What is Cyber Risk Quantification?
Cyber risk quantification is the process of calculating an organization’s risk exposure and the potential budgetary impact of that risk in business-relevant terms. In other words, it describes cyber risk in monetary terms.
Cyber risk quantification is essential today. With the cost of cybercrime rising rapidly and predicted to reach $10.5 trillion by 2025, executives have increased their expectations. They now expect security leaders to not only ensure organizational cybersecurity, but also to justify the costs. Yet in most organizations there is a misalignment between security strategy and business objectives, and the security team often does not communicate effectively with the C-suite and the board. As a result, security leaders struggle to make business leaders understand that security is a business enabler rather than an unnecessary expenditure.
Cyber risk quantification has recently gained traction as a way to bridge the gap between the security and business realms. However, it is a poorly understood concept. Early attempts at cyber risk quantification involved simply filling out a checklist or questionnaire. In reality, it is a much more complex process, made doubly difficult when trying to calculate the potential financial and business ramifications of possible cyberattacks.
Why Cyber Risk Quantification is Necessary
Cyber risk quantification fulfills a key function in organizations: it bridges the gap between technical and business discussions. It allows business decision makers to understand the impact of cyber threats and helps security teams prioritize remediation efforts. Armed with the results of cyber risk quantification, business owners, CFOs, CEOs, and boards can understand the organization’s risk in monetary terms. The use of a common language lets both technical and business leaders prioritize spending and measure the overall effectiveness of the cybersecurity program.
The practice of conducting cyber risk quantification is not just good business: it will soon be the law. The U.S. Securities and Exchange Commission recently proposed stronger rules for reporting cyberattacks, with the expected outcome of increasing the accountability of senior management for cybersecurity. The board and executives will now need to increase their knowledge of cybersecurity not only from a technical point of view but also in terms of risk and business exposure. They will need to quantify and manage corporate risk at a scale never before seen.
Cyber risk quantification will not only empower the board and C-suite to see the risk landscape; it will also enable the security team to make cybersecurity decisions in the context of business imperatives. They will be able to determine which risks pose the biggest threat to the organization’s business, and what the expected economic loss would be. Based on this information, they can assess current security investments and prioritize the steps needed to reduce cybersecurity risk.
What a Cyber Risk Quantification Strategy Entails
A cyber risk quantification strategy involves understanding precisely which threats are present or will likely occur in the cyber landscape, and what business assets are at risk. A thorough assessment involves multiple steps. Many are difficult to carry out, and most are based on probabilities. The basic process is as follows:
- Map out critical business assets and their value. Include all environments: on-premises assets, those on the perimeter, assets in the cloud, and operational technology (OT).
- Identify each likely threat to each critical asset and calculate the probability that it will occur.
- Determine the potential damage the business would incur if the threat were successful.
- Calculate damage beyond immediate costs, including productivity loss, brand and reputation damage, and the cost of responding, replacing assets, and paying fines and judgments.
- Finally, determine the vulnerability of each asset to each threat. This involves assessing the strength of your defenses, controls, and processes in the event of an actual threat.
Once the cyber risk quantification model has all the above information, it will report a basic financial risk metric that allows the team to compare various options when planning security investments and remediation.
“Seeing the breakdown of costs – and the timeline of when they would need to be paid out – helps companies plan for such expenditures and better understand how their cyber exposure figure was calculated.”
Inbar Ries, Chief Product Officer at CYE
The Problems with Traditional Cyber Risk Quantification Tools
Several cyber risk quantification tools have come onto the market in recent years, but they are largely manual and subjective, producing misleading risk scores that don’t reflect the real-world security posture of the organization and don’t account for the dynamic landscape that is cyber threats. A security team that bases its assessment on faulty or inadequate results can easily waste time and money prioritizing defenses against threats with no material impact on the business.
Traditional cyber risk quantification tools lack four key components:
Risk Context:
Many traditional tools are unable to correctly estimate which vulnerabilities an attacker is most likely to exploit. Without proper context, the team can lose focus and spend energy addressing vulnerabilities that are unlikely to be exploited.
Financial Context:
Many traditional tools include only direct costs, failing to account for costs related to detection and escalation, notification, post-breach response, or brand impact. Many also ignore the secondary costs of “vendor impact” where, for example, a business sells software that is responsible for a data leak, which can result in lawsuits.
Breadth:
Cyber risk quantification models need to look at all parts of the organization, including on-premises, cloud, perimeter, and OT. Traditional tools generally only focus on one part of the organization, resulting in “guesstimates” as to which threats are most likely to impact critical data.
Coherence:
Lots of tools generate data, but data does not equal visibility; rather, too much data from too many tools creates a firehose of information that can overwhelm the security team. As the attack surface increases over time due to migration to the cloud, increased use of OT, and digital transformation, traditional tools can only leave the security team overwhelmed and unable to obtain the remediation guidance needed to reduce risk.
