My first book, Corporate Espionage, released in 1997, had a chapter devoted to risk optimization. It discussed risk quantification and risk optimization long before they became the buzzwords they are now. It took more than 20 years for Gartner and Forrester to start officially covering the concept as a unique market within cybersecurity. While I appreciate that something I have been advocating for more than 25 years has begun to be accepted as an integrated part of a cybersecurity program, it is poorly understood, which allows for mediocre products and implementations.
Why I Differentiate Between Risk Quantification and Risk Optimization
To give a very simple working definition, cyber risk quantification (CRQ) is the monetary value of the potential loss an organization faces from a cybersecurity perspective. That involves determining the value of the information and services that are computer-based. I will go into a bit of detail later, but the concept is simple, even though coming up with a reasonably accurate number is very difficult.
There is also the concept of cyber risk exposure, which incorporates the probability of the quantified loss actually occurring. So for example, if you quantified $100M of cyber risk and the probability of that loss is 20%, your exposure is $20M. Sometimes the terms are used synonymously, but you should know the difference. Either way, cyber risk quantification/exposure is about the potential loss an organization can experience.
Cyber risk optimization, which I have been advocating for 25 years, involves taking your cyber risk exposure and determining which countermeasures would be the most cost effective for your organization. You look at the financial impact of a given vulnerability, and you then determine whether the countermeasures that mitigate it provide a good return on investment. In other words, optimization is what makes cyber risk quantification useful.
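As an added illustration of that optimization step (example code written for this post, not from the column or from any product it mentions), the script below computes exposure as quantified loss times probability, scores each countermeasure by return on investment, and greedily picks the best-returning ones that fit a budget. All dollar figures, probabilities and reduction factors are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    quantified_loss: float  # CRQ: monetary value of the potential loss
    probability: float      # likelihood that the loss is actually realised

    def exposure(self) -> float:
        # Cyber risk exposure = quantified loss x probability
        return self.quantified_loss * self.probability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    target: str       # name of the vulnerability it mitigates
    cost: float       # what it costs to implement
    reduction: float  # fraction of the target's exposure it removes (0..1)


def exposure_reduction(cm: Countermeasure, vulns: dict) -> float:
    return vulns[cm.target].exposure() * cm.reduction


def roi(cm: Countermeasure, vulns: dict) -> float:
    # Return on investment: exposure removed, net of cost, per dollar spent
    return (exposure_reduction(cm, vulns) - cm.cost) / cm.cost


def optimize(vulns: dict, countermeasures: list, budget: float):
    """Greedy heuristic: fund the highest-ROI countermeasures first,
    skip anything with non-positive ROI, stop when the budget is spent."""
    ranked = sorted(countermeasures, key=lambda c: roi(c, vulns), reverse=True)
    chosen, spent = [], 0.0
    for cm in ranked:
        if roi(cm, vulns) <= 0:
            break  # remaining items cost more than the exposure they remove
        if spent + cm.cost <= budget:
            chosen.append(cm.name)
            spent += cm.cost
    return chosen, spent


# Constructed sample figures (hypothetical, not from the column)
VULNS = {v.name: v for v in [
    Vulnerability("unpatched-vpn", 100_000_000, 0.20),  # $20M exposure
    Vulnerability("phishing", 5_000_000, 0.50),         # $2.5M exposure
    Vulnerability("legacy-db", 30_000_000, 0.05),       # $1.5M exposure
]}
COUNTERMEASURES = [
    Countermeasure("patch-vpn", "unpatched-vpn", 200_000, 0.90),  # removes $18M
    Countermeasure("mfa", "phishing", 300_000, 0.60),             # removes $1.5M
    Countermeasure("db-rebuild", "legacy-db", 2_000_000, 0.80),   # removes $1.2M, costs more
]

if __name__ == "__main__":
    print(optimize(VULNS, COUNTERMEASURES, budget=400_000))
```

With a $400K budget only the VPN patch is funded; raising the budget to $600K also funds MFA, while the database rebuild is never chosen because it costs more than the exposure it removes.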
Cyber Risk Quantification
It is important to note that there are different ways to perform cyber risk quantification. Some organizations offer software-based solutions, where you enter data into a system, and it creates an estimation of cyber risk quantification. Some software solutions provide some sort of index score. In other words, they create their own arbitrary scale, such as a number from 1–100. They will say that your CRQ is a 53, for example. OK. I guess it’s good for tracking trends, but it doesn’t give any hard value. Other organizations will give you a dollar value, which does make a better business case.
The accuracy of CRQ depends upon the data sources and the mathematical models. You will hear a lot of people tout machine learning here; be aware that machine learning is really just the use of advanced mathematical techniques. The CYE Hyver platform, for example, uses data from multiple insurance companies, regulatory information, geographical considerations, and, most uniquely, detailed data about organizational vulnerabilities to understand the true level of risk. We’ve tuned the models and data sources to within 7% of actual losses, when compared against losses experienced by organizations and against manually performed quantifications.
As implied in the last paragraph, the other way to perform CRQ is with an expensive consulting engagement. You can bring in organizations that do this type of work, such as Big 4 firms, and they gather information and put together studies to estimate CRQ. While in theory these consulting efforts can be more accurate, they are expensive and can take months. Given how quickly the underlying data changes, a study that takes months is not going to stay accurate for long. Likewise, it is expensive to repeat the study to see if there has been improvement.
Perhaps my biggest problem with CRQ efforts is that they are great for providing pretty pictures to management, but not much else. This could be all that is necessary, as sometimes management just wants to have something to prove that they are doing some oversight. And to a certain level, this satisfies the requirements.
Some CRQ tools provide recommendations to say that based upon past information, a company might want to put more funds into some efforts over others. Those suggestions tend to be broad generalities and lack specific recommendations.
For now, that’s CRQ. I will address how to use CRQ for cyber risk optimization—where I think every organization should be—in my next column.
Want to learn more about how to choose a cyber risk quantification strategy? Download our guide.