities.
Example:
A FAIR analysis shows £250,000 annualised losses from phishing attacks. This justifies investment in NIST CSF’s Protect function (e.g., phishing simulations and employee training).
Mapping CVSS to NIST CSF
Purpose: Use CVSS scores to inform NIST CSF’s risk management priorities.
Steps:
- Analyse CVSS Scores: Identify high-severity vulnerabilities.
- Map to CSF Functions:
  - Identify: Use CVSS scores to refine asset inventories.
  - Protect: Prioritise patching based on CVSS severity.
  - Detect: Feed CVSS findings into detection systems.
Example:
A CVSS score of 7.8 on a critical system maps to NIST CSF’s Protect and Respond functions, triggering immediate patching and incident response plans.
Mapping Security Ratings to FAIR or CVaR
Purpose: Translate external-facing security ratings into actionable financial or scenario-based insights.
Steps:
- Benchmark Using Ratings: Use platforms like BitSight to compare your organisation’s posture against peers.
- Input Into FAIR or CVaR:
  - Feed ratings into FAIR to assess how external vulnerabilities translate into financial risk.
  - Use ratings to define CVaR scenarios (e.g., potential third-party breaches).
Example:
A supplier receives a low security rating. FAIR calculates £200,000 in potential annualised losses from supply chain vulnerabilities, prompting renegotiation of contracts.
4. Challenges in Mapping
- Data Gaps: Lack of sufficient data to connect technical metrics with financial or operational impacts.
- Subjectivity: Environmental and contextual adjustments can vary significantly across organisations.
- Complexity: Mapping between methodologies requires specialised knowledge and tools.
- Differing Approaches: The metrics originate in different disciplines, each driven by strikingly different use cases, so mapping between them can be problematic.
5. Best Practices for Mapping
- Understand the Strengths of Each Approach: Use CVSS for technical severity, FAIR for financial modelling, and CVaR for scenario analysis.
- Invest in Tools: Leverage integrated platforms that support multiple methodologies.
- Collaborate Across Teams: Involve technical, operational, and executive stakeholders to ensure consistency.
- Regularly Update: Refresh mappings to reflect evolving threats and organisational priorities.
Conclusion
Mapping between cyber risk approaches like FAIR, CVSS, CVaR, and NIST CSF bridges the gap between technical and business perspectives. By unifying methodologies, organisations can prioritise risks effectively, optimise resource allocation, and communicate threats more clearly to all stakeholders. With proper tools and practices, mapping becomes a powerful strategy for holistic cybersecurity management.