How to quantify cyber risk
BT's Malcolm Stokes explains how organisations can attribute accurate figures to cyber risks in order to make a viable business case.
In my two previous blogs, I explored the nature of managing and measuring cyber risk and the ways a company can justify spending on cyber-risk improvement. Through this exploration, I made it clear that organisations need to quantify their cyber risks if they want any hope of making a business case. So, in this blog, let’s take a look at how to make this quantification a reality.
A simplistic approach
All too often, cyber risks are quantified using a single monetary value and percentage likelihood of occurrence. For example, a company might say that a cyber attack would cost them £40M and that there’s a 12% chance of it happening.
This simplistic approach allows several different risks to be plotted on an ‘Impact vs. Likelihood’ grid to help prioritise mitigation. But it does little to convince an investment board to approve expenditure on cyber defences. It also fails to impress insurance actuaries; they need to know what the percentage likelihood value really means. In the example given above, the 12% figure is likely to be a rolling annual probability, although it might refer to a longer timeframe if the exposure is time-bound, i.e. a project or campaign risk with a known endpoint.
What does it actually mean?
Having established the timeframe, we need to examine its relationship to the impact value. It’s clear that the 12% cannot mean the likelihood of losing exactly £40M — that would be an amazing coincidence. So which of the following might be a more precise meaning?
1. A 12% probability of losing any amount of money due to one or more cyber incidents — i.e. there is no mathematical relationship between the £40M and the 12%.
2. A 12% probability of losing up to £40M — i.e. there’s a 12% chance of losing between £0 and £40M in the next twelve months.
3. A 12% probability of losing about £40M. Perhaps plus or minus £5M, or between £30M and £50M. The range needs to be specified.
4. A 12% probability of losing more than £40M — i.e. there’s a 12% chance of aggregate losses due to cyber incidents exceeding £40M in the next twelve months. This is what actuaries call the probability of exceedance or ‘EP’ value.
Option four is rarely used outside the world of insurers, and yet it’s easier to estimate, it produces more consistent and realistic results, and it can be used mathematically to produce an overall cost of risk. If EP values are estimated for several different impact boundaries (including the tail, where the probability drops towards zero), then an EP curve can be constructed, and the area under that curve is the expected annual loss: what actuaries call the ‘pure premium’ or total cost of risk. Keep in mind that a business case that aims to reduce this annual cost of cyber risk is far more likely to convince your CFO.
Making a business case
The reduction in the area under the EP curve, comparing the curve before improvement with the curve after it, represents the value of the risk benefit achieved. For a valid comparison with capital expenditure, the monetary values need to represent bottom-line profit lost, or ‘EBITDA’ in accounting terms; lost revenue on its own doesn’t count, only the profit it would have produced. These values should also take into account the cost of restoring reputation and the damage to forecast growth, any fines, penalties or compensation paid, and the financial effect of any sanctions imposed or negotiated changes in trading terms.
A business case for investing in risk improvement also needs to estimate the time taken to realise the full risk-improvement benefit, because the longer that takes, the longer the organisation is operating at an unacceptable level of risk, and every year of delay is a year of the old cost of risk that the investment does not recover.
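As an added worked example (not part of the original blog), the following Python builds an EP curve from option-4 style estimates, computes the area under it as the annual cost of risk, and then turns a before/after pair of curves plus a ramp-up period into the benefit figure a business case needs. The loss thresholds, probabilities, capital cost, horizon and ramp-up period are all constructed assumptions chosen to match the blog’s £40M / 12% illustration; they are not BT data. The curve is closed off at a threshold whose exceedance probability is taken as zero, which is itself an assumption (a truncated tail understates the expected loss), and the ramp-up is modelled as linear.

```python
"""Cost of cyber risk from an exceedance-probability (EP) curve.

Added illustrative example. Every figure below is a constructed assumption,
not data from the blog. Monetary values are GBP millions of lost profit
(EBITDA), as the text requires for comparison with capital expenditure.
"""
from typing import List, Tuple

# (loss threshold in GBP millions, P(aggregate annual cyber loss > threshold))
Curve = List[Tuple[float, float]]

# Constructed EP estimates for the current state. Each point answers the
# option-4 question "what is the chance losses this year exceed X?", so the
# blog's example is the point (40, 0.12). The final point closes the curve
# at a loss whose exceedance is assumed to be 0.
BEFORE: Curve = [(0, 0.60), (5, 0.35), (10, 0.25), (20, 0.18),
                 (40, 0.12), (80, 0.04), (160, 0.01), (320, 0.0)]

# Constructed EP estimates after a hypothetical improvement programme.
AFTER: Curve = [(0, 0.50), (5, 0.22), (10, 0.14), (20, 0.09),
                (40, 0.05), (80, 0.015), (160, 0.003), (320, 0.0)]


def validate_ep_curve(curve: Curve) -> None:
    """Reject inputs that cannot be an exceedance-probability curve."""
    losses = [x for x, _ in curve]
    probs = [p for _, p in curve]
    if len(curve) < 2 or losses != sorted(set(losses)):
        raise ValueError("loss thresholds must be strictly increasing")
    if losses[0] != 0:
        raise ValueError("curve must start at a threshold of 0")
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("exceedance probabilities must lie in [0, 1]")
    if any(later > earlier for earlier, later in zip(probs, probs[1:])):
        raise ValueError("P(loss > X) cannot increase as X grows")
    if probs[-1] != 0.0:
        raise ValueError("close the curve at a threshold with exceedance 0")


def exceedance_probability(curve: Curve, loss: float) -> float:
    """P(annual loss > loss), linearly interpolated between estimated points."""
    validate_ep_curve(curve)
    if loss >= curve[-1][0]:
        return 0.0
    for (x0, p0), (x1, p1) in zip(curve, curve[1:]):
        if x0 <= loss <= x1:
            return p0 + (p1 - p0) * (loss - x0) / (x1 - x0)
    raise ValueError("loss is below the first threshold")


def expected_annual_loss(curve: Curve) -> float:
    """Pure premium: area under the EP curve, i.e. the integral of P(L > x) dx,
    evaluated with the trapezoidal rule over the estimated points."""
    validate_ep_curve(curve)
    return sum((x1 - x0) * (p0 + p1) / 2.0
               for (x0, p0), (x1, p1) in zip(curve, curve[1:]))


def annual_risk_reduction(before: Curve, after: Curve) -> float:
    """Reduction in the annual cost of risk delivered by the improvement."""
    return expected_annual_loss(before) - expected_annual_loss(after)


def realised_benefit(annual_reduction: float, horizon_years: float,
                     ramp_years: float) -> float:
    """Benefit over the horizon when the reduction ramps linearly to full
    effect over ramp_years. The fraction realised at time t is
    min(1, t / ramp_years); integrating it over the horizon gives the
    effective number of years at full benefit."""
    if horizon_years < 0 or ramp_years < 0:
        raise ValueError("years cannot be negative")
    if ramp_years == 0:
        effective_years = horizon_years
    elif horizon_years <= ramp_years:
        effective_years = horizon_years ** 2 / (2 * ramp_years)
    else:
        effective_years = ramp_years / 2 + (horizon_years - ramp_years)
    return annual_reduction * effective_years


def business_case(before: Curve, after: Curve, capex: float,
                  horizon_years: float, ramp_years: float) -> dict:
    """Summarise the comparison a CFO will ask for: benefit against spend."""
    reduction = annual_risk_reduction(before, after)
    benefit = realised_benefit(reduction, horizon_years, ramp_years)
    return {
        "cost_of_risk_before": expected_annual_loss(before),
        "cost_of_risk_after": expected_annual_loss(after),
        "annual_reduction": reduction,
        "benefit_over_horizon": benefit,
        "net_of_capex": benefit - capex,
    }


if __name__ == "__main__":
    for name, curve in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: P(loss > 40M) = {exceedance_probability(curve, 40):.3f}, "
              f"expected annual loss = {expected_annual_loss(curve):.3f}M")
    case = business_case(BEFORE, AFTER, capex=12.0, horizon_years=5, ramp_years=2)
    for key, value in case.items():
        print(f"{key}: {value:.3f}M")
    # The same programme delivered instantly would be worth more; the gap is
    # the cost of the ramp-up period the blog says the case must estimate.
    instant = realised_benefit(case["annual_reduction"], 5, 0)
    print(f"benefit lost to the 2-year ramp-up: {instant - case['benefit_over_horizon']:.3f}M")
```

With these constructed curves the annual cost of risk falls from about £15.0M to £7.5M, a reduction of roughly £7.5M a year; over a five-year horizon with a two-year ramp-up that is worth about £30M against the assumed £12M of capital spend, and the ramp-up alone costs a full year of benefit. Reading the 12% off the ‘before’ curve at £40M shows what an EP value means in practice: one point on a curve, not a standalone likelihood.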
To learn more, download our report exploring the five steps you have to navigate to protect your organisation from attack.