How to quantify cyber risk

Written by Malcolm Stokes, Head of Operational Risk, BT Security on 15 March 2018 in Sponsored Article

BT's Malcolm Stokes explains how organisations can attribute accurate figures to cyber risks in order to make a viable business case.

In my two previous blogs, I explored the nature of managing and measuring cyber risk and the ways a company can justify spending on cyber-risk improvement. Through this exploration, I made it clear that organisations need to quantify their cyber risks if they want any hope of making a business case. So, in this blog, let’s take a look at how to make this quantification a reality.  

A simplistic approach

All too often, cyber risks are quantified using a single monetary value and percentage likelihood of occurrence. For example, a company might say that a cyber attack would cost them £40M and that there’s a 12% chance of it happening.

This simplistic approach allows several different risks to be plotted on an ‘Impact vs. Likelihood’ grid to help prioritise mitigation. But it does little to convince an investment board to approve expenditure on cyber defences. It also fails to impress insurance actuaries; they need to know what the percentage likelihood value really means. In the example given above, the 12% figure is likely to be a rolling annual probability, although it might refer to a longer timeframe if the exposure is time-bound, i.e. a project or campaign risk with a known endpoint.

What does it actually mean?

Having established the timeframe, we need to examine its relationship to the impact value. It’s clear that the 12% cannot mean the likelihood of losing exactly £40M — that would be an amazing coincidence. So which of the following might be a more precise meaning?

1. A 12% probability of losing any amount of money due to one or more cyber incidents — i.e. there is no mathematical relationship between the £40M and the 12%.

2. A 12% probability of losing up to £40M — i.e. there’s a 12% chance of losing between £0 and £40M in the next twelve months.

3. A 12% probability of losing about £40M. Perhaps plus or minus £5M, or between £30M and £50M. The range needs to be specified.

4. A 12% probability of losing more than £40M — i.e. there’s a 12% chance of aggregate losses due to cyber incidents exceeding £40M in the next twelve months. This is what actuaries call the probability of exceedance or ‘EP’ value.

Option four is rarely used outside the world of insurers, and yet it’s easier to estimate, it produces more consistent and realistic results, and it can be combined mathematically to produce an overall cost of risk. If EP values are estimated for several different impact boundaries, an EP curve can be constructed, and the area under that curve is the ‘pure premium’ or total cost of risk (for a non-negative annual loss, the area under the exceedance curve is the expected annual aggregate loss). Keep in mind that a business case that aims to reduce this annual cost of cyber risk is far more likely to convince your CFO.

Making a business case

The reduction in the area under the EP curve from before to after an improvement represents the risk-benefit achieved. For a valid comparison with capital expenditure, the monetary values need to represent bottom-line profits lost, or ‘EBITDA’ in accounting terms; loss of revenue doesn’t count. These values should also take into account the cost of restoring reputation, damage to forecast growth, any fines, penalties or compensation paid, and the financial effect of any sanctions imposed or negotiated changes in trading terms.
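The EP-curve arithmetic described above, worked through as an added example (not code from the article or from BT): EP values are estimated at a few loss boundaries, the curve is integrated to give the pure premium, and the before/after difference is the annual risk-benefit. The loss thresholds and probabilities are constructed sample values, not figures from the article.

```python
"""Pure premium (total annual cost of risk) from an exceedance-probability curve."""
from typing import Sequence, Tuple

# One point on an EP curve: (loss threshold in GBP, P(annual aggregate loss > threshold)).
EPPoint = Tuple[float, float]


def validate_ep_curve(points: Sequence[EPPoint]) -> None:
    """An EP curve must have strictly increasing thresholds and a non-increasing
    probability in [0, 1]; anything else is an estimation error, not a curve."""
    if len(points) < 2:
        raise ValueError("need at least two EP points to form a curve")
    for (x0, p0), (x1, p1) in zip(points, points[1:]):
        if x1 <= x0:
            raise ValueError(f"loss thresholds must increase: {x0} -> {x1}")
        if not (0.0 <= p1 <= p0 <= 1.0):
            raise ValueError(f"exceedance probabilities must fall from {p0} to {p1}")


def pure_premium(points: Sequence[EPPoint]) -> float:
    """Area under the EP curve by the trapezoid rule.

    For a non-negative annual loss L, E[L] = integral of P(L > x) dx, so the
    area is the expected annual loss, i.e. the 'pure premium'. The area beyond
    the last threshold is ignored, so if the final probability is not zero the
    result is a lower bound (the tail has been truncated by assumption).
    """
    validate_ep_curve(points)
    area = 0.0
    for (x0, p0), (x1, p1) in zip(points, points[1:]):
        area += (x1 - x0) * (p0 + p1) / 2.0
    return area


def annual_risk_benefit(before: Sequence[EPPoint], after: Sequence[EPPoint]) -> float:
    """Reduction in the pure premium achieved by a risk improvement (GBP per year)."""
    return pure_premium(before) - pure_premium(after)


# Constructed sample curves (EBITDA-impact boundaries in GBP, annual exceedance probability).
BEFORE = [(0.0, 0.60), (10e6, 0.30), (40e6, 0.12), (100e6, 0.02), (200e6, 0.0)]
AFTER = [(0.0, 0.50), (10e6, 0.20), (40e6, 0.05), (100e6, 0.005), (200e6, 0.0)]

if __name__ == "__main__":
    print(f"pure premium before: £{pure_premium(BEFORE):,.0f}")
    print(f"pure premium after:  £{pure_premium(AFTER):,.0f}")
    print(f"annual risk-benefit: £{annual_risk_benefit(BEFORE, AFTER):,.0f}")
```

The risk-benefit figure is what a business case sets against the capital and operating cost of the improvement; it only holds if the loss thresholds were expressed in lost EBITDA rather than revenue.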

A business case for investing in risk improvement also needs to estimate the time taken to realise the full risk-improvement benefits, because the longer it takes, the longer the organisation is operating at an unacceptable level of risk.

To learn more, download our report exploring the five steps you have to navigate to protect your organisation from attack.
