Cyber risk is a fundamental component of the overall risk faced by any organization. To size security investments and to estimate the risk reduction they buy, managers need to quantify it. Only then can they decide whether to transfer the residual risk to a third party, such as an insurer, which is just one of the available risk-treatment options.
According to Allianz Global Corporate & Specialty (2021) (AGCS) “cyber crime now costs the global economy over $1trn—more than one percent of global GDP—up 50% from two years ago. Meanwhile, the threat of business interruption, whether from ransomware attacks, technical failure or via the supply chain, more severe consequences from data breaches and risks emerging from the acceleration of digitalization post-Covid-19 loom large”.
Cyber risk management should therefore be one of the primary processes in any organization that wants to keep that risk under control. This raises some tricky questions, such as:
- What cyber risk parameters to choose?
- How to measure cybersecurity risk?
- What could be the best risk management model?
For IT systems and data assets, the risk is expressed as future loss: revenue lost through interruption, malfunction or destruction of the asset, plus regulatory fines, litigation and public-relations costs.
What is cyber-risk quantification and what tools can we use?
Cyber-risk quantification is a structured approach to evaluating and measuring cyber risk. Several quantification models are available, among them Factor Analysis of Information Risk (FAIR) and The Open Group Risk Taxonomy standard (O-RT), which is built on FAIR. FAIR, one of the most widely used frameworks, rests on the premise that cyber risk can be quantified in financial terms like any other business risk. It decomposes risk into loss event frequency (how often a threat actor acts against an asset and succeeds) and loss magnitude (what each such event costs), and estimates each from inputs such as the value of the information asset, the likelihood that a threat actor exploits a vulnerability and the potential impact of an incident on the organization.
In the same spirit, Value at Risk (VaR) has in recent years been applied in a cyber-security context, and considerable effort has gone into adapting this risk measure to methods developed specifically for assessing cyber risk. These models, referred to as Cy-VaR, offer “top management with a single risk number and a statistical probability to understand the overall cyber security risk of an enterprise”. Cy-VaR has two main objectives: to “help risk and information security professionals articulate cyber risk in financial terms” and to “enable business executives to make cost effective decisions and achieve a balance between protecting the organization and running the business”.
Cy-VaR builds on VaR, a risk measure popularised by JP Morgan's RiskMetrics (first published in 1994) and defined as the “predicted worst-case loss at a specific confidence level”: VaR at 95% over one year is the loss that will not be exceeded in 95 years out of 100. VaR is one of the main risk measures. It is popular because it is intuitive and its values are easier to interpret than those of other risk measures, and it is embedded in the Basel II and Basel III capital rules. As with other types of risk, the concern is not only expected losses from cyber threats but also potential extreme losses that occur with a small but non-negligible probability. One caveat a practitioner should keep in mind: VaR says nothing about how large a loss becomes once the threshold is exceeded, so for heavy-tailed cyber losses it is worth reporting the expected shortfall (the average loss in the worst 5% of years) alongside the 95% VaR.
Another measure is Return on Security Investment (ROSI), adapted from the classical return on investment (ROI). ROI measures the gain or loss produced by investing a given sum and is expressed as a ratio or percentage: the benefit (return) of the investment divided by its cost. ROSI applies the same idea to a security control: the benefit is the reduction in expected annual loss the control delivers, minus the cost of the control, divided by that cost.
Various risk-prediction models are also in use within companies. Monte Carlo simulation is the predominant technique, although elements of other models have been found necessary for a complete quantification model. There are further techniques that are not fully quantitative, such as parametric methods, behavioral modeling, the baseline-protection model, the Delphi method and certifications.
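The quantities discussed above (FAIR's loss event frequency and loss magnitude, Cy-VaR at a chosen confidence level, expected shortfall, and ROSI for a proposed control) can all be produced by a short Monte Carlo simulation, which is also what the likelihood-and-impact statements later in the article are built from. The block below is an added example written for this page; it is not code from the article, from the FAIR or O-RT standards, or from any vendor tool. The scenario name, event rate, loss median, and the control's cost and effect are constructed assumptions, and the distribution choices (Poisson for how often events occur, lognormal for what each one costs) are common modelling conventions rather than something the article prescribes.

```python
"""
Added example: a small FAIR-style Monte Carlo loss model (not from the article).
Risk = loss event frequency x loss magnitude, simulated over many years to get
expected annual loss (EAL), Cy-VaR, expected shortfall, a per-event loss range,
and ROSI for a control. All scenario numbers below are constructed assumptions.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass, replace
from statistics import NormalDist


@dataclass(frozen=True)
class LossScenario:
    """One loss scenario with assumed, illustrative parameters."""
    name: str
    events_per_year: float  # loss event frequency: mean of a Poisson process
    median_loss: float      # loss magnitude per event: median of a lognormal (EUR)
    sigma: float            # lognormal spread in log-space; larger = heavier tail


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: LossScenario, years: int = 20_000, seed: int = 1) -> list[float]:
    """Total loss for `years` independent simulated years of the scenario."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)  # lognormal with median m has log-mean ln(m)
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, s.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(n)))
    return losses


def quantile(values: list[float], p: float) -> float:
    """p-quantile: smallest sample value with at least a share p of the sample <= it."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def expected_shortfall(values: list[float], p: float) -> float:
    """Average loss in the worst (1 - p) share of years: what VaR alone does not tell you."""
    threshold = quantile(values, p)
    tail = [v for v in values if v >= threshold]
    return sum(tail) / len(tail)


def loss_given_event_interval(s: LossScenario, coverage: float = 0.8) -> tuple[float, float]:
    """Analytic central interval for the cost of a single event (default: 10th to 90th percentile)."""
    log_dist = NormalDist(math.log(s.median_loss), s.sigma)
    low = math.exp(log_dist.inv_cdf((1 - coverage) / 2))
    high = math.exp(log_dist.inv_cdf((1 + coverage) / 2))
    return low, high


def summarise(s: LossScenario, confidence: float = 0.95, **sim_kwargs) -> dict:
    """The numbers a Cy-VaR report would carry for one scenario."""
    losses = simulate_annual_losses(s, **sim_kwargs)
    low, high = loss_given_event_interval(s)
    level = round(confidence * 100)
    return {
        "scenario": s.name,
        "eal": sum(losses) / len(losses),
        "p_at_least_one_event": 1 - math.exp(-s.events_per_year),  # Poisson P(N >= 1)
        "loss_per_event_80pct_range": (low, high),
        f"var{level}": quantile(losses, confidence),
        f"es{level}": expected_shortfall(losses, confidence),
    }


def rosi(eal_before: float, eal_after: float, control_cost: float) -> float:
    """Return on Security Investment as a ratio: (risk reduction - cost) / cost."""
    return (eal_before - eal_after - control_cost) / control_cost


if __name__ == "__main__":
    # Assumed scenario: ransomware against the ERP system, one event every two years on average.
    baseline = LossScenario("ransomware on ERP (assumed)", events_per_year=0.5,
                            median_loss=150_000, sigma=1.0)
    # Assumed control: offline backups with tested restores, judged to halve the event rate
    # and cut the median outage cost by a third, at an assumed EUR 40,000 per year.
    with_control = replace(baseline, name="ransomware on ERP with backup control (assumed)",
                           events_per_year=0.25, median_loss=100_000)
    before, after = summarise(baseline), summarise(with_control)
    for report in (before, after):
        print(report)
    print("ROSI:", round(rosi(before["eal"], after["eal"], 40_000), 2))
```

Two practical points. With 20,000 simulated years the 95% VaR rests on about 1,000 tail samples and the 99% VaR on about 200, so raise the year count before reporting high confidence levels. The simulation itself is the easy part; the inputs are what the estimate stands or falls on, so calibrate the event rate and loss distribution from incident data or structured expert estimates and record them, as the transparency point later in the article requires.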
Cyber Risk Quantification Benefits
1. Lets you communicate cyber risk in terms that stakeholders care about
Quantifying risks can help express them in ways that are more applicable to a business context. For example, you can estimate the likelihood of a risk occurring using frequencies or percentages (e.g. “We expect this event to occur once within the next 6 months”).
Similarly you can express the potential impact of a risk using monetary value, the number of devices affected, the number of critical services affected, or how long critical systems or services will be unavailable.
Combined, this would allow you to describe risks using likelihood and impact, for instance, ‘Based on our current security controls, we are 90% confident this risk will occur at least once in the next year, and that it will cost between €100,000 and €300,000 if it occurs’. Framing risks in this way can help answer business questions such as ‘How much risk do we have?’ and can make conversations about whether risks are likely to exceed risk tolerance levels easier to manage.
2. Enables cost-benefit analysis and risk prioritization
As well as deriving quantitative estimates for how often a risk will occur (or the impact it will have), you can also estimate by how much a proposed control will reduce that risk. These estimates could be informed by a range of sources such as assurance activities, evaluations of the efficacy of a control, or expert knowledge of how a proposed control will integrate into your system.
Comparing the estimated reduction in the likelihood or impact with the cost of a new control can help decision makers choose whether to implement a control or not. This helps ensure limited security resources are managed as efficiently as possible.
Similarly, when there are multiple options for which controls to implement, weighing up the reduction in risk each option offers, as well as their cost, can help you make more informed decisions.
It’s hard to compare two risks both rated as ‘high’ and decide which one needs addressing first. If the risks are quantified in a way that offers more granularity and visibility for what a risk could mean for your organization, it can help decide which risk to address first.
3. Provides transparency
As with all approaches to risk analysis, you need to document your assumptions in case these need to be revisited later. You should also seek to provide information on what data sources or processes you have used to reach your conclusions when communicating risks.
Strategies and best practices
Consider the following best practices and steps for measuring and managing cyber-risk.
Use a structured approach. Choose a cyber-risk management framework to ensure a consistent and repeatable methodology for risk assessment.
Identify critical assets. Determine the critical data assets and systems that are essential to the organization’s operations, quantify their value and prioritize their protection.
Collect relevant data – on threats and vulnerabilities, as well as their potential impacts on assets and systems. Quantify these impacts.
Consider multiple scenarios. Assess different scenarios, weighing the probability of a given security incident occurring and its potential impact on the organization.
Translate cyber-risk into financial terms. Use cyber-risk quantification methodology to translate cyber-risk into monetary terms and demonstrate the potential financial impact of a security incident on the organization.
Align cybersecurity initiatives with business objectives. Demonstrate how cybersecurity investments can support strategic business goals.
Communicate in language that resonates with the business. Use language understandable to key stakeholders, particularly executives and board members. Speak in terms of risk tolerance and financial impact, rather than relying on technical, security-specific jargon.
Provide regular updates. Give timely updates to highlight the organization’s cyber-risk exposure and demonstrate the effectiveness of cybersecurity initiatives.
Conclusion
A hard task for companies is deciding how many resources to invest in their various business projects. The difficulty is greatest when a project, instead of generating an immediate economic return, has the prevention of future losses as its main objective. Investments in cyber security have exactly this feature.
Every euro invested in making the business safer does not translate into an immediate gain, and without suitable security investment metrics it is difficult for management to make any investment decision at all. A large reduction in cyber risk is an ambitious goal that runs into spending and budget limits, so it is necessary to identify an optimal level of risk exposure below which the cost of further investment would exceed the benefit of the risk reduction it buys. The traditional trade-off between risk and return typical of financial investments gives way to a trade-off between risk and avoided losses.
Cyber-risk quantification certainly offers benefits to organizations. It gives security leaders a clear understanding of the financial impacts of a successful cybersecurity attack. On the other hand, there is a need for proper planning, choosing the right model and vendor of cyber risk management tools.
Obviously, methodologies and tools are not lacking. But which one is right for your organization's needs? That is the question we are going to put to our expert panelists at our NORDIC IT SECURITY conference!
Should you need more information on methods or particular tools that can best fit your organization, contact our experts and we will be happy to help you.