One way to get C-level managers and cybersecurity department heads on the same page is to employ cyber risk quantification, as it speaks to costs versus risks.
It’s a reasonably safe bet that cyber incidents in 2021 will look much like those of previous years. However, something is different this year: business leaders are asking those in charge of cybersecurity departments to put a monetary cost on each cybersecurity risk the company could suffer.
“While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations,” wrote Jerry Caponera, VP of cyber risk strategy at ThreatConnect.
In the ThreatConnect blog Cyber Risk Quantification: The Pressure Is On (New Survey), Dan Verton, director of content marketing, puts a finer point on what Caponera described.
“Seventy percent of security professionals who took part in a recent ThreatConnect survey said they are receiving medium to high levels of pressure to produce cyber risk quantification data for their business,” wrote Verton. “The growing pace and sophistication of nation state attacks, coupled with an ever-expanding attack surface stemming from continued digital modernization, has focused the attention of business leaders on their ability to accurately quantify and prioritize cyber risks within the context of their individual business.”
Verton goes on to mention something even more troubling: “Half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.”
Verton suggested the following as reasons for the lack of confidence:
- Respondents said they do not have a formalized process in place to evaluate and rank cyber risks (41%)
- Those responding also said they do not have cyber risk quantification technology deployed at their company (25%)
What is cyber risk quantification?
Most will have some idea of what cyber risk quantification entails, but it’s always good to be on the same page. Mark Tattersall, vice president of product management at LogicGate, in his blog The Business Case for Risk Quantification, does an excellent job of defining cyber risk quantification. To begin, he looks at project prioritization.
“For many years projects have been prioritized based on qualitative assessments of likelihood and numerically weighted scales, whereas risk quantification supports more rigorous decision-making by quantifying the potential financial loss to your business due to a risk scenario,” wrote Tattersall. “Risk quantification is a tactical tool used to help understand and evaluate key risk scenarios in order to make more informed decisions and determine the financial impact on your organization.”
Put simply, the idea behind quantification is to prioritize risks according to their expected financial loss, that is, how likely a loss event is combined with how much it would cost, rather than a qualitative high/medium/low rating. That lets the responsible people in a company build budgets around the mitigations that buy the most protection per dollar spent.
How does one go about cyber risk quantification?
Now to the difficult part: how to incorporate cyber risk quantification. “Risk quantification starts with the evaluation of your organization’s cybersecurity risk landscape,” explained Tattersall. “As risks are identified, they are annotated with a potential loss amount and frequency which feeds a statistical model that considers the probability of likelihood and the financial impact.”
Tattersall continued, “When assessing cybersecurity projects, risk quantification supports the use of loss avoidance as a proxy for return on investment. Investments in tighter controls, assessment practices and risk management tools are ranked by potential exposure.”
According to Tattersall, companies are already employing cyber risk quantification. He offered Factor Analysis of Information Risk (FAIR), maintained by the FAIR Institute, as an example. The FAIR Institute website describes FAIR as a model for understanding, analyzing and quantifying cyber risk and operational risk in financial terms; its core inputs are how often a loss event is expected to occur and how large the loss would be when it does.
Additionally, the FAIR model is being used alongside established enterprise risk management and cybersecurity frameworks such as the NIST Cybersecurity Framework, COSO and HITRUST.
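As an added example, not code from the original article or from LogicGate, ThreatConnect or the FAIR Institute, the following Python script carries the model Tattersall describes through end to end: each scenario gets a loss event frequency and a per-event loss magnitude (a lognormal fitted to a 90% confidence range, a common choice in FAIR-style analyses), a closed-form annualized loss expectancy and a Monte Carlo simulation turn those into an expected annual loss plus a loss-exceedance figure, and candidate controls are ranked by loss avoidance against their annual cost, which is the return-on-investment proxy Tattersall mentions. The ransomware scenario, the control names, their costs and their assumed effect sizes are all constructed for illustration and are not real data.

```python
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score that bounds a 90% confidence interval (5th to 95th percentile)


@dataclass(frozen=True)
class RiskScenario:
    """FAIR-style inputs for one loss scenario (constructed sample values, not real data)."""
    name: str
    events_per_year: float  # loss event frequency (LEF): mean loss events per year
    loss_p05: float         # 5th percentile of single-event loss magnitude, in dollars
    loss_p95: float         # 95th percentile of single-event loss magnitude

    def lognormal_params(self):
        """Fit a lognormal distribution to the 90% interval [loss_p05, loss_p95]."""
        mu = (math.log(self.loss_p05) + math.log(self.loss_p95)) / 2
        sigma = (math.log(self.loss_p95) - math.log(self.loss_p05)) / (2 * Z90)
        return mu, sigma

    def expected_loss_per_event(self):
        mu, sigma = self.lognormal_params()
        return math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal

    def annualized_loss_expectancy(self):
        """ALE = LEF * E[loss magnitude]: the closed-form expected annual loss."""
        return self.events_per_year * self.expected_loss_per_event()


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, trials=20000, seed=1):
    """Monte Carlo: draw a year's event count, then a magnitude for each event."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(trials):
        n = _poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def loss_exceedance(losses, probability):
    """Loss amount exceeded with the given probability (0.10 -> a 1-in-10-year loss)."""
    ordered = sorted(losses)
    index = int(math.ceil((1 - probability) * len(ordered))) - 1
    return ordered[min(max(index, 0), len(ordered) - 1)]


@dataclass(frozen=True)
class Control:
    """A candidate investment: its annual cost and the reduction it is assumed to buy."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction of loss events prevented (assumed)
    magnitude_reduction: float = 0.0  # fraction of per-event loss avoided (assumed, < 1)

    def apply(self, s):
        """Return the scenario as it would look with this control in place."""
        return RiskScenario(
            s.name,
            s.events_per_year * (1 - self.frequency_reduction),
            s.loss_p05 * (1 - self.magnitude_reduction),
            s.loss_p95 * (1 - self.magnitude_reduction),
        )


def rank_controls(scenario, controls):
    """Loss avoidance as the ROI proxy: (ALE reduced - annual cost) / annual cost, best first."""
    before = scenario.annualized_loss_expectancy()
    ranked = []
    for c in controls:
        avoided = before - c.apply(scenario).annualized_loss_expectancy()
        roi = (avoided - c.annual_cost) / c.annual_cost
        ranked.append((c.name, round(avoided), round(roi, 2)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample scenario and controls; every number here is illustrative only.
RANSOMWARE = RiskScenario("ransomware on file servers", events_per_year=0.5,
                          loss_p05=200_000, loss_p95=3_000_000)
CONTROLS = [
    Control("offline, tested backups", annual_cost=150_000, magnitude_reduction=0.6),
    Control("phishing-resistant MFA", annual_cost=250_000, frequency_reduction=0.5),
    Control("extra SOC headcount", annual_cost=400_000, frequency_reduction=0.1,
            magnitude_reduction=0.1),
]

if __name__ == "__main__":
    ale = RANSOMWARE.annualized_loss_expectancy()
    sim = simulate_annual_losses(RANSOMWARE)
    print(f"ALE (closed form):      ${ale:,.0f}")
    print(f"ALE (Monte Carlo mean): ${sum(sim) / len(sim):,.0f}")
    print(f"1-in-10-year loss:      ${loss_exceedance(sim, 0.10):,.0f}")
    for name, avoided, roi in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{name:28s} avoids ${avoided:>10,} per year, ROI {roi:+.2f}")
```

The closed-form ALE and the Monte Carlo mean agree, but the simulation also yields the tail figure a board tends to ask about (what a bad year costs), and it makes visible that the median year for this scenario is zero loss, which an average alone hides. The ranking shows the point of loss avoidance as a proxy for return: the cheapest control that shrinks loss magnitude beats the more expensive one that halves frequency, and the costliest option does not pay for itself. The caveat a practitioner should keep in front of leadership is that every output here is only as good as the frequency and magnitude estimates fed in; calibrated ranges and documented reasoning for them are the real work.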
The benefits of cyber risk quantification
Companies are looking hard at cyber risk quantification. It is a way for business leaders, and those responsible for a company’s cybersecurity, to get on the same page.
Tattersall mentioned, “Risk quantification empowers CISOs and CROs to be more strategic in their risk decision-making by integrating the financial impact of risk management, mitigation, and control and allowing you to make a strong business case when you present to the board.” ThreatConnect’s Caponera agrees, “Cyber risk quantification provides security leaders with a way to communicate the most pressing cyber threats facing a company that do not rely on a scoring system that is incomprehensible to anyone outside of the security department.”
Everyone speaks money, so by assigning a dollar value to potential cyber incidents:
- Business leaders have better visibility into the most pressing, and costly, threats facing the enterprise.
- Business and security teams can align their efforts and prioritize the most significant risks rather than dedicating resources to lower-priority risks.
- Security teams can focus their efforts on ensuring the business has adequate controls and processes to defend against the costlier risks and make additional investments if needed.
- Cyber risk quantification also provides an easier way for CISOs to communicate the value of their work to leadership.
As mentioned right at the beginning, we know cyberattacks are going to continue. Caponera and Tattersall agree that an enterprise must have a comprehensive view of its risk landscape.
Caponera concludes with, “Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.”