Many boards are struggling with the question of what cybersecurity risk means to their organizational objectives and how to manage this risk. There is a strong desire to find some way to look at cyber risk from a quantitative point of view, owing to the late Peter Drucker’s principle of “what gets measured gets managed.” But what is cyber-risk quantification and how can measuring cyber risk help your organization?
Underpinning all measurement activities is something known as “measurement science” or metrology. This scientific approach to measurement has given rise to such basics as temperature reading and distance scales. For things that are a little more abstract, there are scientific principles that can be applied to help improve measurement and, by extension, decision-making.
As enterprise-risk management (ERM) organizations established themselves over the last two decades, they needed a way to help businesses manage loss exposure from risks that were difficult to quantify and that were largely unable to be underwritten by insurers. They also needed a way to prioritize risks based on the potential each risk had to cause harm to organizational objectives. The easiest solution was to directly apply priority labels to show how important the risk was (e.g., high, medium, or low). These labels have also been used by cybersecurity organizations as they lead or assist in managing enterprise cyber risk.
However, there are some problems with this approach. While a useful decision-making shortcut (a company does not want to take on high-risk activities, but it will tolerate low-risk ones), there are reams of academic research that discuss the failures of this approach to account for biases and basic measurement errors. Too many people subconsciously neglect to account for organizational risk when applying these labels and instead use their own risk tolerances to calibrate risk for the entirety of the organization. The use of these scales actually adds error to the risk evaluation process instead of reducing it. Further basic errors include the assumption that the distance between values is equal (i.e., the assumption that risks rise in severity at a consistent rate), which compresses risks at the top into a single category, effectively treating a $50 billion risk as equivalent to a $5 million risk, for example. This approach therefore has the effect of keeping an organization from taking reasonable risks at best and misallocating capital to unnecessarily mitigate risk at worst.
True cyber-risk quantification requires the use of values that measure frequency of loss and impact of loss in attaining organizational missions and goals. In this way, quantifying cyber risk comes down to articulating the scenarios that could cause an organization to fail to deliver the products and services for which it is chartered. Expressing cyber risk this way has been thwarted by a dearth of available data and methodologies at individual companies. However, many third parties have been established to provide such data and methodologies and today, cyber-risk quantification is not only possible but employed by companies all over the world.
Applying this data to your organization requires the development of cyber-risk scenarios. This approach begins with defining top-level cyber-risk categories (such as data disclosure, fraud, and business interruption) and breaks those down into progressively more detailed sets of scenarios. Ultimately, at the lower branches of such a decomposition exercise, an organization will arrive at a series of risk triggers familiar to cybersecurity professionals that can be mapped to a control framework, such as the National Institute of Standards and Technology Cybersecurity Framework. In this way, an organization can connect low-level cybersecurity attacks, such as those involving ransomware and code exploits, to the controls that prevent them and ultimately to organizational objectives (as expressed through a company’s products and services). The good news for enterprise risk teams is that financially oriented frameworks, including the Basel II regulations, also support this approach.
Here is an example of a risk decomposition that connects high-level strategic objectives to lower-lever cybersecurity issues.
Strategic Objective 1: Increase the number of customers that use more than one company product by 40 percent.
Cyber Risks to Objective 1:
Layer 1—External fraud
Layer 2—Systems security
Layer 4—Credential stuffing, privilege escalation, lateral movement, etc.
Strategic Objective 2: Increase sales in the North American market by 15 percent.
Cyber Risks to Objective 2:
Layer 1—Business disruption
Layer 2—Systems security
Once such a top-down and bottom-up approach has been made, the exercise of building quantified values to express loss as a result of risk becomes clearer. In addition to traditional revenue metrics such as those weighing the value of delayed or forgone customer transactions, organizations can also leverage public peer data to index losses and project legal and regulatory outcomes.
It is useful to start operationalizing these foundations of cyber-risk quantification as global credit agencies and cyber insurance underwriters are beginning to use similar processes in assessing organizations’ credit worthiness. Indeed, in much the same way that credit rating agencies began talking about environmental, social, and governance risk years ago, so too will cyber ratings become a constituent component in investors’ evaluations over the coming years. This is especially true as the world becomes more aware of the sizable financial impact of mega breaches and supply-chain interruptions on business. Organizations that don’t address cyber risk as a quantifiable, financial risk to their strategic plans will find themselves at a disadvantage in the marketplace. As a board, consider asking the security and enterprise risk leaders in your organization how they are considering the above approaches, including how to use scenario-planning and cyber-risk quantification to inform the company about cyber risks and how ERM leaders and the chief information security officer are bringing their teams together to tackle this problem.
As head of cyber-risk methodology for VisibleRisk, Jack Freund has overall responsibility for the systemic development and application of frameworks, algorithms, and quantitative and qualitative methods to measure cyber risk.
NACD: Tools and resources to help guide you in unpredictable times.
Become a member today.