By Kelly White | July 2, 2018
Calculating cyber risk is a key element of any sound risk management strategy. While traditional risk management models have focused on financial, process, workplace and IT factors, for many organizations cyber risk is still a new component in their risk assessment practices. Yet issues such as accurately measuring exposure, understanding the correct level of security spend, and whether or not to buy cyber insurance (and how much to buy) depend on hard numbers. How do you tackle quantifying these concerns in practical business terms?
There are several published frameworks that can help get you started. One emerging practice is to use Cyber Value-at-Risk (VaR) models. Leveraging the well-proven investment banking VaR approach, Cyber VaRs evaluate issue probability, severity and asset value to help you estimate likely losses in the event of a cyber-attack?such as the amount of potential loss, the probability of that amount of loss and the expected time frame for the loss.
The FAIR Institute, a not-for-profit organization whose mission is to establish and promote information risk management best practices (RiskRecon is a partner), has created a Cyber VaR that to date is the only internationally accepted standard. FAIR’s model, adopted by many large multinational firms and leaders such as the World Economic Forum and The Open Group standards body, calculates total cyber risk as an outcome of loss event frequency, based on threat event frequency and vulnerability, and loss magnitude, based on primary loss and secondary risk. Using these factors provides a common language to articulate cyber risk in terms that business and financial professionals can understand and address.
Another useful tool is the soon-to-be-finalized U.S. National Institute of Standards (NIST) Risk Management Framework for Information Systems and Organizations. The NIST Framework offers a structured but flexible process “for organizational asset valuation; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.”1 The Framework also offers guidance on proactive steps that organizations can take to reduce risk, and provides a construct for senior leaders to make sound, informed risk management decisions.
One further option is the Center for Internet Security’s Critical Security Controls. The Center is a not-for-profit organization whose mission is to develop and advance best practices for cyber defense. Leveraging its membership base of large businesses, government and academia, the Center implements a closed crowdsourcing model to identify and refine effective security measures. The twenty Controls are an output of this work, and an associated Risk Assessment Model (RAM) can be downloaded for free.
Whether you choose one of these tools or some other measurement method, quantifying cyber risk is the next imperative in your organizational risk management practice. Only when you can measure and meaningfully approximate your cyber risk exposure can you appropriately manage behaviors and investment according to your organization’s risk appetite. We’ll talk about that in an upcoming post.