Characteristics of Effective Cyber Risk Quantification Models
A truly effective cyber risk quantification model understands and parses the data, deriving a risk score that has meaning and is easily communicated to the C-suite and the board. It takes into account constantly evolving and newly emerging threats, providing built-in automated and continuous visibility into the cybersecurity landscape.
Once the required information (assets and value, likely threats and probabilities, potential damage, and vulnerability of critical assets) is plugged into the model, the immediate output is a metric indicating organizational risk. At this point, optimal cyber risk quantification models will also incorporate data to assess the attack likelihood for each business asset, calculating the specific probability of each business asset being breached and the associated cost.
Highly effective cyber risk quantification models will map out possible attack routes to each critical asset along with their probabilities. Using AI, the model will consider all relevant data: this includes multiple factors such as type of attacker, business assets at risk, the environment and current threat landscape, and the impact of vulnerabilities.
The model should provide realistic views of all possible attack routes. This level of visibility helps the security team reduce overall exposure, prioritize actions, and take proactive measures to reduce the likelihood of becoming a cyberattack victim. Perhaps most importantly, the model should prioritize vulnerability and problem mitigation efforts based on the extent to which they actually reduce risk. This makes it possible for CISOs and security professionals to stop relying on ineffective severity-based (or in many cases gut-based) approaches for prioritizing mitigation, which are detached from risk modeling.
Quantifying the Cost of a Data Breach
Quantifying the cost of a data breach is no longer a simple matter of multiplying containment costs by the cost of regulatory fines, as insurers often do to predict loss. Factors and focus matter.
Factors to include:
- The cybersecurity posture of the organization
- The entire attack surface
- Direct and indirect costs – e.g., website downtime, customer churn, lost productivity
- Related third party costs – e.g., reporting requirements, legal fees, lawsuits
Focus:
- Keep focus on the most critical/expensive assets, at highest risk
- Calculate asset value based on revenue, industry, historical data, and specific costs to the company (asset value, associated breach costs such as customer churn, downtime, lost IP)
- Prioritize mitigation based on cost to the organization as well as the cost to reduce threats
- Use a cyber risk quantification model with a built-in, continuously updated breach calculator
“Companies need to think about the worst-case scenario if any parts of their businesses are attacked and put a dollar value on it.”
Reuven Aronashvili, Founder and CEO, CYE
Benefits of Cyber Risk Quantification
Cyber risk quantification yields a wealth of both tactical and strategic benefits. They include:
Resource and budget allocation
Cyber risk quantification lets the organization better understand the cost of threats and their eventual remediation, informing investment decisions. For example, the ROI of specific cybersecurity programs can be demonstrated through measurement of the extent to which they reduce the level of breach risk. This can help justify future security investments.
Action plans
Cyber risk quantification equips the team to prioritize mitigation planning in full alignment with financial and business impact. A thorough understanding of which critical assets are specifically at risk, as well as the attack routes, breach and mitigation costs, enables the organization to plan and prioritize prevention and mitigation plans. Closing specific key cyber gaps to avert those attacks is a more efficient method than simply employing blanket solutions.
Communication
A key benefit of cyber risk quantification is that it defines the organization’s security posture in financial and business terms. When a common language bridges the security and business realms, management can better understand the organization’s risk posture and make more informed decisions about reducing risk. Cyber risk quantification equips the executive team to answer key questions such as:
- Are we secure, based on the actual vulnerabilities that are worth addressing?
- Are we spending enough, and in the right places?
- Are our investments effective?
Risk that is quantified can be reduced. This is key to changing the perception that security spending is just a cost; now it emerges as a business enabler.
Overall Improved Security
Cyber risk quantification, done right, makes the organization as a whole more secure. It provides the ability to track, report, benchmark, and optimize the security effectiveness of the security team’s efforts. By reducing risk, improving security investments, and prioritizing mitigation efforts, it helps the organization save both time and money.
Cyber Risk Quantification with CYE
CYE’s optimized cyber risk quantification platform, Hyver, delivers all the above benefits of cyber risk quantification. It turns complex investment decisions into simple equations, enabling security leaders to determine realistic cybersecurity investments that consider both the cost of a possible incident and the cost of remediation. Resulting mitigation plans prioritize actions according to specific business considerations and goals such as fiscal impact, security maturity, and loss exposure.
Hyver produces a risk calculation backed by data from numerous real-world security assessments. Because Hyver generates much of the data itself, without relying on the organization’s input (like many other risk quantification tools), the result is an objective, reliable calculation rather than a subjective assessment.
With Hyver’s cyber risk quantification, security teams can communicate cyber risk in business terms. This allows management to make informed decisions about reducing risk, fully aware of the costs and benefits. Decisions are based on facts instead of guesses.
Finally, Hyver’s cyber risk quantification helps organizations understand their true cyber risk, identifies possible attack routes, and determines the key cyber gaps that must be closed. This lets security teams track, benchmark, and optimize their security investments. With a clear view of investments and expected ROI, teams can focus on what matters the most for the organization.
