Risk management is an important element in using data to get ahead of cybersecurity risks before they happen. The costs of protecting an enterprise of any size against cyber attacks continue to rise. Once a business truly understands the consequences of an incident, its leaders must decide how to manage the risk. They can choose to accept, reduce or avoid the risk. But whichever choice they make involves costs of some sort.

Board members and senior executives are acutely aware of and educated about the impact of cybercrime. At best, they can ask challenging questions of cybersecurity leaders to quantify the business risk and associated costs. Questions they may ask include:

  • How do we know if we are investing appropriately or proportionally in cybersecurity?
  • What is the accurate and realistic perspective on our cyber risk exposure?
  • What are the risks our third parties pose to our business?
  • What is the right level of investment needed to protect us?
  • Are we prioritizing our top risks based on the likelihood of an attack?
  • What methods and calculations are we using to justify cyber spending?

To answer these questions with confidence using meaningful data, one needs a robust method for risk management and quantification. Effective cyber risk quantification should take the essence of credit, market and operational risk management and apply it to a cybersecurity context.

Learn From Financial Risk Management Strategies

Let’s look at some financial risk management and assessment strategies. A technique financial institutions have historically used to assess credit risk is the five “Cs” of lending risk. These Cs are:

  1. Cash flow (the ability to repay a debt)
  2. Collateral (assets used to borrow against)
  3. Capital (the amount of accessible money in reserves)
  4. Character (general trust, credibility and personality)
  5. Conditions (current status, economic conditions, etc.)

The five Cs require an element of subjective judgment. This has sometimes led risk managers to reach inaccurate or negative assessments, or overly optimistic views on whether to provide credit to customers.

What is Market Risk?

Market risk is a measurement of the possibility of taking losses relating to the performance of financial markets. Examples of market risks include market downturns, currency fluctuations, economic sanctions, interest rate changes, natural disasters, terrorist attacks and civil unrest.

To measure market risk, investment and commercial banks use the value-at-risk (VaR) modeling method. This method uses statistical risk management to quantify potential losses and the probability of those potential losses materializing. The VaR method also requires underlying assumptions and subjective decision making.

What is Operational Risk?

Operational risk is defined by Basel II as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

The Basel Committee on Banking Supervision proposed the standardized measurement approach (SMA) as a method of assessing operational risk. The SMA was developed to establish consistency regarding the regulatory capital measurement for operational risk and to promote comparison between risk-based measures.

Operational risk assessments also should consider factors such as reputational, regulatory and legal risk. All of these can impact the financial stability of an organization that experiences a cyberattack or breach.

Bringing Risk Management to Cybersecurity

Lessons learned from credit, market and operational risk models and techniques can also be applied to cyber risk. For example, these frameworks have been used to develop Factor Analysis of Information Risk (FAIR), which the Open Group has adopted as its standard information risk taxonomy and methodology.

The FAIR methodology was created to provide measurements and inform decision-making using the VaR model, directly linking cybersecurity and financial operational risk plans.

Answering the Cyber Risk Quantification Questions

With the FAIR model, cybersecurity professionals can answer questions posed by senior executives by breaking down risks into discrete, quantifiable elements.

From there, we can do the math. At the highest level of abstraction, risk equals the probable frequency and probable magnitude of future loss. Frequency is calculated by estimating the probable number of loss events in a defined time. Losses, in a business context, mean a loss of an amount of money. Therefore, you can express risk or loss exposure in financial terms executives are familiar with.
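As an added illustration, not code from the article, from RiskLens or from the FAIR standard itself, the following Python script runs a simple FAIR-style Monte Carlo: loss event frequency and loss magnitude are entered as constructed (minimum, most likely, maximum) estimates, each simulated year draws a number of loss events and a cost per event, and the annual totals give an annualized loss expectancy and a VaR-style 95th percentile. It also compares expected loss before and after a control that is assumed to lower frequency, which is the cost/benefit view the article describes; the triangular and Poisson distributions, the estimate values and the control scenario are all assumptions.

```python
import math
import random
import statistics

# Constructed estimates, not from the article: (minimum, most likely, maximum).
LOSS_EVENT_FREQUENCY = (0.5, 2.0, 6.0)          # loss events per year
LOSS_MAGNITUDE = (50_000, 250_000, 2_000_000)   # dollars lost per event

def draw(rng, estimate):
    """Sample a (min, most likely, max) expert estimate as a triangular distribution."""
    low, most_likely, high = estimate
    return rng.triangular(low, high, most_likely)

def poisson(rng, rate):
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    threshold, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def percentile(values, p):
    """Nearest-rank percentile, with p between 0 and 1."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

def simulate_annual_loss(frequency, magnitude, trials=20_000, seed=7):
    """FAIR-style Monte Carlo: for each simulated year draw a loss event rate, the
    number of events, and a magnitude per event; summarize the resulting annual loss."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        events = poisson(rng, draw(rng, frequency))
        annual.append(sum(draw(rng, magnitude) for _ in range(events)))
    return {"ale": statistics.fmean(annual),      # annualized loss expectancy
            "median": statistics.median(annual),
            "p95": percentile(annual, 0.95)}      # VaR-style 95th percentile

def compare_control(frequency, magnitude, frequency_after, annual_cost, **kw):
    """Cost/benefit of a control that is expected to lower loss event frequency."""
    before = simulate_annual_loss(frequency, magnitude, **kw)
    after = simulate_annual_loss(frequency_after, magnitude, **kw)
    return {"before": before, "after": after,
            "net_benefit": before["ale"] - after["ale"] - annual_cost}

if __name__ == "__main__":
    # Constructed scenario: a control cutting frequency to roughly a third costs $150k a year.
    r = compare_control(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE, (0.2, 0.7, 2.0), 150_000)
    print(f"ALE before ${r['before']['ale']:,.0f}  after ${r['after']['ale']:,.0f}  net ${r['net_benefit']:,.0f}")
```

The 95th percentile is the figure to put beside the annualized loss expectancy when briefing the board, since a control that barely moves the average may still cut the tail loss that matters most.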

Advantages and Challenges of Cyber Risk Quantification

Advantages:

  • Supports transparency about financial risks and impact to the business through strong cost/benefit analysis.
  • Helps answer board-level questions that may be posed by shareholders, regulators and external stakeholders.
  • Provides consistency, accuracy and trends that give meaningful data for informed decisions, not just on cyber risk but also on strategic innovations and technologies.
  • Provides a technique to articulate the overall cyber risk posture and appetite to the enterprise for mission-critical services.
  • Helps educate leadership and management teams on cyber threats by establishing the value of assets (systems and data) and then allocating resources accordingly.
  • Can provide greater insight into secondary impacts and costs, such as customer attrition rates, increased staffing costs due to the level of complaints, staff absenteeism due to the stress of incident response, etc.

Challenges:

  • When data inputs are not available, they may have to be created from subject matter experts’ estimates, with a stated level of confidence in the accuracy and quality of the data sources.
  • A changing technology landscape opens the enterprise to new cyber risks on a frequent basis, which requires regular review of risk appetites and overall posture.
  • Adoption of new standards like FAIR requires vetting, review and buy-in from existing enterprise risk management teams and functions.
  • Many organizations lack the skills and experience to perform cyber risk quantification effectively.
  • Leadership must be educated to move away from traditional heat maps toward a new way of thinking that interprets cyber risk financially.
  • Measuring the fallout of cyberattacks where datasets are not available may be difficult for organizations or industries not accustomed to quantifying cyber risk without them.

Looking for Help With Risk Management?

Using tools such as RiskLens, security professionals can evaluate which risk mitigation strategies are most effective in reducing cyber risk and present options to executive leadership based on cost/benefit analysis. Executive leadership and the board can improve their governance and oversight roles by making well-informed decisions about cyber risk when options and alternatives are presented in the familiar language of money.
