As cyber threats continue to increase in both complexity and scope, businesses around the world acknowledge that cybersecurity is now one of their top business risks. As a result, the purchase of cybersecurity services and tools is at an all-time high. Despite record cybersecurity expenditures, and given the continually evolving cyber threat landscape, one of the key challenges facing corporations today is determining how cyber risk fits into comprehensive enterprise risk management. After a company performs a risk assessment and determines that it is in fact at risk of cyber incidents, how do risk managers determine the business impact of such incidents? How do risk managers prioritize activities to address the cyber threat versus other risks such as a hurricane, a pandemic or a bombing attack? How can you compare risks if you are not able to measure them?
With rapid technological innovation, the increase of devices and services provided online or connected through the Internet, and the inherent interdependencies of the Internet itself, cyber threats are unlike more traditional physical risks in important ways, including the speed at which they evolve and propagate and the almost unlimited attack surface, which enables multiple methods of attack. Adversaries also employ a “layered insecurity approach” based on multiple tiered objectives. For example, they may use a phishing attack to gain initial access to a system or network as a first objective, extract files and data as a second objective, and then use that information and access to deny services or disrupt industrial control systems. Many entities only realize months or years after the initial intrusion that they have been compromised.
So, when a company states publicly that it has suffered 15 cyber attacks in the last week, what does that mean in terms of consequences? What does a cyber incident equate to in terms of consequences for the company’s finances, employees, reputation and brand, customers, market availability and other institutional concerns?
Modeling Cyber Risk
Traditionally, as a proxy for comprehensive entity risk quantification, many risk managers use insurance risk models to identify and quantify potential consequences. However, the cyber risk insurance market, although maturing, remains in its infancy, and there is a growing need for standardized models to enable companies to plan, train and resource against cyber risk.
For cyber resilience assurance to be effective, a concerted effort among ecosystem participants is required to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk.
The World Economic Forum’s (WEF) “Partnering for Cyber Resilience” initiative, of which I am a member, has turned to this challenge and members have framed the cyber value-at-risk (VAR) concept as a proposed methodology for cyber consequence quantification. The WEF released the initiative’s latest report, “Towards the Quantification of Cyber Threats,” at the annual meeting in Davos last January.
As a first step, the report encourages organizations to clearly identify and standardize information inputs that will in turn enable risk managers to implement a tailored and repeatable methodology so risk can be identified and assessed across the enterprise. Initiative members agreed that at the heart of risk identification and assessment, organizations must be able to quantify cyber risk in order to make sound investment and risk acceptance, mitigation, transfer and management decisions.
A VAR model seeks to determine the aggregate level of risk faced by an entity resulting from cyber threats over a given duration of time and at a particular level of exposure; in value-at-risk terms, this is the loss that the entity should not expect to exceed over that period at a stated level of confidence. The report suggests that in considering a cyber value-at-risk methodology, entities should look to the value of their assets, the profile of would-be attackers and their existing cybersecurity posture as key components. The result of such a methodology would enable an organization to more fully integrate the concept of cyber risk into its comprehensive enterprise risk management framework and to prioritize resources accordingly.
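To make the value-at-risk idea in the two paragraphs above concrete, here is an added illustration (it is not the WEF report’s methodology and not code from SDI or the initiative) of the simplest form such a model can take: incident frequency is driven by exposure and attacker profile, severity per incident by asset value, and the model reports the annual loss not exceeded at a chosen confidence level. It also shows how a mitigation decision (a posture that halves incident frequency) and a transfer decision (an insurance policy with a deductible and a limit) change the figure. The scenario parameters, the two postures and the policy terms are all constructed for the example.

```python
import math
import random
from statistics import mean

# Constructed scenario parameters (illustrative only, not from the WEF report):
#   frequency   - expected incidents per year, shaped by exposure and attacker profile
#   median_loss - median loss per incident in dollars, shaped by asset value
#   sigma       - spread of the lognormal severity distribution (heavier tail when larger)
SCENARIOS = {
    "current posture":  {"frequency": 2.0, "median_loss": 250_000.0, "sigma": 1.2},
    "improved posture": {"frequency": 1.0, "median_loss": 250_000.0, "sigma": 1.2},
}


def poisson(rng, lam):
    """Poisson draw by Knuth's multiplication method; adequate for small annual rates."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(frequency, median_loss, sigma, years=10_000, seed=2015):
    """Return one simulated total loss per year.

    Each year draws a Poisson number of incidents and a lognormal loss for each one,
    so the annual total is a compound distribution with a heavy right tail.
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal location parameter; exp(mu) is the median
    totals = []
    for _ in range(years):
        incidents = poisson(rng, frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return totals


def value_at_risk(losses, confidence):
    """Smallest loss that at least `confidence` of the simulated years do not exceed."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def retained_loss(gross, deductible, limit):
    """Loss the entity keeps after a policy pays out above the deductible, up to the limit."""
    payout = min(max(gross - deductible, 0.0), limit)
    return gross - payout


def summarize(losses, deductible=100_000.0, limit=2_000_000.0):
    """Expected annual loss, 95% and 99% VaR, and 95% VaR after risk transfer."""
    retained = [retained_loss(x, deductible, limit) for x in losses]
    return {
        "expected_annual_loss": mean(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "var_95_after_transfer": value_at_risk(retained, 0.95),
    }


if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        s = summarize(simulate_annual_losses(**params))
        print(f"{name:17} EAL ${s['expected_annual_loss']:>12,.0f}  "
              f"VaR95 ${s['var_95']:>12,.0f}  VaR99 ${s['var_99']:>12,.0f}  "
              f"VaR95 retained ${s['var_95_after_transfer']:>12,.0f}")
```

The point of running both postures side by side is the comparison the report asks for: the gap between the two VaR figures is the value of the control investment, and the gap between gross and retained VaR is the value of the policy, both stated in the same units the rest of the enterprise risk register uses. The 99% figure sits well above the 95% figure because a few bad years dominate the tail, which is why the expected annual loss alone understates what a risk manager should plan for.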
The key to true cyber resilience is the resilience of the ecosystem. As the number of organizations employing such models and methodologies increases, it is my hope that we will begin to better understand the comparative risk of various sectors, interdependencies and potential cascading effects and will be able as a community to more effectively manage cybersecurity risks.
By Kirstjen Nielsen, SDI Cyber Risk Practice. Kirstjen is the Chair of the World Economic Forum’s Global Agenda Council on Risk and Resilience and is a member of the WEF’s Partnering for Cyber Resilience Initiative.
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
May 5, 2015