Risk management is an important element in using data to get ahead of cybersecurity risks before they happen. The costs of protecting an enterprise of any size against cyber attacks continue to rise. Once a business truly understands the consequences of an incident, its leaders must decide how to manage the risk. They can choose to accept, reduce or avoid the risk. But whichever choice they make involves costs of some sort.

Board members and senior executives are acutely aware and educated about the impact of cybercrime. At best, they can ask challenging questions of cybersecurity leaders to quantify the business risk and associated costs. Questions they may ask include:

  • How do we know if we are investing appropriately or proportionally in cybersecurity?
  • What is the accurate and realistic perspective on our cyber risk exposure?
  • What are the risks our third parties pose to our business?
  • What is the right level of investment needed to protect us?
  • Are we prioritizing our top risks based on the likelihood of an attack?
  • What methods and calculations are we using to justify cyber spending?

To answer these questions with confidence using meaningful data, one needs a robust method for risk management and quantification. Effective cyber risk quantification should take the essence of credit, market and operational risk models and apply it to a cybersecurity context.

Learn From Financial Risk Management Strategies

Let’s look at some financial risk management and assessment strategies. A technique financial institutions have historically used to assess credit risk is the five “Cs” of lending risk. These Cs are:

  1. Cash flow (the ability to repay a debt)
  2. Collateral (assets used to borrow against)
  3. Capital (the amount of accessible money in reserves)
  4. Character (general trust, credibility and personality)
  5. Conditions (current status, economic conditions, etc.)

The five Cs require an element of subjective judgment. This has sometimes led risk managers to reach inaccurate or unduly negative assessments, or overly optimistic views, on whether to extend credit to customers.

What is Market Risk?

Market risk is a measurement of the possibility of taking losses relating to the performance of financial markets. Examples of market risks include market downturns, currency fluctuations, economic sanctions, interest rate changes, natural disasters, terrorist attacks and civil unrest.

To measure market risk, investment and commercial banks use the value-at-risk (VaR) modeling method. This method uses statistical risk management to quantify potential losses and the probability of those potential losses materializing. The VaR method also requires underlying assumptions and subjective decision making.

What is Operational Risk?

Operational risk is defined by Basel II as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

The Basel Committee on Banking Supervision proposed the standardized measurement approach (SMA) as a method of assessing operational risk. The SMA was developed to establish consistency regarding the regulatory capital measurement for operational risk and to promote comparison between risk-based measures.

Operational risk assessments also should consider factors such as reputational, regulatory and legal risk. All of these can impact the financial stability of an organization that experiences a cyberattack or breach.

Bringing Risk Management to Cybersecurity

Lessons learned from credit, market and operational risk models and techniques can also be applied to cyber risk. For example, these frameworks informed the development of Factor Analysis of Information Risk (FAIR), which the Open Group has selected as its standard information risk taxonomy and methodology.

The FAIR methodology was created to provide measurements and inform decision-making using the VaR model, directly linking cybersecurity and financial operational risk plans.

Answering the Cyber Risk Quantification Questions

With the FAIR model, cybersecurity professionals can answer questions posed by senior executives by breaking down risks into discrete, quantifiable elements.

From there, we can do the math. At the highest level of abstraction, risk equals the probable frequency and probable magnitude of future loss. Frequency is estimated as the probable number of loss events in a defined time period; magnitude, in a business context, is the amount of money lost per event. Risk, or loss exposure, can therefore be expressed in the financial terms executives already work with.
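To make the frequency-times-magnitude arithmetic concrete, here is an added Monte Carlo example (not from the original article or from FAIR’s own tooling) that turns three-point expert estimates into an expected annual loss and VaR-style percentile figures. The input ranges are constructed for illustration, and triangular distributions are a simplification of the PERT curves FAIR typically uses.

```python
import math
import random

# Three-point estimates (minimum, most likely, maximum) of the kind gathered
# from subject matter experts. Constructed values; triangular curves stand in
# for FAIR's PERT distributions to keep the example self-contained.
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 4.0)       # loss events per year
LOSS_MAGNITUDE = (10_000, 50_000, 300_000)   # dollars lost per event


def triangular_mean(estimate):
    low, mode, high = estimate
    return (low + mode + high) / 3.0


def expected_annual_loss(frequency=LOSS_EVENT_FREQUENCY, magnitude=LOSS_MAGNITUDE):
    """Point estimate: probable frequency x probable magnitude."""
    return triangular_mean(frequency) * triangular_mean(magnitude)


def _poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    threshold, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(frequency=LOSS_EVENT_FREQUENCY, magnitude=LOSS_MAGNITUDE,
                           years=10_000, seed=2023):
    """Monte Carlo: one total loss figure per simulated year, sorted ascending."""
    rng = random.Random(seed)
    f_low, f_mode, f_high = frequency
    m_low, m_mode, m_high = magnitude
    losses = []
    for _ in range(years):
        # Draw this year's event rate, then the event count, then each event's cost.
        events = _poisson(rng, rng.triangular(f_low, f_high, f_mode))
        losses.append(sum(rng.triangular(m_low, m_high, m_mode) for _ in range(events)))
    return sorted(losses)


def summarize(losses):
    """Expected annual loss plus 95th/99th percentile loss (VaR-style figures)."""
    def percentile(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"expected": sum(losses) / len(losses),
            "var95": percentile(0.95), "var99": percentile(0.99)}


if __name__ == "__main__":
    print(f"Point estimate: ${expected_annual_loss():,.0f} per year")
    for name, value in summarize(simulate_annual_losses()).items():
        print(f"{name:>8}: ${value:,.0f}")
```

The gap between the expected figure and the 95th or 99th percentile is what a board-level “how bad could a bad year be” question is really asking, and it is what a simple frequency-times-magnitude average hides.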

Advantages and Challenges of Cyber Risk Quantification

Advantages:

  • Supports transparency about financial risks and impact to the business through strong cost/benefit analysis.
  • Helps answer board-level questions that may be posed by shareholders, regulators and external stakeholders.
  • Provides consistency, accuracy and trends that give meaningful data for informed decisions, not just on cyber risk but also on strategic innovations and technologies.
  • Provides a technique to articulate the overall cyber risk posture and appetite to the enterprise on mission-critical services.
  • Helps educate leadership and management teams on cyber threats by understanding the value of assets (systems and data), then allocating resources accordingly.
  • Can provide greater insight into secondary impacts and costs, such as customer attrition rates, increased staffing costs due to the level of complaints, staff absenteeism due to the stress of incident response, etc.

Challenges:

  • When data inputs are not available, inputs may have to be created from estimates by subject matter experts, with a stated level of confidence in the accuracy and quality of the data sources.
  • A changing technology landscape opens the enterprise to new cyber risks on a frequent basis, which requires regular review of risk appetites and overall posture.
  • Adoption of new standards like FAIR requires vetting, review and buy-in from existing enterprise risk management teams and functions.
  • Many organizations lack the skills and experience to perform cyber risk quantification effectively.
  • Leadership must be educated to move away from traditional heat maps toward a new way of thinking that interprets cyber risk financially.
  • Measuring the fallout of cyberattacks where datasets are not available may be difficult for organizations or industries not accustomed to quantifying cyber risk without them.

Looking for Help With Risk Management?

Using tools such as RiskLens, security professionals can evaluate which risk mitigation strategies are most effective in reducing cyber risk and present options to executive leadership based on cost/benefit analysis. Executive leadership and the board can improve their governance and oversight roles by making well-informed decisions about cyber risk when options and alternatives are presented in the familiar language of money.
