Quantifying cyber risk | Part 1
By Asha Abraham
Information and its associated technologies are the lifeblood of a business entity today and the tangible assets that fuel our digital economy. In a digital world where technology domains converge to enable business at machine speed, cyber risk is the risk that technology, especially connected technology, introduces into your environment.
Technologies can be grouped into three distinct domains:
- Information Technology (IT) is primarily business-oriented and deals with information. It includes the computing resources and connectivity used to process and manage data in support of organizational functions and transactions.
- Operational Technology (OT) is industrial and deals with machines that affect the physical world. These are systems and related automation assets used to monitor and control physical processes and events, or to support the creation and delivery of products and services. Examples include traffic lights, power plants, oil rigs, manufacturing assembly lines and inventory management processes.
- Consumer Technology (CT) includes electronics intended for everyday use, typically in private homes, such as devices used for entertainment, communications, and home or office activities.
According to the World Economic Forum’s Global Risks Report, cyber-attacks have ranked among the top ten risks for businesses in terms of both likelihood and impact since 2018. The common threat communities we need to protect businesses against include nation states, organized criminals, hacktivists and malicious insiders. Their motives and tactics evolve, and what they target varies depending on what products and services an organization provides.
Security teams, however, have a bad reputation for getting in the way of real business. To be able to protect the business, we must first accept that ‘security’ is a relative term. There is no absolute scale of security or insecurity. Both terms, ‘secure’ and ‘security’, have meaning only as attributes of something that is considered valuable. A few of the digital assets we consider valuable include: emerging information and communication technologies, industrial control systems, proprietary trading algorithms or product designs, advanced materials and manufacturing techniques, business deal information, strategy documents, audit reports, client account balances and transaction history, client settlement instructions, credentials and authentication information, and regulated datasets such as Personally Identifiable Information (PII), Protected Health Information (PHI) and Payment Card Information (PCI).
Periodic cyber risk assessments allow an organization to understand, manage, control and mitigate cyber risk across its operational processes. They are one of the most critical parts of operational risk management, and also one of the most complex. As organizations rely more on information technology and information systems to do business, risk professionals have to be able to bridge the gap between technical and business teams to develop security strategies and a level of controls maturity that enable cyber resilience.
In qualitative risk assessment, the focus is on stakeholder perceptions about the probability of a risk occurring and its impact on relevant organizational aspects (e.g., financial, reputational). This perception is represented on scales such as “low – medium – high”. Since it has little mathematical dependency (risk may be defined through a simple sum, multiplication, or other non-mathematical combination of probability and impact values), qualitative risk assessment is easy and quick to perform, allowing an organization to take advantage of a user’s experience with and knowledge of the process or asset being assessed. When it comes to assessing cyber risk, the most common methodologies in use today are ‘control checklists’ and ‘capability maturity models’. They provide inventories of controls that an organization can use to evaluate and benchmark itself against. They are also useful for identifying gaps in controls or for measuring progress against internal control maturity goals. They are time- and resource-intensive to produce, and because they give static point-in-time results they quickly go out of date. They don’t, however, tell you how much risk exists or how changes in your threat landscape affect your controls maturity.
What we regularly overlook is that controls are only valuable if they reduce the probability or magnitude of loss events, so the control categorizations we use should account for how each control affects the probable loss event scenarios we want to protect ourselves against. The relevance of a deficient control condition has to be determined in the context of a risk scenario in which that control matters.
Another cyber risk analysis methodology I’ve used in the past qualified cyber risks based on a client’s most attractive assets from a threat actor’s perspective. This worked well for clients that were globally dispersed and wanted a quick, summarized visual of what their cyber risk profile looked like.
- A modified version of the FFIEC’s inherent risk scoring templates was leveraged to measure the site’s ATTRACTIVENESS (Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, etc.).
- The catalog of cybersecurity controls within the FFIEC CAT was used to evaluate the design and operating effectiveness of applicable controls and determine their overall CONTROL MATURITY.
- Expert opinions, audit reports, available security metrics, industry research and peer benchmarks were leveraged to gauge their THREAT profile.
Depending on how they fared on each of these dimensions we were able to visually represent their risk profile on a map. This format appealed to senior leadership teams.
Most of the cyber risk assessments performed today use qualitative analysis to indicate residual risk exposure, but subjectivity is one of the known flaws of qualitative analysis. The results of qualitative risk assessments are highly biased, both in how probability and impact are defined, by those who perform them, and may not be consistent when repeated or when performed by different individuals. Also, words that are intended to describe quantities are open to differing interpretations. According to an HBR study [1] by Andrew and Michael Mauboussin: “When you use a word to describe the likelihood of a probabilistic outcome, you have a lot of wiggle room to make yourself look good after the fact. If a predicted event happens, one might declare: ‘I told you it would probably happen.’ If it doesn’t happen, the fallback might be: ‘I only said it would probably happen.’ Such ambiguous words not only allow the speaker to avoid being pinned down but also allow the receiver to interpret the message in a way that is consistent with their preconceived notions. Obviously, the result is poor communication.”
We can’t trust people to interpret verbal descriptions of likelihood or impact similarly – “Always” doesn’t always mean always!
Heat maps are another very popular option for qualifying cyber risk. The problem with heat maps is that they reduce our ability to express uncertainty about future events. They force false precision every time we choose a single rating when we know the realistic outcomes may span several ranges. It is also possible for scenarios that appear roughly equal to receive different ratings simply because of the way the heat map is constructed. And it is difficult to prioritize one scenario over another when the map gives us no basis for deciding which remediation strategy is the most cost-effective for either of them.
Common cyber risk statements are very broad (for example, one of the top five risks of an organization was stated simply as ‘third party risks’!), which makes it very difficult to quantify value-at-risk in financial terms. Another common drawback is that the residual risk model used for cyber can differ from the one used for operational risk within the same organization, and may require end-user-computing applications such as macro-enabled spreadsheets or Access databases, both of which increase complexity and further increase risk exposure.
Quantitative risk assessment, on the other hand, focuses on measurable data and on mathematical and computational methods to calculate probability and impact values, normally expressing risk in monetary terms, which makes its results useful outside the context of the assessment (a loss of money is understandable to any business unit). To reach a monetary result, quantitative risk assessment often makes use of concepts like:
- SLE (Single Loss Expectancy): money expected to be lost if the incident occurs one time.
- ARO (Annual Rate of Occurrence): how many times in a one-year interval the incident is expected to occur.
- ALE (Annual Loss Expectancy): money expected to be lost in one year considering SLE and ARO (ALE = SLE * ARO).
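As an added illustration (not part of the original post), here is how the SLE, ARO and ALE definitions above turn loss scenarios into comparable money figures and rank them. It goes one step past the post in two ways: each input carries a low/high range so the uncertainty a single heat-map cell hides stays visible, and a control is valued by the ALE it removes, which is the point made earlier that controls only matter if they cut loss probability or magnitude. The scenarios, figures and the MFA control are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A loss event scenario with a low/high range for each input rather than one rating."""
    name: str
    sle_low: float    # Single Loss Expectancy, lower bound (money lost per event)
    sle_high: float   # Single Loss Expectancy, upper bound
    aro_low: float    # Annual Rate of Occurrence, lower bound (events per year)
    aro_high: float   # Annual Rate of Occurrence, upper bound

    def sle(self) -> float:
        """Point estimate of SLE: the midpoint of the range (an assumption of this example)."""
        return (self.sle_low + self.sle_high) / 2

    def aro(self) -> float:
        """Point estimate of ARO: the midpoint of the range."""
        return (self.aro_low + self.aro_high) / 2

    def ale(self) -> float:
        """ALE = SLE * ARO, the post's formula, applied to the point estimates."""
        return self.sle() * self.aro()

    def ale_range(self) -> tuple[float, float]:
        """Best- and worst-case ALE, so the spread a single heat-map rating collapses stays visible."""
        return (self.sle_low * self.aro_low, self.sle_high * self.aro_high)


def rank_by_ale(scenarios: list[LossScenario]) -> list[LossScenario]:
    """Order scenarios by expected annual loss, highest first: a money-based priority list."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def control_value(s: LossScenario, aro_cut: float, sle_cut: float, annual_cost: float) -> float:
    """Net annual value of a control = ALE it removes minus its yearly cost.
    aro_cut and sle_cut are the fractions (0..1) by which it lowers event frequency and loss size."""
    residual_ale = s.sle() * (1 - sle_cut) * s.aro() * (1 - aro_cut)
    return s.ale() - residual_ale - annual_cost


# Constructed sample scenarios; the figures are illustrative, not from any real assessment.
SCENARIOS = [
    LossScenario("Phishing leads to credential theft", 20_000, 80_000, 2.0, 6.0),
    LossScenario("Ransomware halts a production line", 500_000, 2_000_000, 0.1, 0.5),
    LossScenario("Breach at a third-party data processor", 100_000, 400_000, 0.2, 0.6),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        lo, hi = s.ale_range()
        print(f"{s.name}: ALE {s.ale():,.0f} (range {lo:,.0f} to {hi:,.0f})")
    # Assumed control: MFA cuts phishing event frequency by 75% and costs 30,000 per year.
    print(f"MFA net value: {control_value(SCENARIOS[0], 0.75, 0.0, 30_000):,.0f}")
```

Note how the ransomware scenario ranks first on expected loss even though its worst case spans twenty times its best case; that spread is exactly what a single “high” rating would have thrown away.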
The second part of this blog post will look at quantifying cyber risk more closely. So stay tuned!