An Effective Approach to Measure Your SAP Risks Quantitatively

How to realise how much your organisation would lose from an incident or breach

28 - 07 - 2021

Have you ever wondered why SAP security has little to no priority in most organisations? Of course you have. Responsible people tell us, for example: "SAP is German made, thus secure by default", "SAP security is not a priority", and "we are unable to justify the budget to protect SAP applications and systems". I could probably fill two pages with reasons why SAP security has little to no priority, but that wouldn't help anybody. What usually helps is showing those red, yellow, and green graphs and qualitative figures of how loss events from SAP incidents or breaches might harm an organisation; now that might get some C-level attention. But still, some would not even budge; so, what do we do?

Management, the board of directors, and C-level executives are all interested in, and care enormously about, the monetary loss that an event might cause the organisation. While it is easy to quantify a loss event from any past incident the organisation might have had, the difficult part is calculating losses for events that have not happened yet. This is where probability theory and statistics come to the rescue, and a standard methodology that uses these concepts and relates them to information risk is the FAIR™ model.

How the FAIR™ Model Helps You to Understand Your Cybersecurity Risks

Put simply, "the FAIR™ (Factor Analysis of Information Risk) is a model that codifies and monetises risk". While you can apply the model to your entire information security risk, this article focuses on the advantages of applying it to your SAP risk and will also demonstrate how NO MONKEY helps organisations translate risk into financial terms.

The FAIR™ model uses a list of risk factors (shown in the figure below) against a specific loss scenario to quantify a loss event affecting an organisational asset. Each risk factor denotes a particular area of interest when analysing loss scenarios. A top-down approach defines risk as derived from the probable frequency and probable magnitude of a future loss that affects the primary stakeholder within a given time-frame set during the analysis (Reference: Risk Taxonomy (O-RT), Version 3.0). When a specific factor has little to no information available, analysts usually go one step down the taxonomy to derive the required information from its sub-factors.

Risk factors defined by the FAIR™ model

How to Effectively Quantify Your Security Risks with an SAP Risk Assessment

NO MONKEY ADVISORY offers the SAP Risk Assessment service to help organisations quantify risks effectively. Each activity within the risk assessment and analysis combines different methodologies and approaches that support organisations in determining the critical threats and risks specific to their organisation and industry. The service combines qualitative and quantitative risk approaches to assess and analyse risks from the organisation's SAP environment, based on the FAIR™ model and the methods listed below, which are provided by NO MONKEY.

A few of the advantages of using these methods within the SAP Risk Assessment service are that they:

  • Identify an organisation's security maturity level in protecting its SAP environment
  • Prioritise and identify risks across the NO MONKEY Security Matrix
  • Recognise critical SAP controls that increase protection and maturity
  • Identify gaps originating from the three lines of defence against the areas within the matrix
  • Derive primary and secondary losses, as the FAIR™ model prescribes, from six different loss categories (to name a few: productivity, replacement, and response), which are examined during the analysis to show the organisation how the loss from a specific scenario affecting the company can be quantified
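To make the top-down decomposition described above concrete (risk derived from loss event frequency and loss magnitude, with primary and secondary losses drawn from the loss categories), here is an added Monte Carlo example; it is not code from the original article or from NO MONKEY. It assumes three-point (min / most-likely / max) calibrated estimates fitted to PERT distributions, a Poisson event count per simulated year, and a single probability for secondary loss materialising; all scenario numbers fed to it are constructed, not taken from any real assessment.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, as FAIR analysts collect them."""
    low: float
    likely: float
    high: float

def pert_mean(est, lam=4.0):
    """Analytic mean of the PERT distribution fitted to a three-point estimate."""
    return (est.low + lam * est.likely + est.high) / (lam + 2)

def pert_sample(rng, est, lam=4.0):
    """Draw one value from the PERT distribution fitted to the estimate."""
    if not est.low <= est.likely <= est.high:
        raise ValueError("estimate must satisfy low <= likely <= high")
    if est.high == est.low:
        return est.low  # degenerate estimate: no uncertainty to sample
    span = est.high - est.low
    a = 1 + lam * (est.likely - est.low) / span
    b = 1 + lam * (est.high - est.likely) / span
    return est.low + rng.betavariate(a, b) * span

def poisson_count(rng, rate):
    """Number of loss events in one year for an annual rate (Knuth's method)."""
    limit, count, prod = math.exp(-rate), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return count
        count += 1

def simulate_annual_loss(lef, primary_lm, secondary_prob, secondary_lm, years=10_000, seed=1):
    """Monte Carlo: risk = LEF x LM; each event costs a primary loss plus a
    secondary loss (fines, reputation, ...) that occurs with secondary_prob."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson_count(rng, pert_sample(rng, lef))):
            total += pert_sample(rng, primary_lm)
            if rng.random() < secondary_prob:
                total += pert_sample(rng, secondary_lm)
        losses.append(total)
    losses.sort()
    pct = lambda p: losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"mean": sum(losses) / years, "p10": pct(0.10), "median": pct(0.50), "p90": pct(0.90)}
```

Express `lef` in loss events per year and the two magnitudes in currency; the returned percentiles are the annualised loss distribution a board can read as "most years cost X, a bad year costs Y", and the mean should stay close to `pert_mean(lef) * (pert_mean(primary) + secondary_prob * pert_mean(secondary))`.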

Smart Ways to Maintain Your SAP Security Risk Management Program

Helping customers identify their SAP security risk is one part; another is maintaining the risk management program across the organisation once the project is complete. The SAP Risk Assessment service not only helps organisations analyse and quantify SAP risks but also supports them in building a competent and responsible risk team that includes personnel from the three lines of defence (operations, security, audit). Together, they maintain the risk management program within the organisation to analyse, assess, evaluate, monitor and treat risks across the three tiers (organisation, mission/business processes, information systems) relating to SAP technology.

Mapping the approaches of the FAIR™ model and other risk frameworks to the complex world of SAP makes it easier for security personnel to address and communicate the need to secure such complex environments. Whether you believe you have a single security control protecting your SAP environment or, as we usually see in organisations, no security controls and have not yet faced an incident or breach, it is more critical than ever to recognise how a loss event can affect your organisation. Since SAP, like any other software or application, is not secure by default, it is crucial to measure your risks quantitatively so that you understand which threats to prioritise, which protection enhancements are required, and the competency needed.

What Do You Think?

We're happy to get in touch with you and learn something about your view. Feel free to send us a message.


About the Author

Waseem Ajrab, Head of SAP Security Advisory, NO MONKEY
  • Security professional with over seven years of experience
  • Involved in several areas of activity in cybersecurity, such as red team activities, blue team activities, audit, and compliance
  • Certified CISSP, Open FAIR™, OSCP, ISO 27001 Lead Auditor, CEH, Cisco CCNA
