
Turning risk into reward with cyber risk quantification

6/24/2024 3:15:49 PM

Two people working on a large, colorful graph with impact and likelihood on the x and y axes, indicating the impact and likelihood of cyber attacks.

MNIT has implemented a better way for agency leaders to make informed strategic decisions around cybersecurity.  

MNIT began using a cyber risk quantification (CRQ) tool that helps agency leadership use data to evaluate cybersecurity risks and their potential financial impacts. Using this scalable, enterprise tool helps agencies assess and manage cyber risks, which helps the state better protect Minnesotans’ personal data and maintain reliable public services.  

Implementing CRQ 

MNIT implemented CRQ using the Factor Analysis of Information Risk (FAIR) model to address how state agencies assessed cyber threats' severity and potential impact. This helps translate cybersecurity investments into understandable business and financial terms. 

MNIT’s new CRQ tool, SAFE One, uses a computational algorithm to evaluate cybersecurity risks and their potential financial impacts. The process includes: 

  • A forecasting capability to do “what if” scenarios such as: What if MNIT updated more systems, how would that improve our score? This helps agency leaders prioritize security investments based on the severity and likelihood of each threat.
  • The ability to compare analyses in reverse, to show what an asset’s risk profile might be if a state agency removed one of its cybersecurity safeguards. This is useful for justifying continued security investments.

This tool helps the state prioritize security investments based on the severity and likelihood of each threat, supports compliance, and creates a common language about security risks across agencies.  

Why translate cybersecurity into financial terms?

Translating cyber risks into financial terms helps agency leaders understand the potential financial impacts of threats and make informed decisions, saving agencies from unnecessary spending. With CRQ, agencies can prioritize cybersecurity investments based on clear, quantifiable data rather than subjective judgment. 

This shift enables agencies to allocate resources more efficiently, reducing unnecessary spending and focusing on the most critical risks, so they are better prepared to prevent and respond to cyber threats and incidents. 

Additionally, CRQ enables cybersecurity and business leaders to communicate using a common language, promoting collaboration and aligning security measures with business goals. This alignment ensures cybersecurity strategies support organizational objectives and enhance security and business outcomes.

The Journey: Trial and Success 

MNIT conducted a one-year trial with 20 executive branch agencies to implement and refine the CRQ process. During this period, MNIT worked closely with each agency to understand their cybersecurity challenges and tailor the CRQ approach to meet their needs. This process involved regular meetings and feedback sessions, ensuring continuous improvement and engagement with our partners. 

In addition, MNIT worked with agency leaders to improve data collection processes and enhance data quality. These efforts included training staff, standardizing data entry protocols, and creating centralized data repositories. 

The trial yielded impressive results. Agency leaders provided overwhelmingly positive feedback – they had a clearer understanding of their cybersecurity risks and were better equipped to make decisions about security investments. Implementing a successful CRQ tool highlights how MNIT and state agencies can: 

  • Use technology and data to increase efficiencies and improve decision-making. 
  • Address business needs, while managing risk. 
  • Realize cost savings. 
  • Reduce business impacts when cybersecurity events occur. 

The success of the trial demonstrated the value of CRQ in enhancing cybersecurity resilience and laid the foundation for a broader rollout of CRQ across all state agencies, positioning Minnesota as a leader in cybersecurity governance.  

Future Goals 

Looking ahead, MNIT aims to train agency security analysts on CRQ methodologies and enhance the platform through automation and integration. Through continuous innovation, MNIT seeks to set new standards for cybersecurity governance. 
