What’s involved in a cyber risk quantification?
Cyber risk quantification identifies assets, understands threat communities, defines the loss event, and determines the financial impact of a data breach.
A cyber risk quantification, as with any type of assessment, must start with proper scoping.
Specific to cyber risk quantification, it is essential to clearly establish the who, the what and the how:
- Who – Threat Source (examples = hackers, privileged insiders, cyber criminals, or nation states)
- What – Assets that will be targeted by the threat source(s)
- How – Loss Event (examples = data breach, denial of service, or data manipulation)
It should be pointed out that risk is defined as the probable frequency and probable magnitude of future loss. If there is no asset, or no loss can occur, then it cannot be classified as a risk. Therefore, with that overarching principle in mind, a discussion first takes place to identify the assets, understand the threat communities, and define the loss event.
In those cases where an organization does not readily know those specifics, a discussion can be started by simply asking, “How do you plan on using the results?”
In those cases where even that question cannot define the scope, an assessment can be started to address:
- Executive Cyber Concerns
- Understanding Risk to Critical Assets
- Cost/Benefit to Upcoming Cyber Projects
Once the scope is properly defined and agreed upon, the evaluation starts to take place. Our partner, RiskLens, has a risk quantification tool that helps in this effort by providing a short list of questions (typically around 30 per asset type). These questions lead the evaluator and client staff through identifying the various data points needed for a risk quantification. These data points can be characterized into two generalized groupings, Asset Resiliency and Threat Event Frequency.
It must be noted that neither the tool nor the evaluator is looking for precise numbers. Risk quantification works best with accurate ranges. Simply stated, saying with certainty that 10 external data exfiltration attempts occur every year can be difficult. But saying that between 7 and 15 attempts occur per year is more comfortable and probably more accurate.
The last data gathering step is to collect any (if possible) loss table related information. These typically include data sources such as:
- Prior fines and/or judgements
- Credit monitoring agreements
- Customer value
- Typical customer churn
If these data sources are not available, RiskLens has a loss table pre-populated with industry-provided values.
Finally, after all of the data gathering activities are complete, an initial risk analysis is generated. Obvious outliers (if any) are identified and the data inputs can be adjusted. This is typically done between the evaluator and the client point of contact. Once all parties agree on the final analysis, a final risk quantification report is generated and delivered.
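As an added example (not from this article, Evolver or RiskLens), here is a small Python model that ties the steps above together: the 7 to 15 attempts per year range from the text as Threat Event Frequency, an assumed range for the probability that an attempt defeats the asset's resiliency, and a constructed loss table built from fines, credit monitoring, customer value and churn. It returns both a midpoint estimate and a simulated distribution of annual loss, so the reader can see why ranges, not single numbers, are what the analysis consumes.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate expressed as a range rather than a point value."""
    low: float
    high: float

    def mean(self) -> float:
        return (self.low + self.high) / 2

    def sample(self, rng: random.Random) -> float:
        return rng.uniform(self.low, self.high)


# Constructed scenario: external data exfiltration against a customer database.
TEF_PER_YEAR = Range(7, 15)           # threat event frequency: attempts per year (range from the text)
P_SUCCESS = Range(0.05, 0.20)         # assumed: probability an attempt overcomes asset resiliency
LOSS_TABLE = {                        # assumed loss-table values for one loss event
    "fines_judgements": Range(50_000, 250_000),
    "credit_monitoring": Range(20_000, 80_000),
}
CUSTOMERS_AFFECTED = Range(2_000, 10_000)   # assumed
CUSTOMER_VALUE = Range(300, 600)            # assumed: revenue lost per churned customer
CHURN_RATE = Range(0.02, 0.06)              # assumed: fraction of affected customers who leave


def loss_magnitude_mean() -> float:
    """Midpoint loss per event: fixed loss-table items plus customer churn."""
    fixed = sum(r.mean() for r in LOSS_TABLE.values())
    churn = CUSTOMERS_AFFECTED.mean() * CHURN_RATE.mean() * CUSTOMER_VALUE.mean()
    return fixed + churn


def annualized_loss_mean() -> float:
    """Point estimate: loss event frequency (TEF x P_SUCCESS) times loss magnitude."""
    return TEF_PER_YEAR.mean() * P_SUCCESS.mean() * loss_magnitude_mean()


def simulate_annual_loss(years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the ranges: each simulated year draws attempts, successes and losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(round(TEF_PER_YEAR.sample(rng))):
            if rng.random() < P_SUCCESS.sample(rng):       # attempt becomes a loss event
                total += sum(r.sample(rng) for r in LOSS_TABLE.values())
                total += CUSTOMERS_AFFECTED.sample(rng) * CHURN_RATE.sample(rng) * CUSTOMER_VALUE.sample(rng)
        losses.append(total)
    losses.sort()
    return {"mean": statistics.fmean(losses), "p50": losses[len(losses) // 2], "p90": losses[int(0.9 * len(losses))]}
```

The midpoint estimate and the simulated percentiles usually disagree noticeably, which is the point: a report built on ranges shows the spread of likely years, not a single number that hides it.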
About the Author: Ed Peck is Evolver’s Cybersecurity Consultant and is certified by RiskLens to perform cyber risk quantification for businesses and organizations of all sizes. Evolver offers cybersecurity services to federal, commercial and legal clients. Evolver has also developed the Cyber Risk Ecosystem, of which cyber risk quantification is the first step.