Today’s organizations rely more than ever on statistics. But when it comes to statistics, few are as important as cyber risk. The ability to measure cyber risk is critical to making informed security investments and implementing the controls necessary to minimize the risk of a data breach.
Not understanding the level of risk in the environment leaves dangerous vulnerabilities unaddressed, and those can cause millions of dollars in damage.
Despite this, most organizations still fall short in understanding their risk exposure. Research shows that only 50% of IT leaders and 38% of business decision makers believe the C-suite fully understands cyber risk.
This isn’t for lack of trying either, with Gartner reporting that security and risk management leaders are increasingly investing in quantification of cyber risks for decision support, although only 36% report concrete results.
To some extent, the challenge of quantifying cyber risk is subjective, with organizations identifying a different level of risk depending on how they define cyber risk, as well as the methodologies and data signals they use to measure it.
But what exactly is cyber risk?
In simple terms, cyber risk is the level of risk an organization faces in the event of a cyber attack.
Under the Factor Analysis of Information Risk (FAIR) quantitative risk model, risk management is defined as “the combination of personnel, policies, processes, and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure.”
Organizations need to be able to measure this risk not only to ensure the overall security of their environments, but also to make sure they don’t overspend on ineffective controls.
James Turgal, VP of Cyber Risk, Strategy and Governance at MXDR provider Optiv, stresses that “Cyber risk quantification should be an essential part of all corporate actions to understand and measure the risk to that enterprise in the event of a cyber attack.”
Turgal notes that companies can use cyber assessments defined by entities such as NIST to identify key technology assets, determine what impact a data breach would have on the business, understand the likelihood of exploitation and arrive at an acceptable level of cyber risk.
Frameworks for measuring cyber risks
When it comes to measuring cyber risk, there are many frameworks and methodologies that companies can choose from, including Factor Analysis of Information Risk (FAIR), the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF).
Of the frameworks available, many consider FAIR to be the most comprehensive for providing a set of standards and best practices to help measure and mitigate information risk in a business environment.
Unlike other frameworks, such as those offered by NIST, ISO, OCTAVE and ISACA, FAIR gives organizations more guidance on the mitigation process itself, rather than leaving them to define and flesh out their own approaches to closing security gaps.
Other frameworks such as the CSF take a narrower view, focusing on identifying a company’s risk tolerance and letting security leaders define roles, responsibilities and processes to minimize risk throughout the environment.
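To make concrete what a FAIR-style quantification actually computes, here is an added worked example written for this page (it is not code from the FAIR Institute, NIST or any vendor named in the article). It uses the top-level FAIR decomposition, risk = loss event frequency × loss magnitude, with loss event frequency = threat event frequency × vulnerability, runs a Monte Carlo simulation over calibrated min/most-likely/max estimates, and reports annualized loss exposure in dollars. It also compares a baseline scenario with a hardened one to show whether a control is worth its cost, which is the “don’t overspend on ineffective controls” question raised earlier. The scenario numbers, the scenario names and the control cost are constructed for illustration only; the triangular distribution stands in for the PERT distribution a full FAIR analysis would normally use.

```python
"""Added example: a minimal FAIR-style Monte Carlo for annualized loss exposure.

Not FAIR Institute, NIST or vendor code. All scenario values are constructed.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate for one FAIR factor.

    Sampled as a triangular distribution (a real FAIR analysis typically uses
    PERT); its mean (low + mode + high) / 3 is easy to check by hand.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    """Top-level FAIR factors: risk = loss event frequency x loss magnitude."""
    name: str
    threat_event_frequency: Estimate  # attempts per year
    vulnerability: Estimate           # P(an attempt becomes a loss event), 0..1
    loss_magnitude: Estimate          # dollars lost per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: how many loss events occur in a year at expected rate lam."""
    if lam <= 0.0:
        return 0
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, iterations: int = 20000, seed: int = 1) -> List[float]:
    """Monte Carlo: one simulated annual loss (dollars) per iteration."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        lef = tef * vuln  # expected loss events this year
        events = poisson(rng, lef)
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def percentile(values: List[float], p: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(round(p * (len(ordered) - 1))))]


def summarize(annual_losses: List[float]) -> Dict[str, float]:
    """Figures a decision maker can act on: expected loss and tail (1-in-10, 1-in-20 year) losses."""
    n = len(annual_losses)
    return {
        "mean": sum(annual_losses) / n,
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "p95": percentile(annual_losses, 0.95),
        "prob_any_loss": sum(1 for x in annual_losses if x > 0) / n,
    }


def analytic_mean(scenario: Scenario) -> float:
    """Expected annual loss = E[TEF] * E[Vuln] * E[LM]; factors are sampled independently."""
    return (scenario.threat_event_frequency.mean()
            * scenario.vulnerability.mean()
            * scenario.loss_magnitude.mean())


def control_net_benefit(baseline: Scenario, hardened: Scenario,
                        annual_control_cost: float, iterations: int = 20000, seed: int = 1) -> float:
    """Simulated expected loss avoided minus the control's cost; negative means overspending."""
    avoided = summarize(simulate(baseline, iterations, seed))["mean"] \
        - summarize(simulate(hardened, iterations, seed))["mean"]
    return avoided - annual_control_cost


# Constructed scenario: ransomware against file servers (illustrative numbers only).
BASELINE = Scenario("ransomware on file servers (baseline)",
                    Estimate(0.5, 2.0, 6.0), Estimate(0.10, 0.30, 0.60),
                    Estimate(50_000, 400_000, 3_000_000))
# Same threat, but with offline backups and tighter admin access assumed to cut vulnerability.
HARDENED = Scenario("ransomware on file servers (hardened)",
                    BASELINE.threat_event_frequency, Estimate(0.02, 0.08, 0.20),
                    BASELINE.loss_magnitude)

if __name__ == "__main__":
    for label, value in summarize(simulate(BASELINE)).items():
        print(f"{BASELINE.name}: {label} = {value:,.2f}")
    print(f"net benefit of a $150k/yr control: {control_net_benefit(BASELINE, HARDENED, 150_000):,.0f}")
```

The point of the simulation rather than a single multiplied estimate is the tail: two scenarios with the same expected loss can have very different p95 figures, and the p95 is what drives cyber insurance limits and board-level risk appetite decisions. The control comparison shows the same model answering the investment question directly in dollars, which is how a quantified result reaches a CFO.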
This includes, for example, implementing controls to manage identities and credentials, remote access, protect data in transit, reduce the likelihood of data leaks, and detect malicious code.
Likewise, the RMF provides a straightforward seven-step process for securing modern and legacy IT systems and technologies.
The core steps of the RMF are: prepare, by carrying out the activities that equip the organization to manage security and privacy risk; categorize the system and the information it stores, processes or transmits, based on an impact analysis; select and implement NIST SP 800-53 controls; assess whether those controls are working; authorize the system to operate; and monitor the controls on an ongoing basis.
What about organizations struggling to quantify cyber risks?
With so many risk management frameworks to choose from, many organizations are looking to risk calculators to help identify their exposure to threat actors.
Recently, risk quantification vendor Safe Security launched a free risk calculator called the Safe CRQ Calculator, which uses its proprietary predictive research model to analyze an organization’s industry and estimate the likelihood of a breach over the next 12 months.
Safe Security’s Safe CRQ Calculator speeds up the risk quantification process by quickly highlighting the organization’s exposure to cyberattacks, the number of ransomware attacks in its industry, and the potential financial impact of a breach.
As Pankaj Goyal, Senior Vice President of AI and Cyber Insurance at Safe Security, explains, the Safe CRQ Calculator converts external and internal cyber signals into a mathematical model that translates a technical risk calculation into a concrete financial value for the business risk.
For Goyal, success lies “in the depth and quality of signals. Signals must be real-time and comprehensive across the attack surface. We collect signals about the attack surface (people, processes, technology) through APIs in an automated way.”
For many organizations, the figures produced by a pre-built risk calculator can also be more accurate than an in-house estimate, especially when the calculator draws on a wider range of data signals.
For example, the CRQ calculator combines publicly available data from sources including SEC filings, regulatory reports, insurance reports and budget reports on more than 1,500 incidents over the past 10 years to build its risk model. That is a wider range of data signals than an organization working from a less mature risk model of its own will typically have.
The evolving role of the CISO in managing cyber risk
For CISOs, a growing part of managing enterprise risk is taking responsibility for the business success of the organization as a whole.
In fact, Gartner predicts that by 2026 at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts. This shift will prompt CISOs to rethink how they manage cyber risk.
Sam Olyaei, research director at Gartner, explains: “The role of the CISO must evolve from the ‘de facto’ person responsible for handling cyber risks to responsibility for ensuring that business leaders have the capabilities and knowledge needed to make informed, high-quality information risk decisions.”
In this sense, the CISO’s role in managing cyber risk will no longer be a checkbox exercise of ticking off cyber risks, but an active role in equipping key stakeholders and decision makers with the information they need to manage cybersecurity risk while achieving key business objectives.