Over the last few years, there has been increasing interest by CISOs and business leaders in cybersecurity risk quantification. Many of the CISOs we are working with are keen to connect security risk to the language of business. In this article, Graeme Payne reviews how cyber risk quantification and decisioning can be used to communicate cyber risk more clearly and accurately to the business, including:
- Pitfalls of the traditional approach to communicating cyber risk
- The shift to cyber risk quantification and decisioning
- Where to start your cyber risk quantification journey
- Why now is the time to start
Cybersecurity risk is now ranked by Global CEOs as the top threat to growth. The increasing digitization of business, expansion of digitized data, and high reliance on technology have created many opportunities for threat actors to attack companies’ systems and data.
While senior business leaders and Boards of Directors intuitively understand that cybersecurity is a key risk, they are challenged to evaluate it in relation to other risks such as credit, liquidity, and market risk. At the same time, security leaders want to be able to communicate risk in business terms.
Pitfalls of the traditional approach to communicating cyber risk
The traditional approach to communicating cyber risk has been to use ordinal scales for determining the likelihood and impact of a risk, for example, 1 (low) to 5 (high). Risks are then plotted on a risk grid so that management can visualize the relative severity of the risks facing the organization.
In their book How to Measure Anything in Cybersecurity Risk, authors Douglas Hubbard and Richard Seiersen point out many of the pitfalls of using these techniques. Pitfalls of the traditional approach to communicating cyber risk include:
- Heavy reliance on the subjective judgment of the risk assessor to determine likelihood and impact.
- A greater tendency to inflate risk due to the uncertainty of measurements.
- A perception that the scores rest on a scientific approach, which in practice provides only a “placebo effect”.
- A lack of evidence that traditional risk scoring and risk matrices improve cybersecurity decision making.
- A belief that some elements cannot be measured, or are too few to be representable.
Instead, they argue for a more quantitative approach to measuring cybersecurity risk.
The shift to cyber risk quantification
There are multiple approaches and tools available to help CISOs in quantifying cybersecurity risk. Kudelski Security has teamed up with X-Analytics, a leading provider of cybersecurity risk decisioning services. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards, and the risk management industry understand and manage cyber risk.
X-Analytics leverages a combination of firmographic data about the organization and historical cybersecurity incident data to deliver financial metrics that enable better cyber risk decisions. Key factors addressed in the model include:
- Inherent risk
- Control effectiveness
- Residual risk
- Loss categories
The model also allows for “what if” simulations to model potential investment returns in evolving the security program.
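The two passages above describe the contrast in prose: unitless ordinal scores on one side, a model built from event probability, loss ranges, control effectiveness, residual risk and “what if” comparison on the other. The following is an added illustration written for this article, not X-Analytics code or data and not a description of its model. It uses the Hubbard/Seiersen-style Monte Carlo approach: a calibrated 90% confidence interval for per-event loss is mapped onto a lognormal distribution, simulated years produce an expected annual loss and a loss exceedance probability, and a candidate control is modelled, as an assumption, as a fractional reduction in event probability. The scenario numbers (15% annual probability, a 200k to 5M loss range, a 20k control cost) are constructed.

```python
import math
import random
from statistics import mean

# Constructed scenario for illustration only; these are not X-Analytics data or
# outputs. A calibrated estimator supplies a 90% confidence interval for the
# loss from a single event plus the annual probability that the event occurs.
SCENARIO = {
    "name": "ransomware event (constructed)",
    "annual_probability": 0.15,   # assumed P(at least one event in a year)
    "loss_low": 200_000.0,        # assumed 5th percentile of per-event loss
    "loss_high": 5_000_000.0,     # assumed 95th percentile of per-event loss
}

Z_95 = 1.6448536  # standard-normal quantile for the 95th percentile


def ordinal_score(likelihood: int, impact: int) -> int:
    """The traditional heat-map approach: two 1-5 ordinal ratings multiplied
    into a unitless score. A 12 cannot be compared with a premium or a budget,
    and both ratings are the assessor's judgment."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ordinal ratings run from 1 (low) to 5 (high)")
    return likelihood * impact


def lognormal_params(low: float, high: float) -> tuple:
    """Turn a 90% confidence interval into lognormal (mu, sigma). The bounds
    are the 5th and 95th percentiles, so the median is sqrt(low * high)."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def simulate_annual_losses(scenario, control_effectiveness=0.0,
                           trials=20_000, seed=1):
    """Monte Carlo over simulated years. control_effectiveness (0..1) is the
    assumed fraction by which a control reduces event probability; 0 gives
    inherent risk, anything higher gives residual risk."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be in [0, 1]")
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    p_event = scenario["annual_probability"] * (1.0 - control_effectiveness)
    mu, sigma = lognormal_params(scenario["loss_low"], scenario["loss_high"])
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def expected_annual_loss(losses):
    """Mean simulated annual loss, in currency units."""
    return mean(losses)


def loss_exceedance(losses, threshold):
    """P(annual loss > threshold): one point on a loss exceedance curve, the
    quantity a risk appetite or risk tolerance discussion can be anchored on."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def what_if(scenario, control_effectiveness, annual_control_cost,
            trials=20_000, seed=1):
    """Compare inherent and residual expected loss for a candidate investment."""
    inherent = simulate_annual_losses(scenario, 0.0, trials, seed)
    residual = simulate_annual_losses(scenario, control_effectiveness, trials, seed)
    inherent_eal = expected_annual_loss(inherent)
    residual_eal = expected_annual_loss(residual)
    reduction = inherent_eal - residual_eal
    return {
        "inherent_eal": inherent_eal,
        "residual_eal": residual_eal,
        "eal_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
        "p_loss_over_1m_inherent": loss_exceedance(inherent, 1_000_000),
        "p_loss_over_1m_residual": loss_exceedance(residual, 1_000_000),
    }


if __name__ == "__main__":
    print("heat-map score (likelihood 3, impact 4):", ordinal_score(3, 4))
    result = what_if(SCENARIO, control_effectiveness=0.5, annual_control_cost=20_000)
    for key, value in result.items():
        print(f"{key:>24}: {value:,.2f}")
```

The point of the contrast is in the return values: `ordinal_score` yields a number with no units, while `what_if` yields an expected annual loss, a reduction attributable to the control, and a net benefit after its cost, all in currency, so they can be set next to an insurance premium or a competing investment. The exceedance probability at a chosen threshold is the figure a Board can compare with its stated tolerance. Modelling a control purely as a reduction in event probability is a simplification; a control that limits blast radius would instead narrow the loss interval.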
When to use a cyber risk decisioning platform
The adoption of cybersecurity risk quantification is a journey. In working with our clients, we have identified several use cases for when to use a cyber risk decisioning platform.
Evaluating cyber insurance and self-insurance
The relatively immature nature of the cybersecurity insurance market has resulted in the insurance industry experiencing high losses. Consequently, insurance premiums, underwriting standards, and contract exclusions have all increased. In some cases, organizations are deciding to self-insure their cyber risk.
Using X-Analytics, we have been able to help our clients through this decision process and optimize the insurance spending and capital allocation needed to address the overall cyber risk.
Justifying and prioritizing cybersecurity investments
By measuring the amount and range of potential financial impacts resulting from cybersecurity risk, senior management, the Board, and the CISO can now engage in a discussion about cyber risk appetite and risk tolerance expressed in financial terms.
Now investments to reduce financial exposure can be considered alongside other investments that generate revenue or reduce risk. Armed with quantified financial dashboards and metrics, the key stakeholders are all using the language of business to discuss cyber risk and return on investment.
X-Analytics provides “what if” analysis features that allow a range of investment options to be considered and measured.
Evaluating a potential acquisition
When a company is considering an acquisition, it is often difficult for the security leader to evaluate the potential risks inherent in the acquisition. Due diligence is often limited, and there is a lack of detailed information to really understand cyber risk. Using a risk quantification platform can provide a quick analysis of the potential cyber risk that the organization may assume if the acquisition is completed.
Evaluating the impact of specific threats
Cyber risk quantification analysis allows the security leader to focus on the potential financial impact of specific threats. For example, Boards of Directors are very interested in the company’s exposure to ransomware. Using a tool like X-Analytics allows the security leader to provide a specific financial quantification of that risk profile. Management can then evaluate whether the analyzed risk is acceptable or, if not, what mitigations need to be implemented to reduce the risk to an acceptable level.
Communicating cyber security program effectiveness
As the senior management and Board become accomplished in understanding and using a risk quantification model for cyber risk, the security leader can now use it to measure and report on the overall security strategy and program. As changes occur in the threat landscape and business environment, these can be seen in changes in the loss estimates. Similarly, as investments are made in security controls and processes, the payback in terms of reduced risk exposure can be measured and reported in financial terms.
Where to start your cyber risk quantification journey
We have four tips to help security leaders get started on their cyber risk quantification journey:
- Get comfortable with the risk decisioning model.
- Socialize the model with peers.
- Integrate the decisioning model into your overall risk framework.
- Leverage the model to communicate the organization’s overall risk profile.
Get comfortable with the cyber risk decisioning model
First, the security leader needs to be comfortable with the risk decisioning model and the underlying assumptions. They don’t need to be a financial expert, but understanding the basic inputs and drivers of any model is important. Experiment with different assumptions and inputs to understand the model’s sensitivity and drivers. Leverage experienced consultants to help ramp up quickly.
Socialize the cyber risk decisioning model with peers
Second, socialize the risk quantification model and dashboards with peers. Finance, insurance, and other risk professionals in the organization will want to understand the model. Start with one of the use cases described above and build from there. For example, use the model to help with your next cyber insurance review.
Integrate the decisioning model into your overall risk framework
Third, find ways to integrate the risk decisioning model into your overall risk framework. Consider how it can be used to help in managing your risk register, determine risk impacts, and evaluate risk treatments.
Use the “what if” analysis tools to help evaluate the efficacy of risk treatments. Expand the tool to measure risks at a business unit level. Use it to measure and manage supply chain risks.
Leverage risk quantification and decisioning to communicate overall risk profile
Finally, leverage risk quantification and decisioning to communicate the overall risk profile of your organization to your Board and senior management. Use the tools and models to help in your discussions of risk appetite and risk tolerance. Align your security investments and strategic roadmaps with the risk profile to demonstrate how investments in developing and maintaining capabilities are providing a payoff in risk reduction.
Why now is the time for cyber risk quantification and decisioning
In Cyber-Risk Oversight 2020, the National Association of Corporate Directors provides the following guidance:
“To address these increased expectations, companies need to understand the financial impact associated with cyber-event risk. Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk…. Leveraging these mathematical and scientific methods for improved analyses can allow for more effective decision making compared to qualitative types of risk scoring and heat map risk reporting.”
Regulators such as the Securities and Exchange Commission and investor groups are also calling for increased disclosure of cyber risk, including understanding the financial implication of cyber risk.
Now is a great time for security leaders to step forward and take the lead in cyber risk quantification. I would encourage security leaders to start experimenting and getting comfortable with cyber risk decisioning.
To get started on your cyber risk quantification and decisioning journey, get in touch with our advisory services team here.
- Getting Started with Cyber Risk Quantification and Decisioning - November 8, 2022