Governance, Risk and Compliance

Assigning a Monetary Value to Cyber Risk

Risk reduction

Cyber Risk Quantification is the expression of (an organization’s) cyber risk in monetary terms based on the probability and magnitude of potential cyber incidents and breaches. It helps cybersecurity and business leaders (a) prioritize different kinds of risk and (b) make better-informed decisions about investing resources to mitigate risk.

With monetary values attached to potential cyber incidents, organizations can reduce uncertainty about risk impact and direct resources to areas where they will have the most benefit.

Risk monetization data also bridges the gap between cybersecurity and business leaders by presenting risk in nontechnical terms that senior management understands and cares about. By viewing risk in monetary terms, business leaders can see how cyber incidents can impact the bottom line – i.e., revenue losses due to downtime, infrastructure and operational disruption, data loss, ransomware, and other kinds of threats. This helps organizations align their security initiatives with overall business goals and facilitate communication between security-focused and business-focused executives.

Addressing Concerns about Cyber Risk Quantification

The most commonly cited concerns about cyber risk quantification are:

  1. That it relies on insufficient or unreliable data, and
  2. That it isn’t possible to measure accurately because cybercriminals constantly (and sometimes arbitrarily) switch targets, tactics and techniques.

While concerns about uncertainty are valid and it’s impossible to be 100% accurate when measuring risk of any kind, quantification data derived through a sound analytic model can still dramatically improve organizations’ ability to understand the complexities of risk and make better decisions about prioritization and spending.

Moreover, the quality and quantity of data that organizations can get about external cyber threats and internal assets (both infrastructure and data), and their ability to correlate and add context to this is improving every day. Data on cyber risk has grown enormously over the last few years, and continues to improve in quality. Businesses that can successfully fit cyber risk stats into organizational context can make a useful assessment of what they stand to lose if an incident occurs, how likely that scenario is, and what to do to mitigate the risk.

Why Businesses Need to See Cyber Threats in Monetary Terms

The range of results that can be achieved by quantifying cyber risk in monetary terms includes:

  • Increasing credibility with senior leadership
  • Aligning cyber risk with other business risk
  • Understanding cyber insurance needs
  • Saving money and resources
  • Improving cybersecurity project prioritization
  • Adding value to a strategic decision

A PwC study found that only 45% of organizations are confident that their cyber spend is allocated to the most significant risks, and that only 42% think their cyber spend provides the best possible return.

Security budgets are not unlimited, and security teams cannot protect everything all the time. In order to allocate resources to security initiatives and infrastructure components that will have the maximum impact, organizations need a reliable mechanism to identify business-critical data and assets and prioritize risk.

Without context-specific data on what potential cyber incidents could cost them, organizations are left with no option but to make investments based on guesswork, misplaced fear, or whatever is “trending” in security. On the other hand, if they do quantify risk in monetary terms (provided this is based on a good analytic model), companies can see a very real, positive impact on ROI. Security leaders can justify risk prioritization and spending based on data and communicate more effectively with senior leadership and stakeholders.

There has also been a greater demand for cyber risk quantification data from the business side in recent years. Security is no longer seen as a technology issue, but as a business concern. This is driven by increased adoption of digital transformation initiatives across industry sectors, the recognition that breaches are inevitable in the current threat landscape, and a growing demand for cybersecurity services. With increasing awareness about cyber threats, many high-profile cases making the news, and cybersecurity spend becoming a critical part of overall company budgets, more security leaders are getting a seat at the table.

What (Monetary) Cyber Risk Quantification Data LookS Like

Different vendor platforms and quantification services use different analytic models and algorithms to measure risk and assign a monetary value to threats. Additionally, risk matrices vary for individual organizations based on industry context, compliance and legal requirements, business goals, and a whole range of other factors. In general, the accuracy and reliability of these numbers depend on the risk data available to organizations, how effectively they can connect cyber and enterprise risk, and the level of granularity they can achieve when measuring risk.

To begin with, an organization must have a solid understanding of:

  • Its IT assets (both data and infrastructure) at risk;
  • The range of cyber threats and incidents that these assets may be vulnerable to, and
  • The impact specific incidents could have (downtime, data loss, data modification, etc..)

Data Discovery and Categorizing data by type: Cyber risk quantification can work only if an organization has visibility into its data – what data it has, where it is located, who has access to it, and how it is secured.

Sensitive Data Value on the Dark Web: Data can be categorized by type, such as passwords, social security numbers, bank account details, credit card numbers and drivers’ licenses, and a value can be assigned to each record based on what it’s worth on the dark web or hacker marketplaces. This can be used to get a monetary value for all the data that the organization has stored in its environment.

Ransomware and Breach Recovery Costs: Because ransomware continues to be a critical threat to organizations across geographies and industries, businesses of all sizes can benefit from data on ransomware recovery costs. This may be based on how many endpoints an organization has, how many employees use those systems, estimated downtime due to a ransomware incident or a data breach, and monetary value of data. Data breach recovery costs would include incident investigation fee, customer notification costs, fines and penalties (for noncompliance), legal fees, and more.

Residual Risk and Risk Reduction Costs: One of the most important Risk Quantification metrics is residual risk cost. Cyber risk, like all other kinds of risk, cannot be eliminated completely, but organizations can bring down their risk to acceptable levels based on how much risk they can absorb without impacting business significantly. Residual risk is the risk that remains after most high-severity or high-probability risks have been reduced to a tolerable level. By using a Risk Quantification or Risk Monetization tool that allows them to see what security strengthening actions they can perform to reduce residual risk, organizations can quickly implement controls that have the greatest positive impact. These numbers also help CISOs and other security leaders to demonstrate to the board how their security program brings down inherent risk.

Some of the risk reduction activities and assessments that can bring down residual risk and its costs significantly are:

  • Regular vulnerability scanning and mitigation
  • Secure configuration scanning
  • Sensitive data discovery
  • Ransomware and breach protection
  • Phishing attack simulations
  • External threat feed subscriptions, and
  • Cyber insurance.

How CYRISMA Can Help

CYRISMA’s consolidated cyber risk management platform includes a risk monetization tool that allows organizations to view their risk impact in monetary terms. The monetization dashboard includes their Sensitive Data’s Dark Web Value, Ransomware and Breach Recovery Costs, and Residual Risk Costs, with a questionnaire to help reduce residual risk. All monetization metrics are based on individual organizations’ data, assets, existing security controls, and compliance requirements. The platform also includes functionality for sensitive data discovery, vulnerability management, secure baseline, risk mitigation, and dark web monitoring.

Because it’s affordable, easy-to-use, and includes multiple products in one, CYRISMA is ideal for MSSPs protecting small and medium businesses. It’s usually SMBs that are unable to realize the benefit of risk monetization because of budget and resource constraints. It’s also SMBs that have the greatest need for this data to really zero in on the most critical threats and make better-informed security investment decisions for increased ROI. With CYRISMA, they can do all this and more, without breaking the bank.

To know more about CYRISMA’s Cyber Risk Monetization feature, call us at +1 585-326-5829, or request a demo here.

Blog courtesy of CYRISMA. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.