How to quantify cyber risk

Written by Malcolm Stokes, Head of Operational Risk, BT Security on 15 March 2018 in Sponsored Article

BT's Malcolm Stokes explains how organisations can attribute accurate figures to cyber risks in order to make a viable business case.

In my two previous blogs, I explored the nature of managing and measuring cyber risk and the ways a company can justify spending on cyber-risk improvement. Through this exploration, I made it clear that organisations need to quantify their cyber risks if they want any hope of making a business case. So, in this blog, let’s take a look at how to make this quantification a reality.  

A simplistic approach

All too often, cyber risks are quantified using a single monetary value and percentage likelihood of occurrence. For example, a company might say that a cyber attack would cost them £40M and that there’s a 12% chance of it happening.

This simplistic approach allows several different risks to be plotted on an ‘Impact vs. Likelihood’ grid to help prioritise mitigation. But it does little to convince an investment board to approve expenditure on cyber defences. It also fails to impress insurance actuaries; they need to know what the percentage likelihood value really means. In the example given above, the 12% figure is likely to be a rolling annual probability, although it might refer to a longer timeframe if the exposure is time-bound, i.e. a project or campaign risk with a known endpoint.

What does it actually mean?

Having established the timeframe, we need to examine its relationship to the impact value. It’s clear that the 12% cannot mean the likelihood of losing exactly £40M — that would be an amazing coincidence. So which of the following might be a more precise meaning?

1. A 12% probability of losing any amount of money due to one or more cyber incidents — i.e. there is no mathematical relationship between the £40M and the 12%.

2. A 12% probability of losing up to £40M — i.e. there’s a 12% chance of losing between £0 and £40M in the next twelve months.

3. A 12% probability of losing about £40M. Perhaps plus or minus £5M, or between £30M and £50M. The range needs to be specified.

4. A 12% probability of losing more than £40M — i.e. there’s a 12% chance of aggregate losses due to cyber incidents exceeding £40M in the next twelve months. This is what actuaries call the probability of exceedance or ‘EP’ value.

Option four is rarely used outside the world of insurers, yet it is easier to estimate, it produces more consistent and realistic results, and it can be combined mathematically to produce an overall cost of risk. If EP values are estimated for several different impact boundaries, an EP curve can be constructed, and the area under that curve is the ‘pure premium’ or total annual cost of risk. Keep in mind that a business case that aims to reduce this annual cost of cyber risk is far more likely to convince your CFO.

Making a business case

The reduction in the area under the EP curve, comparing the curve before improvement with the curve after, represents the value of the risk-benefit achieved. For a valid comparison with capital expenditure, the monetary values need to represent bottom-line profits lost, or ‘EBITDA’ in accounting terms. Loss of revenue doesn’t count. These values should also take into account the cost of restoring reputation and damage to forecast growth, any fines, penalties or compensation paid, and the financial effect of any sanctions imposed or negotiated changes in trading terms.
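The EP-curve arithmetic described in the two sections above, as an added worked example (not code from the article or from BT): constructed sample curves in GBP millions, the exceedance probability read off at the £40M boundary, the area under each curve as the pure premium, and the before/after difference as the risk-benefit. The curve values and the linear interpolation between tabulated points are assumptions chosen for illustration.

```python
import bisect
from typing import List, Tuple

# EP curve: (loss threshold in GBP millions, P(aggregate annual loss > threshold)).
Curve = List[Tuple[float, float]]

# Constructed sample curves (not figures from the article): before and after a
# hypothetical risk-improvement programme. The last point must reach zero exceedance.
EP_BEFORE: Curve = [(0, 0.60), (10, 0.30), (20, 0.20), (40, 0.12), (80, 0.03), (120, 0.0)]
EP_AFTER: Curve = [(0, 0.50), (10, 0.18), (20, 0.10), (40, 0.05), (80, 0.01), (120, 0.0)]

def validate(curve: Curve) -> None:
    """Thresholds must rise; exceedance must lie in [0, 1] and never increase."""
    if len(curve) < 2:
        raise ValueError("need at least two points")
    for (x0, p0), (x1, p1) in zip(curve, curve[1:]):
        if x1 <= x0 or not (0.0 <= p1 <= p0 <= 1.0):
            raise ValueError(f"not an exceedance curve at ({x0}, {p0}) -> ({x1}, {p1})")
    if curve[-1][1] > 0.0:
        # Area beyond the last threshold is ignored, so the premium would be understated.
        raise ValueError("extend the curve until the exceedance probability reaches 0")

def exceedance_at(curve: Curve, threshold: float) -> float:
    """P(loss > threshold), interpolating linearly between tabulated points."""
    validate(curve)
    xs = [x for x, _ in curve]
    if threshold <= xs[0]:
        return curve[0][1]
    if threshold >= xs[-1]:
        return curve[-1][1]
    i = bisect.bisect_right(xs, threshold)
    (x0, p0), (x1, p1) = curve[i - 1], curve[i]
    return p0 + (p1 - p0) * (threshold - x0) / (x1 - x0)

def pure_premium(curve: Curve) -> float:
    """Area under the EP curve by the trapezoidal rule. For a non-negative loss L,
    E[L] = integral over x of P(L > x), so this is the expected annual loss."""
    validate(curve)
    return sum((p0 + p1) / 2 * (x1 - x0) for (x0, p0), (x1, p1) in zip(curve, curve[1:]))

def risk_benefit(before: Curve, after: Curve) -> float:
    """Annual risk-benefit of an improvement: the reduction in pure premium."""
    return pure_premium(before) - pure_premium(after)

if __name__ == "__main__":
    print(f"P(loss > 40M) before: {exceedance_at(EP_BEFORE, 40):.2f}")
    print(f"cost of risk: before {pure_premium(EP_BEFORE):.1f}M, after {pure_premium(EP_AFTER):.1f}M")
    print(f"annual risk-benefit of the improvement: {risk_benefit(EP_BEFORE, EP_AFTER):.1f}M")
```

The premium is only as good as the tail of the curve: if the highest boundary still carries a material exceedance probability, the integral truncates it and the cost of risk is understated.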

A business case for investing in risk improvement also needs to estimate the time taken to realise the full risk-improvement benefits, because the longer it takes, the longer the organisation is operating at an unacceptable level of risk.

To learn more, download our report exploring the five steps you have to navigate to protect your organisation from attack.
