With today’s cyber risk landscape, it is hard to disagree that effective protection against cyber threats should be a top priority for every Firm. As cyber-attacks become more potent, cyber risk management techniques are also increasing in sophistication. One such area is Cyber Risk Quantification, where impacts from cyber risks are estimated and quantified into financial losses. While there are many ways to quantify risk, Enterprise Risk Managers and IT Security leaders face a key question: Is there a purpose for Cyber Risk Quantification? Read on to learn why Cyber Risk Quantification is an important step in managing cyber risks in a world where cyber risk is a top risk for Firms globally.
A World Without Quantification
Let’s imagine for a moment that you don’t quantify the impacts of cyber risk in financial terms.
In this state of the world, your cyber risk assessment is largely technical. The assessment typically looks at your technology assets and evaluates potential threats against your IT controls. The output from such assessments is some form of a directional score or rank for cyber risk.
Many technical cyber risk frameworks take this approach. These frameworks provide a good first step in understanding the technical impacts of cyber risk. They can provide important technical insights by forcing you to take a look at your vulnerabilities and consider options for mitigation of cyber risk.
In this ideal world, your entire Management Team is composed of technical experts, and you have no financial constraints and an unlimited budget. So you can not only sufficiently review all vulnerabilities with your Management Team but also address all of them. In this world, you can get complete protection from cyber risk at a point in time, and you have no need for or benefit from cyber risk quantification.
Reality Check
In reality, though, the cyber threat landscape is constantly changing. Even with an unlimited budget, full protection is nearly impossible. You have constrained IT security budgets. This means you often face choices and tradeoffs among mitigation options.
In this real world, it is very unlikely that your Management Team is made up entirely of technical experts. So when you need funding, you have to explain to your Management Team where and why additional mitigation spend is needed. You may also have to provide insights into cyber threat protection and spend optimization to your Management Team and Board.
From IT War Rooms to Board Rooms
Cyber risk continues to stay top-of-mind for Executive Management Teams and Boards globally. So IT Security Leaders and Risk Managers additionally take on the role of educating and informing stakeholders on cyber risk. This requires you to provide meaningful insights and communication that informs Management decision-making.
This activity is separate from the actual management of cyber risk via IT Controls. It can take many forms, but usually involves simplifying and explaining technical concepts to non-technical audiences. Done episodically, this can get quite effort-intensive depending on your stakeholder group. And this effort may still not meaningfully inform decision-making and oversight.
As more business functions and stakeholders understand, influence and contribute to decisions about cyber risk management, keeping the communication limited to the technical aspects of cyber risk is restrictive. Your business leaders want to know the impacts of cyber risk to their specific business operations.
But if such conversations are too broad or too technical, you might sell the risks short and the related mitigation needed even shorter. Insufficient risk mitigation can lead to risk events and reduce credibility and confidence in cyber risk management.
Your stakeholder teams may fully intend to contribute to the best of their abilities. But in situations where they are not experts, they will contribute to the best of their understanding. In such an environment, purely technical discussions of risk inhibit understanding of critical cyber risks, tradeoffs and optimal mitigation.
The purpose of Cyber Risk Quantification
So the understanding and communication of the impacts of cyber risks has to evolve. And this communication does not have to be in a language different from the one the rest of the business already uses – the language of Finance. This is where Cyber Risk Quantification plays a critical role.
Cyber Risk Quantification enables the translation of sources of cyber risk into their financial impacts. This translation makes it possible to treat cyber risks similarly to other financial risks and meaningfully simplifies understanding and decision-making. Linking and quantifying cyber risks in financial terms enables communication of impacts to business operations in terms the business leaders understand.
Management Teams can then determine which of the potential cyber risk outcomes are unacceptable to the Firm in dollar terms. These insights also position business and IT security leaders to select the optimal combination of technical and non-technical mitigation options for risk mitigation. Visibility into financial impacts additionally puts mitigation costs in context, relative to the financial losses averted by the mitigation.
Technical assessments will always be important and technical controls will largely continue to be the means for cyber risk mitigation. But when cyber events occur, the entire Firm and its stakeholders feel their impacts. Such impacts can be financial, reputational and sometimes regulatory. So any prospective risk mitigation decisions must factor in all these impacts.
Cyber Risk Quantification serves the important purpose of ensuring such mitigation decisions are well-informed and in line with the risk-taking or risk-averse behavior of the Firm.
Beyond basic Cyber Risk Quantification
A good Cyber Risk Quantification platform can also provide additional benefits beyond basic quantification. With insights on technical risk factors and impacts under different scenarios, IT Risk leaders can improve the quality of time spent on actual risk management. With financial impact insights, Enterprise Risk Managers can understand catastrophic scenarios and propose mitigation projects. Empowered by these insights, Management Teams and Boards can bring their business expertise to bear and improve confidence in the cyber risk capabilities of the Firm.
Cyber Risk Quantification is not a completely new risk management technique, but the next milestone of a maturing cyber risk management capability.