Evolving cyber risk management with quantification

James Arthur

Too often, cyber risk management is based on instinct rather than solid intelligence. James Arthur summarises our recent webinar on putting the data into cyber security. 

On 3 December, business leaders from a variety of sectors attended our virtual discussion on the future of cyber risk management. Andrew Bonillo from the Ciena Corporation joined me, Vijay Rathour and Darren Brooks to explain how to put a real cash value on the risks of cyber attack and compare it to your cyber security spend.

Cyber risk quantification measures and reports the risk of cyber threats in concrete financial terms, and it's changing how businesses manage cyber risk. It's a smart move, allowing you to make risk transfer decisions on the basis of facts, not just beliefs.

Cyber risk management based on fact

The majority of cyber security management frameworks recommend taking a risk-based approach to the management of cyber security threats. However, there is far less consensus on the precise mechanics of implementing a risk-based approach.

During our webinar, we polled our attendees on who was responsible for reporting to their board on cyber risk. The results showed a wide range of answers, perhaps explaining why many organisations struggle to make business decisions on cyber security. When strategy is based on personal opinion, rather than unbiased data, it can be hard to reach a consensus on business decisions.

Traditionally, boards relied on the opinion of a CISO, based on a simple cost calculation of how many operating days could be lost during a cyber attack. However, the equation is far more complex, covering loss of data, reputational issues and even regulatory compliance.

Indeed, nearly 44% of our webinar's attendees said they had made decisions about where to invest in cyber security based on compliance requirements.

FAIR use of data

Taking a quantitative approach has been possible for a number of years using methodologies such as Open FAIR™ (Factor Analysis of Information Risk) from the Open Group. However, these have been difficult to implement as they require the organisation to have an advanced understanding of the threats they face, the probabilities of those threats manifesting and the cost impact of a security event.

By building a database of historic cyber security events, you can ground your approach to cyber risk management in data. This kind of risk quantification allows you to put a real cash value on the cyber threats you're facing, one that can be directly compared to the cost of investment in cyber security.
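The arithmetic behind that comparison, as an added illustration (not code from the webinar or from the platform described later on this page): it assumes a constructed list of historic loss events and an analyst's estimate of how much a control cuts event frequency, derives a FAIR-style loss event frequency and loss magnitude from them, and compares the expected loss avoided against the control's annual cost, with a Monte Carlo run showing the tail as well as the average.

```python
import math
import random
import statistics

# Constructed sample of historic loss events (hypothetical, not real figures):
# eight events observed over a five-year window, each loss in GBP.
OBSERVED_YEARS = 5
HISTORIC_LOSSES_GBP = [12_000, 45_000, 8_000, 230_000, 15_000, 60_000, 9_500, 120_500]


def loss_event_frequency(losses, years):
    """FAIR 'loss event frequency': observed loss events per year."""
    return len(losses) / years


def annualised_loss_expectancy(losses, years):
    """Point estimate: event frequency x average loss magnitude."""
    return loss_event_frequency(losses, years) * statistics.mean(losses)


def simulate_annual_loss(losses, years, trials=20_000, seed=1):
    """Monte Carlo: events per year ~ Poisson(LEF), each loss ~ lognormal
    fitted to the historic magnitudes. Returns mean and 95th-percentile
    annual loss so the tail, not just the average, informs the decision."""
    rng = random.Random(seed)
    lef = loss_event_frequency(losses, years)
    logs = [math.log(x) for x in losses]
    mu, sigma = statistics.mean(logs), statistics.stdev(logs)
    annual = []
    for _ in range(trials):
        # Knuth's method for a Poisson draw (adequate for a small LEF)
        k, p, threshold = 0, 1.0, math.exp(-lef)
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            k += 1
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(k)))
    annual.sort()
    return {"mean": statistics.mean(annual), "p95": annual[int(0.95 * trials)]}


def control_decision(losses, years, frequency_reduction, annual_cost):
    """Expected loss avoided by a control versus its annual cost.
    frequency_reduction is the assumed fraction by which the control cuts
    loss event frequency (an analyst's estimate, not a measured value)."""
    before = annualised_loss_expectancy(losses, years)
    after = before * (1 - frequency_reduction)
    net = (before - after) - annual_cost
    return {"ale_before": before, "ale_after": after, "net_benefit": net, "invest": net > 0}
```

With the constructed data the point estimate is £100,000 a year; a control assumed to cut event frequency by 40% is worth funding at £30,000 a year but not at £50,000, and the simulated 95th percentile shows how far a bad year can exceed that average.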

BaFin in Germany already requires German banks to do this to stay compliant. Meanwhile, the US SEC provided guidance recommending cyber risk quantification back in 2018.

The advantages of cyber risk quantification

Using cyber risk quantification, you can easily explain your cyber security to stakeholders, even if they aren't familiar with the technology. A simple question of 'are we comfortable with £X million of potential losses if we don't invest £Y million in this security tool?' can make all the difference in your conversations.

You can even set a security budget on each of your cyber security tools. If they aren't providing the expected return on investment, then it's time to review their use.

Where cyber security isn't preventing attacks, perhaps you need to increase your investment. And where the expected threats aren't materialising, you can scale back that investment. This will also help you determine what level of threat insurance you need.

The need for quantification in cyber risk management also applies to your supply chain. A staggering 87% of those who attended our webinar admitted that their cyber risk management of suppliers was based only on subjective controls, without supporting data.

This becomes essential for decentralised organisations that are opening themselves up to cyber threats by spreading out. Identifying where cyber threats are taking their toll is essential to cyber risk management for decentralised firms.

All of this serves to put a real financial value on your firm and the organisations you work with. This can even factor into your M&A due diligence, letting you identify poor cyber security hygiene in acquisition targets.

Making cyber risk management easy

Seeing the value of cyber risk quantification, our team wanted to make it a viable option for any business. Automation was the obvious answer. That's why we created our Digital Risk Quantification platform, based on X-Analytics, which can quickly assess your cyber security and quantify the financial losses associated with your cyber threats.

For a demonstration of the tool or help quantifying and managing your cyber risk, get in touch with James Arthur.

Webinar on demand

Evolving from belief-based cyber risk management to cyber risk quantification

Request access to the webinar