CYE Insights

Traditional Cyber Risk Quantification Models Don’t Work. Here’s Why.

The Cyber Risk Challenge

It’s no secret that there are more cyber threats than ever before. No matter how fast organizations upgrade their defenses, attackers outpace them. They grow more creative and aggressive by the day. And as the attack surface expands due to massive migration to the cloud, increased use of operational technology (OT), and digital transformation, cybersecurity can feel like a losing game. In fact, experts predict that cybercrime will cost the world $10.5 trillion annually by 2025.

Which threats should your team tackle first? Where should you put your security investments? In the past, qualitative guesses were almost good enough. However, today’s world calls for quantification: measuring IT and cyber risk exposure in terms of the probable monetary impact to your organization.

Needed: Not More Data, but Better Models

The problem is too much information. The billions of dollars spent annually to identify external and internal risk result in a firehose of information that overwhelms SOC teams, internal security executives, and analysts.

What’s needed is a better way to consume the data you have, parse it, and get a simple, actionable monetary risk score that can be used when communicating with executives – especially important because 50% of IT leaders say the board and C-suite do not understand cyber risk. The answer is cyber risk quantification models.

Traditional Cyber Risk Quantification Models

Cyber risk quantification models employ multiple steps, many of which are labor-intensive and most of which rest on probability estimates. In general, the process is as follows:

  1. Define which assets to consider, including those on-premises, on the perimeter, in the cloud, and in OT.
  2. Identify each likely threat to each asset, estimate the probability of it occurring, and determine the potential damage if it succeeds.
  3. Calculate the damage to productivity, competitive advantage, or reputation, as well as the cost of responding, replacing assets, and paying fines and judgments.
  4. Determine how vulnerable each asset is to each threat: how strong are your defenses, controls, and processes?

Once all of this is done, the cyber risk quantification model yields a financial risk metric which allows you to compare various options and invest security dollars wisely.

Weaknesses in Traditional Cyber Risk Quantification Models

Traditional cyber risk quantification models are weakened by the time they take, what they cost, and the subjective decisions they depend on. First, probabilities: you must estimate how often threat events occur, the capabilities of each threat, and the strength of your defenses and controls. Inaccurate estimates yield unusable results.

Second, it is difficult to predict the magnitude of loss that could occur to assets, including the cost to detect and escalate, notify stakeholders, perform post-breach response, and deal with lost business.

Third, traditional cyber risk quantification models treat all vulnerabilities as equally risky. In reality, some very prevalent vulnerabilities may pose no real threat to your business. Others might look minor on their own, yet an attacker exploiting a few minor weaknesses together can produce a devastating result.

Fourth, traditional models often result in “guesstimates” of the likelihood and magnitude of potential loss, based on a guess as to what vulnerabilities are most important and probable. Rather than whittling down a massive amount of data, they make assumptions about what information is important, and may cause your team to chase down issues that do not really put your critical assets at risk.

Finally, the results of cyber risk quantification can sometimes be difficult for the C-suite and board members to understand.

CRQ Considerations

When evaluating a cyber risk quantification model, take into account four key factors.

1 – Quality of the Data:

The model should use data customized to your specific company, industry, and location. It should draw on historical data when predicting loss factors (relieving your team of the challenging task of gathering all that data). It should be based on risk context, quantifying which specific vulnerabilities real attackers could use to compromise your business-critical assets (“guesstimates” are not acceptable here!). This cuts through the noise and reduces the amount of data your team needs to deal with.

2 – Financial Context:

The model should account for the financial cost of a breach to each asset, including productivity loss (lost revenue, lost wages); loss of IP, trade secrets, and other differentiators, which leads to a weakened competitive stance; loss of reputation (reduced market share, decreased sales growth, impact on the stock price, etc.); and the costs of incident response, asset replacement, fines, and judgments. This assessment should be based on financial context, ranking a low-impact threat to a high-value asset as a higher priority than a high-impact threat to a low-value asset.
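The following is an added worked example, not CYE's model or code, that carries the four-step process described earlier through to a dollar figure and applies this financial-context ranking: each (asset, threat) pair gets an annual expected loss of frequency × P(controls fail) × damage fraction × asset value, scenarios are ranked by that figure, and a chain of individually minor findings is scored as one path to a critical asset. All asset names, dollar values, frequencies, and control strengths are constructed, and the independence of chained steps is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One (asset, threat) pair from the four-step process above."""
    asset: str
    threat: str
    asset_value: float   # cost of a total loss of the asset, in dollars (steps 1 and 3)
    frequency: float     # estimated threat events per year against this asset (step 2)
    damage: float        # fraction of asset_value lost per successful event (step 3)
    control: float       # probability that existing defenses stop an event (step 4)

    def annual_expected_loss(self) -> float:
        """Events per year * P(controls fail) * loss per successful event."""
        return self.frequency * (1.0 - self.control) * self.damage * self.asset_value


def rank_by_expected_loss(scenarios):
    """Financial-context ranking: highest expected annual loss first."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def chained_expected_loss(step_controls, frequency, asset_value, damage):
    """Several minor findings exploited together to reach one asset.

    A campaign succeeds only if every step's control fails; the steps
    are treated as independent, which is itself an assumption.
    """
    p_path = 1.0
    for control in step_controls:
        p_path *= 1.0 - control
    return frequency * p_path * damage * asset_value


# Constructed sample portfolio; every figure below is hypothetical.
SCENARIOS = [
    # low-impact threat (10% of value) against a high-value asset
    Scenario("customer-db", "credential stuffing", 5_000_000, 4.0, 0.10, 0.50),
    # high-impact threat (90% of value) against a low-value asset
    Scenario("marketing-site", "defacement", 50_000, 2.0, 0.90, 0.20),
    Scenario("build-server", "ransomware", 800_000, 0.5, 0.60, 0.40),
    # one minor finding on a low-value asset, scored on its own
    Scenario("dev-wiki", "stale account", 20_000, 4.0, 0.50, 0.50),
]

if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        print(f"{s.asset:15} {s.threat:20} ${s.annual_expected_loss():>12,.0f}/yr")
    # three dev-wiki-class findings chained into full compromise of customer-db
    chained = chained_expected_loss([0.5, 0.5, 0.5], 4.0, 5_000_000, 1.0)
    print(f"chained path to customer-db ${chained:,.0f}/yr")
```

Scored alone, the stale account on the dev wiki is the lowest-priority item in the portfolio; scored as one of three steps on a path to the customer database, the same class of finding outranks every direct scenario.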

3 – A 360-Degree View:

An optimal model will not limit its assessment to well-known and well-documented assets, but will evaluate cyber risk across multiple environments, including on-premises, cloud, perimeter, and OT. It weaves together all the threads that connect a wide variety of assets, threats, and potential costs.

4 – Business-oriented:

The model should help your team present a cybersecurity plan to the board, in terms that are easy to communicate to executives. The result of the model should be ratings that translate technical risks into business risks, correlating asset value, severity of threat, and threat actor activity.

In summary, an accurate, useful cyber risk quantification model lets you make optimized cybersecurity investments that take into consideration both the cost of a possible breach and the likelihood that it will happen. This saves you time and money – while reducing the chance of a cyber incident.

Want to learn more about effective cyber risk quantification? Contact us for more information.

August 18, 2022