There are places where ambiguity and subjectivity work well – but measuring your cyber risk exposure isn't one.
One place where clarity is required is in the C-suite. As both cybersecurity costs and risks continue to escalate, CEOs continue to struggle with what their investment in cyber protection buys.
When trying to gauge the effectiveness of their company's cybersecurity, one survey found that 72% of CEOs receive metrics that “lack meaning or context,” and 87% “need a better way to measure the effectiveness of their cybersecurity investments.
As MIT Sloan Management Review notes, “Often, executives as well as directors spend too much time studying technical reports on such things as the numbers of intrusion detection system alerts, antivirus signatures identified, and software patches implemented.” These things often get delegated and limited to the IT department but ideally, dealing with and addressing cyber security risks should be strategically managed by the top management so that risk management is not just incidence-based.
Cybersecurity increasingly needs to learn to speak a different language. Current reforms in multiple countries - notably, Australia and the United States - would expose individual directors and executives to personal liability for cybersecurity risks. The proposals also seek to record the “substance of how a company manages its cybersecurity risk.
That's a profoundly different position on risk - and not one that is conducive to qualitative or ambiguous ‘traffic light system' type representations.
The traditional approach has been to rank risks as high, medium, and low, or assess them in terms such as “probably likely to occur” or “somewhat likely to impact the business.”
These categorisations are too vague in the modern world. Security teams might think a medium risk needs to be mitigated, but the management team might argue that it can be accepted. Defending your point of view can be tough because the term ‘medium risk' sounds quite ambiguous.
It gets more challenging when teams have multiple risks that are all ranked medium. Which one do you focus on first? Do you spend the same amount of time and resources managing all three risks? It's difficult to know for sure with non-quantitative metrics.
Organisations face thousands of IT and cyber risks a year. The challenge is to determine which risks should be dealt with first. Likewise, there may be hundreds of possible security controls; which one will yield the greatest benefits for the least cost?
These are questions that CISOs must have an answer to. And to do that, they need quantitative data. Ambiguous terms must be converted into hard numbers.
Do the math
Enter cyber risk quantification - a process for measuring IT and cyber risk exposure in monetary terms.
It's intended to help practitioners and their employers determine which risks to prioritise and where to allocate cybersecurity resources for maximum impact.
Typically, cyber risk quantification uses sophisticated modelling techniques like Monte Carlo simulations to estimate the value at risk (VaR) or expected loss from risk exposure.
By quantifying the monetary impact of a risk event, questions like “How much should we invest in cybersecurity?”, “What will be the return on investment?” and “Do we have enough cyber insurance coverage?” can be more confidently answered.
Uncertainty is minimised when cyber risk exposure is expressed in clear and precise terms. It becomes easier to direct security investments when it's known how much the risk will cost and how much a particular control can help lower that cost. There's much less debate and confusion about the top three cyber risks, why they've been ranked that way, or which controls are most relevant to mitigate those risks. The data is already there for everyone to see.
Multiple stakeholders benefit from such clarity. CISOs gain a deeper understanding of risk impact, which helps them make data-driven decisions. Boards have more visibility into what's at stake for the business in terms of dollar value. And executives can effectively prioritise cybersecurity investments, driving alignment between cyber programs and business goals.
Six things to keep in mind
To quantify cybersecurity risk, organisations should consider six important points.
First, establish a common risk language. If everyone in the organisation has a different definition for each IT asset, threat, or vulnerability, it will be difficult to communicate and defend risk decisions. Standardise the risk nomenclature as much as possible.
Second, cyber risk quantification is a collaborative exercise that goes beyond the IT security department. Engage other divisions in identifying critical risk scenarios. The more perspectives that are brought to the table, the more comprehensive your risk data will be.
Third, cyber risks and threats are constantly evolving. A risk that was critical a year ago may not be as important or relevant anymore. The only way to know is to re-quantify risks at regular intervals – maybe once or twice annually.
Fourth, it's neither efficient nor effective to cover all possible threats and risk scenarios at once. Pick one important use case and work on that before moving forward.
Fifth, automate wherever possible. Manual cyber risk quantification processes can be both complex and time-consuming. Automating those workflows can help measure a large number of risk exposures faster.
And finally, quantification isn't a cure-all: Cyber risk quantification should enhance, not replace, other IT and cyber risk management processes. Its value is best realised when complemented with risk monitoring, qualitative assessments, internal audits, and issue management processes.
While no organisation can ever be fully immune to threats and risk, smart and calculable risk quantification, management, and measurement can help organisations get better at mitigating risks.