Surveying 1,200 large organisations that together represent US$125.2 billion in annual cybersecurity spending, US$19 billion of it in Asia Pacific, the ThoughtLab 2022 Cybersecurity Solutions for a Riskier World report revealed that 29% of CEOs and CISOs and 40% of chief security officers admit their organisations are unprepared for a rapidly changing threat landscape.
See risk through quantification
David Ng, area director of Asia at SecurityScorecard, defines risk quantification as a mechanism for translating risk assessments, which are often qualitative, into quantitative metrics that are universally understood by the business.
He adds that in the cybersecurity domain, these risks are often characterised by the type of breaches a company experiences like a data breach, insider threat, or ransomware event.
"Risk Assessments are usually control-based assessments that check to see whether certain security measures, like enterprise MFA, are implemented within the organisation. Risk assessments are a baseline input into risk quantification."
David Ng
Triggers for running risk quantification
While risk quantification can help organisations understand the financial impact of risks and make informed decisions as to how much resources to allocate to mitigate scenarios, it does involve costs on its own.
It therefore makes sense to know what conditions warrant undertaking risk quantification. Ng says the most common use case is board reporting, which tends to occur quarterly.
"If you are buying cyber insurance, it might only be performed yearly. If you are using cyber risk quantification to inform security investment decisions, you might be performing this type of analysis on a monthly or more frequent basis.
"However, I think we can all agree that risk, especially cyber risk, continuously evolves and we hope that organisations continue to incorporate cyber risk as a holistic part of their enterprise risk program, where risk quantification will be conducted continuously," explains Ng.
When to know you need risk quantification
Ng says an organisation should ask itself how successful they are at communicating the nature and impact of cyber risk.
"Do security leaders feel like their voices are heard and requests are adequately prioritised? Suppose a security team is struggling to get sufficient acknowledgement from the rest of their organisation. In that case, they should consider cyber risk quantification as a tool to help them better resonate with their peers," he explains.
In some countries, cyber risk quantification is becoming a regulatory consideration. In the United States, the Securities and Exchange Commission (SEC) has proposed that business leaders stop divorcing the cybersecurity conversation from their business conversations.
"Cyber risk quantification is a tool that helps bridge the gap between security and business teams," posits Ng.
Not all risk quantification approaches are created equal
There are multiple approaches to performing a cyber risk quantification assessment. There is no standard in the market for performing a cyber risk quantification analysis and organisations will have to judge which solutions match their view of cyber risk.
"Traditionally cyber risk quantification has been performed by experts who arrive on-site and gather information about the organisation's assets and security controls. These assessments can take weeks to complete and only provide a snapshot of the presently expected losses," noted Ng.
"Solution providers are now offering software-based cyber risk quantification to automate most of that work. These providers are using statistical modelling or machine learning approaches to create models that perform the calculations – fully automated continuous solutions continue to gain the most market traction."
"Within this category of solution providers, we see a lot of differentiation as well. Some use methodologies like FAIR (Factor Analysis of Information Risk) and others employ proprietary techniques that simulate an attacker's path to dealing damage," says Ng.
What to ask when shopping for the right risk assessment
Ng offers several questions that CISOs and decision-makers should ask themselves and service providers to identify what is right for them:
- How well does the output compare against real-world results?
- What information must the user provide to perform the analysis?
- What kind of implementation activities must the user complete before being able to perform cyber risk quantification?
- Will the cyber risk quantification provide recommendations on where to focus risk reduction efforts?
- How much time does it take to perform a single analysis? How often can it be performed cost-effectively?
Final thoughts
Ng says the primary buyer of risk quantification solutions is the CISO. However, he opines that depending on the organisation, the CISO may ask data science colleagues to participate in evaluations to test the rigour of any models being used.
"Your journey to adopting cyber risk quantification can start small. You can wait to make significant investments in cyber risk quantification once your organisation is bought into the concept and started to incorporate it within decision-making."
David Ng
"For example, you can use industry or publicly available research to do some relatively simple calculations that help you understand the magnitude of your potential losses," he suggests. "As stakeholders welcome a more refined analysis you can start adopting cyber risk quantification solutions that don’t require any implementation investments.
"Once you are ready to fully operationalise the enterprise-level cyber risk quantification solutions, you can increase your investment in this capability," he concludes.
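The "relatively simple calculations" Ng suggests as a starting point, and the statistical modelling that FAIR-style tools automate, both come down to the same idea: express a risk scenario as an event frequency and a loss magnitude, each with a range rather than a point value, and simulate many years to get a distribution of annual loss. The model below is an added example written for this article; it is not SecurityScorecard's or any vendor's method, and every input range in it (a ransomware scenario occurring 0.5 to 6 times a year at US$20k to US$500k per event, and a hypothetical control costing US$50k a year that halves the frequency) is a constructed illustration, not data from the survey or from Ng.

```python
"""FAIR-style Monte Carlo estimate of annualised loss for one cyber risk scenario.
Standard library only. Every input range below is a constructed illustration."""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.6448536269514722  # z-score that bounds a two-sided 90% interval


@dataclass
class Scenario:
    name: str
    # Loss event frequency (events per year) as a min / most likely / max triangle.
    freq_min: float
    freq_mode: float
    freq_max: float
    # Single-event loss magnitude as a 90% confidence interval (5th, 95th percentile).
    loss_p05: float
    loss_p95: float


# Constructed example, not survey data: a ransomware scenario for a mid-size firm.
RANSOMWARE = Scenario("ransomware", freq_min=0.5, freq_mode=2.0, freq_max=6.0,
                      loss_p05=20_000, loss_p95=500_000)


def lognormal_params(p05, p95):
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are p05/p95.
    Loss magnitudes are right-skewed, so a lognormal is the usual FAIR choice."""
    lo, hi = math.log(p05), math.log(p95)
    return (lo + hi) / 2, (hi - lo) / (2 * Z90)


def sample_poisson(rng, lam):
    """Number of loss events in one year at rate lam (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn, trials=10_000, seed=1):
    """Simulate `trials` years of the scenario and summarise the annual loss distribution.
    A fixed seed makes the run reproducible, which matters when the figures go to a board."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_p05, scn.loss_p95)
    annual = []
    for _ in range(trials):
        lam = rng.triangular(scn.freq_min, scn.freq_max, scn.freq_mode)  # this year's rate
        events = sample_poisson(rng, lam)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()

    def pct(q):  # q-th percentile read off the sorted sample
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "mean": statistics.fmean(annual),  # annualised loss expectancy (ALE)
        "p50": pct(0.50),
        "p95": pct(0.95),                  # the "bad year" figure boards tend to ask for
        "p_over_1m": sum(a > 1_000_000 for a in annual) / trials,
    }


def control_benefit(scn, freq_reduction, annual_cost, **kw):
    """Expected annual loss avoided by a control that cuts event frequency by
    `freq_reduction` (a fraction 0..1), net of the control's annual cost.
    Positive means the control is expected to pay for itself; comparing this
    figure across candidate controls is how quantification informs investment."""
    keep = 1.0 - freq_reduction
    mitigated = Scenario(scn.name + "+control", scn.freq_min * keep, scn.freq_mode * keep,
                         scn.freq_max * keep, scn.loss_p05, scn.loss_p95)
    before = simulate(scn, **kw)["mean"]
    after = simulate(mitigated, **kw)["mean"]
    return before - after - annual_cost


if __name__ == "__main__":
    s = simulate(RANSOMWARE)
    print(f"{RANSOMWARE.name}: ALE {s['mean']:,.0f}, median {s['p50']:,.0f}, "
          f"95th pct {s['p95']:,.0f}, P(loss > 1M) {s['p_over_1m']:.1%}")
    # Constructed: a control (say, enterprise MFA) costing US$50k/yr that halves frequency.
    print(f"net annual benefit of control: {control_benefit(RANSOMWARE, 0.5, 50_000):,.0f}")
```

Two points are worth noting when reading the output. The mean (ALE) sits well above the median because the loss distribution has a long right tail, which is why a single "expected loss" number understates what a bad year looks like and why the 95th percentile is reported alongside it. And because the whole estimate is driven by the input ranges, the first question in Ng's list above (how the output compares against real-world results) is really a question about how those ranges were calibrated, not about the arithmetic.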
In a blog post, John Chambers, Cisco chairman emeritus and CEO of JC2 Ventures, wrote that cybersecurity risk management is at a crossroads. "The future needs to be automated proactive cyber risk management. Business leaders first want to understand their threat landscape and how well they compare against the market and their peers. Beyond what the risk is, businesses need to learn how to mitigate and manage cyber risk," said Chambers.