Quantification of Risks is not something new to organizations. They have been quantifying their financial risks for a long time. For example, financial services organizations quantify the credit risk of customers who hold credit cards, banks quantify the risk of bad loans, and so on.
But when it comes to CyberSecurity, only a few organizations practice Cyber Risk Quantification properly. As per Deloitte’s 2019 Future of Cyber Survey, half of the C-suite executives responded that they use some form of quantitative evaluation, while the other half still depend largely on a manual approach: the experience of their CyberSecurity experts or maturity assessments.
According to the World Economic Forum's Global Risks Report, “data fraud, data theft, and Cyberattacks” are among the top five biggest risks the world faces. A complex Cyberattack can tarnish the brand of the strongest organization as well as cause other financial impacts like regulatory fines, loss of customers, loss of future business and trust, etc. For example, in a recent Marriott data breach, 5.2 million guests were impacted, exposing PII including names, genders, phone numbers, travel information, and loyalty program data. In another case, as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories, Equifax Inc. had to agree to pay at least $575 million, and potentially up to $700 million.
Cyber Risk Quantification can help Security leaders and Information Security teams achieve robust CyberSecurity and convince management about the importance of CyberSecurity by using the language that the business understands. There are many other advantages of quantifying Cyber Risks.
In this article, we cover six reasons why organizations need to quantify their IT and Cyber Risks.
Even though organizations are investing in CyberSecurity, there has been a surge in the number of Cyberattacks. According to a recent study conducted by Ponemon and Tenable, more than 90 percent of respondents report experiencing at least one damaging Cyberattack over the past two years, and 60 percent have had two or more.
There are many reasons for the increased number of attacks:
Changing attack surface: Adoption of new technologies like cloud, AI and IoT, which is required to achieve business goals in competitive business environments, has changed the attack surface of organizations. This has created a lot of low-hanging fruit for hackers to exploit.
Unbalanced CyberSecurity portfolio: Organizations are heavily invested in prevention technologies to avoid Cyberattacks, without thinking about the scenarios once they are breached. Not enough investment is made in response to and recovery from Cyberattacks.
Hackers are getting smarter: As CyberSecurity technologies mature with time, hackers are getting smarter as well. They are trying to find loopholes and are targeting the weakest link of the CyberSecurity ecosystem, people, using sophisticated social engineering attack techniques.
Lacking the ‘Cyber Everywhere’ mentality: Considering CyberSecurity the sole responsibility of the IT and security teams is one of the biggest mistakes organizations can make. CyberSecurity should be promoted from the very top of the organization and practiced by the board and management. CyberSecurity is everyone’s responsibility in an organization. Organizations need to proactively invest in the right set of technologies to achieve a balanced security portfolio and train their employees based on their roles and responsibilities. Cyber Risk Quantification helps in choosing the right set of investments at the right time, based on the impact of each risk and its probability of causing a breach, by considering all the financial and non-financial factors.
Knowing the impact of a risk in dollar value helps organizations prioritize risks and investments accordingly. Historically, security leaders have used qualitative measurements to prioritize risks, but those measurements are questionable in terms of value outcomes:
• How much is the risk in total?
• How much more is the top risk (#1) than the second one (#2)?
• Is the difference between risk #1 and #2 the same as between risk #2 and #3?
• What are the criteria to classify a particular risk as high, medium or low?
• If resources are applied to a particular risk, say risk #1, how much less risk will this result in and how would you defend those results?
Risk Quantification can help organizations understand their Risk Exposure and its impact. Based on this information, businesses can decide either to pass the risk (transfer it by purchasing Cyber Insurance), to forgo action (when the investment required exceeds the dollar value impact of the risk), or to take action, depending on their risk appetite.
Organizations are heavily invested in technologies for identifying and protecting against breaches, despite the overlap of capabilities. With Cyber Risk Quantification, organizations can answer questions like “where to invest” and “how much investment is good enough?”. This leads to effective utilization of resources by minimizing the duplication of technical capabilities and investing in the right technologies at the right time, based on the risk priorities.
Being Cyber Resilient helps organizations respond to and recover from a cyber breach more quickly. Quantification of Cyber Risks helps in making an informed decision about purchasing Cyber Insurance: it gives you an idea of which risks you should cover and what premium is worth paying. Understanding the dollar amount of risk provides a measure for indemnification when deciding on Cyber Insurance coverages as a remediation option, helps in making informed decisions about Cyber and IT Risks, and supports the organization in its Cyber Resilience journey.
One of the toughest tasks for Security leaders is to communicate CyberSecurity to board members who might not understand the technical know-how. Effective communication of CyberSecurity is important because:
• It facilitates clearer understanding of CyberSecurity for the board and helps build trust and gain their support.
• Board members are more likely to approve the security budget based on their understanding of the organization’s CyberSecurity needs as presented.
Generally, board and management-level presentations about Cyber Risk are based on FUD (Fear, Uncertainty and Doubt), which doesn’t help in better business analysis or effective decision-making. Cyber Risk Quantification is one of the best ways to communicate CyberSecurity in business terms. By quantifying Cyber Risks, you can inform the board about the dollar value loss of a particular risk in case a breach occurs. It also helps in justifying security investments by providing risk reduction vs. security investment data.
A mature CyberSecurity program does not only protect the organization from Cyberattacks but can also work as a competitive advantage. By investing in Cyber Risk Quantification (CRQ), organizations can achieve Cyber Maturity faster than their peers, and build trust with the customers, partners and vendors who exchange critical data with the organization. Looking at the increasing financial impact of Cyber Breaches and Regulatory Fines, organizations need a better measurement and articulation of the business impacts of a Cyber Breach. The bottom line is that every element of a CyberSecurity program (personnel, policies, processes, and technologies) impacts the magnitude or probability of an attack scenario. It’s important to understand the impact of each element for effective Risk Management and resource allocation. Only quantification of Cyber Risks can help you understand the exact impact of each element and the value to be gained (in terms of risk reduction) from CyberSecurity investments.