How to measure cyber risk: The basics of cyber risk quantification

Today’s organizations rely on metrics more than ever before. Yet when it comes to metrics, few are as important as cyber risk. Having the ability to measure cyber risks is critical for making informed security investments, and implementing the controls necessary to minimize the risk of a data breach. 

Failure to understand the level of risk in the environment leads to dangerous vulnerabilities that can cause millions in damage. 

Despite this, most organizations are still falling short of understanding their risk exposure. Research shows that just 50% of IT leaders and 38% of business decision makers believe the C-suite completely understands cyber risks. 

This isn’t for lack of trying either, with Gartner reporting that security and risk management leaders are increasingly investing in cyber risk quantification for enterprise decision support, though only 36% report concrete results. 

To some degree, the challenge of quantifying cyber risk is subjective, with organizations identifying a different level of risk depending on how they define cyber risk, as well as the methodologies and data signals they use to measure it. 

But what is cyber risk exactly? 

In simple terms, cyber risk is the level of risk posed to an organization in the event of a cyber attack. 

Under the Fair Analysis of Information Risk (FAIR) quantitative risk model, risk management is defined as “the combination of personnel, policies, processes and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure.”

Organizations need to have the ability to measure this risk not only to ensure the overall security of their environments, but to ensure they aren’t overspending on ineffective controls. 

James Turgal, vice president of cyber risk, strategy and board relations at MXDR provider Optiv, highlights that “cyber risk quantification should be an essential part of all enterprises’ actions to understand and measure the risk posed to that enterprise in the event of a cyberattack occurring.” 

Turgal notes that enterprises can use cyber assessments defined by entities like NIST to define the most important technology assets, ascertain what impact a data breach would have on the business, understand the likelihood of exploitation, and ensure an acceptable level of cyber risk.  

Frameworks for Measuring Cyber Risk 

When it comes to measuring cyber risk, there are many frameworks and methodologies that enterprises can choose from including the Fair Analysis of Information Risk (FAIR), NIST Cybersecurity Framework (CSF) and the Risk Management Framework (RMF). 

Out of the available frameworks, many regard FAIR as the most comprehensive for providing a set of standards and best practices to help measure and mitigate information risk throughout an enterprise environment. 

Unlike other frameworks, such as those offered by NIST, ISO, OCTAVE, and ISACA, FAIR provides organizations with more guidance on the process of mitigating risk, rather than leaving them to determine their own approaches and fill security gaps themselves.

Other frameworks like CSF provide a more limited scope for identifying a company’s risk tolerance, helping security leaders to define roles, responsibilities and processes to minimize risks throughout the environment. 

For example, this includes how to implement controls that manage identities and credentials, govern remote access, secure data in transit, reduce the likelihood of data leaks, and detect malicious code. 

Similarly, the RMF provides a simple seven-step framework for securing modern and legacy IT systems and technologies.

Core steps of the RMF include preparing the essential activities that equip the organization to manage security and privacy risks, categorizing systems and the information they store, process or transmit (based on impact analysis), implementing NIST SP 800-53 controls, and documenting those controls over the long term. 

What about organizations that are struggling to quantify cyber risk? 

With so many risk management frameworks to choose from, many organizations are looking toward risk calculators to help identify their exposure to threat actors. 

Recently, risk quantification provider Safe Security launched a free risk calculator called the Safe CRQ Calculator, which uses the company’s own predictive research model to analyze an organization’s industry and determine the probability of a breach over the next 12 months.  

Safe Security’s Safe CRQ Calculator expedites the risk quantification process by quickly highlighting the cyberattack exposure of the organization’s industry, the rate of ransomware attacks that occur in that industry, and the potential financial impact of a breach. 

As Pankaj Goyal, senior vice president of AI and cyber insurance at Safe Security, explains, the Safe CRQ Calculator gives enterprises a way to convert external and internal cyber signals into a mathematical model that translates a technical risk calculation into a concrete financial value of business risk. 

For Goyal, success “lies in the depth and quality of signals. Signals should be real time and comprehensive across the attack surface. We collect signals across the attack surface (people, process, technology) through APIs in an automated way.” 

In many organizations, the calculations offered by a prebuilt risk calculator can also be more accurate, particularly if they’re based on a wider array of data signals. 

For instance, the CRQ calculator combines publicly available data from sources including SEC filings, regulatory reports, insurance reports and budget reports on over 1,500 incidents over the past 10 years to develop its risk model. This gives it a wider array of data signals than an organization relying on a less optimized, in-house risk model would typically have.
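To make concrete what “translating a technical risk calculation into a financial value” looks like under a FAIR-style model, here is an added example (not code from the article, Safe Security or the FAIR Institute) that takes constructed Loss Event Frequency and Loss Magnitude estimates for a hypothetical ransomware scenario and derives a 12-month breach probability, an annualized loss expectancy, and a Monte Carlo loss distribution:

```python
import math
import random
from dataclasses import dataclass

@dataclass
class RiskScenario:
    threat_event_frequency: float  # expected attack attempts per year
    vulnerability: float           # P(an attempt becomes a loss event), 0..1
    loss_min: float                # per-event loss estimate in USD (triangular)
    loss_most_likely: float
    loss_max: float

    def loss_event_frequency(self) -> float:
        # FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability
        return self.threat_event_frequency * self.vulnerability

    def breach_probability_12_months(self) -> float:
        # Loss events as Poisson arrivals: P(at least one in a year) = 1 - e^-LEF
        return 1.0 - math.exp(-self.loss_event_frequency())

    def annualized_loss_expectancy(self) -> float:
        # Risk in money terms: LEF x mean Loss Magnitude (mean of the triangle)
        mean_loss = (self.loss_min + self.loss_most_likely + self.loss_max) / 3.0
        return self.loss_event_frequency() * mean_loss

def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year, drawn with Knuth's method."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_loss(s: RiskScenario, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over one year: mean loss, 95th percentile and P(>= 1 loss event)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n = _poisson(rng, s.loss_event_frequency())
        losses.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_most_likely)
                          for _ in range(n)))
    losses.sort()
    return {"mean": sum(losses) / trials, "p95": losses[int(0.95 * trials) - 1],
            "p_breach": sum(1 for x in losses if x > 0) / trials}

# Constructed ransomware scenario: illustrative numbers, not from any real dataset.
RANSOMWARE = RiskScenario(threat_event_frequency=2.0, vulnerability=0.15,
                          loss_min=200_000, loss_most_likely=1_000_000, loss_max=5_000_000)
```

The 95th-percentile figure is the one a board usually asks for: the expected loss says what a year costs on average, while the tail says what a bad year costs.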

The changing role of the CISO in managing cyber risk 

For CISOs, an increasing component of managing risk in the enterprise is the growing responsibility to ensure the business success of the organization as a whole. 

In fact, Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. Naturally, this shift will call for CISOs to rethink how they manage cyber risk. 

As research director at Gartner, Sam Olyaei explains, “The CISO role must evolve from being the ‘de facto’ accountable person for treating cyber risks, to being responsible for ensuring business leaders have the capabilities and knowledge required to make informed, high-quality information risk decisions.” 

In this sense, the role of the CISO in managing cyber risk won’t take a “narrow” focus on checking off cyber risks, but playing an active role in equipping key stakeholders and decision-makers with the information they need to balance the management of cybersecurity risks alongside the fulfillment of key business objectives. 
