Optimising cyber risk management: the investment required to quantify your risks
Cyber Resilience | Article | October 6, 2023
The problem: a better way to manage cyber risks
In our dynamic digital landscape, modern organisations face a vast range of complex cyber risks. Risk Managers and cybersecurity professionals face an uphill battle, struggling to make sense of these ever-evolving risks.
As a result, the cyber security and risk industry has been calling for better ways to assess and manage their cyber risks. But it is not just the risk complexity that is triggering the call. There are many reasons:
- Digital landscape: Cyber-attacks are a daily news occurrence and new threats are emerging every day. Your risk view needs to be updated and reviewed regularly.
- Board engagement: Board members and senior leaders recognise cyber risks as enterprise level risks and demand clearer metrics to manage them.
- Supply chain risk: Many believe the ‘weak link’ in cyber security is the risk of cyber-attacks through an organisation’s supply chain. To reduce this risk, supply chain cyber risk assessments need to be systematic and thorough.
- Industry regulations: The SEC (US Securities and Exchange Commission) has enhanced its requirements for disclosing and managing cybersecurity risks and set a higher standard for cyber risk management. For many organisations this exposes a gap in their risk management, especially as they must report on ‘material’ risks in an accurate and timely manner.
So what is the solution to calculate and report ‘material risk’, communicate risks to the board and measure the risks posed to us through our supply chain? The answer is Cyber Risk Quantification (CRQ), which is quickly becoming a Cyber Risk Manager’s best friend.
The solution: Cyber Risk Quantification
CRQ is a useful technique to translate traditional risk scenarios that could cause losses into tangible financial information. CRQ is different from traditional risk scoring methods. Rather than subjective assessments and arbitrary scales, such as heatmaps, CRQ employs a data driven approach. This refers not just to the financial loss outputs but also to the effort and data input needed to achieve more accurate results. Where traditional risk assessments may label risk likelihood as ‘high’, ‘medium’, or ‘low’, modern CRQ solutions map known vulnerabilities to attack methods and threat actors focussed on your industry. Using this and data from similar companies with similar vulnerabilities, CRQ solutions can calculate the ‘likelihood’ (loss event frequency in CRQ terms) probabilistically and with more accuracy.
There are many modern solutions available to help quantify cyber risks. Most are built on the underlying Factor Analysis of Information Risk (FAIR) model and take your inputs alongside proprietary or open source data, such as MITRE attack methods, to run tens of thousands of simulations of cyber-attacks on your organisation. The statistical analysis aggregates the results from all simulations and presents you with a report detailing the minimum, maximum and most likely losses alongside their probability of occurrence.
Typically, these solutions require, but are not limited to, the following information from you:
- The volume of data in your critical information assets,
- The revenue generated by critical systems,
- The exposure of critical information assets, and
- The maturity of security controls.
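As an added illustration (not the article's own code or any vendor's tool), the following Python sketch runs the FAIR-style Monte Carlo described above: each input is a calibrated minimum / most likely / maximum range, loss event frequency is threat event frequency multiplied by vulnerability, and the summary reports the minimum, maximum and most likely annual loss together with the probability of exceeding a materiality threshold. The scenario figures are constructed assumptions; a real CRQ tool would derive its inputs from the asset, revenue, exposure and control-maturity data listed above rather than from hand-typed ranges.

```python
import math
import random

class Estimate:
    """Calibrated input expressed as a minimum / most likely / maximum range."""
    def __init__(self, low, mode, high):
        self.low, self.mode, self.high = low, mode, high
    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)

def poisson(rng, lam):
    """Number of loss events in one year at expected rate lam (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_loss(tef, vuln, magnitude, runs=20_000, seed=7):
    """FAIR Monte Carlo: loss event frequency = TEF x vulnerability; annual loss = sum of event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        lef = tef.sample(rng) * vuln.sample(rng)  # expected loss events this simulated year
        events = poisson(rng, lef)
        losses.append(sum(magnitude.sample(rng) for _ in range(events)))
    return losses

def summarise(losses, threshold, bin_width=250_000):
    """Min, max, most likely band (histogram mode) and P(annual loss > materiality threshold)."""
    bins = {}
    for loss in losses:
        band = int(loss // bin_width) * bin_width
        bins[band] = bins.get(band, 0) + 1
    return {
        "min": min(losses),
        "max": max(losses),
        "most_likely_band": max(bins, key=bins.get),
        "p_exceeds_threshold": sum(1 for x in losses if x > threshold) / len(losses),
    }

TEF = Estimate(1, 3, 8)  # constructed inputs, not figures from the article: threat events per year
VULN = Estimate(0.05, 0.15, 0.4)  # probability a threat event becomes a loss event
MAGNITUDE = Estimate(100_000, 600_000, 4_000_000)  # loss per event in currency units

if __name__ == "__main__":
    for key, value in summarise(simulate_annual_loss(TEF, VULN, MAGNITUDE), 1_000_000).items():
        print(f"{key}: {value:,.2f}")
```

Because the most likely band is the modal histogram bucket rather than the mean, a scenario can have a most likely annual loss of zero while still carrying a material probability of a seven-figure year, which is exactly the nuance a heatmap label hides.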
[Figure: The modern CRQ solution: inputs, modelling and benefits]
This information is invaluable for expressing all your cyber risks in financial loss terms and prioritising security efforts accordingly. Without a thorough approach, though, you could end up with misleading results.
The challenge: CRQ needs to be done properly or not at all
‘If it seems too good to be true, it probably is’: as with everything in life, rewards require effort. While CRQ holds immense promise as a cleaner way to assess, prioritise and communicate cyber risks, it requires an investment, starting with the right data and expert guidance.
The response: invest in the right places
To run a successful CRQ project you need four ingredients:
- Time to get the process right,
- Reliable data from your organisation,
- The right tools for your objectives, and
- People with experience of CRQ, and the hard and soft skills required.
Time
The mathematical modelling is the easy bit, as the CRQ solution or tool chosen will run that for you. It is the scoping, stakeholder engagement, data collection and interpretation of results that take most time and effort.
Take time to collect comprehensive data: there are many parts of the business to be consulted, and each department may have different security controls or vulnerabilities. Spend time getting the data as reliable as possible, such as understanding where all your data sits and how much revenue would be lost if your critical systems were down for a week. Rushed CRQ projects rarely deliver good outcomes.
Data quality
The maxim ‘garbage in, garbage out’ holds true for CRQ. The quality of the results depends on the accuracy of the inputs, particularly asset exposure and the maturity of controls. Under- or over-confident assessments will skew the results and could lead to the misallocation of resources, potentially diverting them away from more pressing threats.
The solution is to involve experts who have run cyber risk assessments and CRQ modelling across many organisations to act as ‘critical friends’.
Tools
Easy-to-use solutions are available where results can be obtained from simple surveys that require minimal data input and do not explain how they work. These CRQ ‘black box’ solutions can seem superficially attractive; however, they lack flexibility and can’t be tailored to your organisation’s unique risks, environment, and vulnerabilities. The inner workings of the solution are hidden, so the results can’t be trusted by you or your stakeholders.
Experts
Experts are the bedrock of an effective CRQ project. Experts use their knowledge, industry experience and exposure to many organisations to translate risk variables into quantifiable inputs. They ensure the data input into CRQ tools is correct, and they also help interpret and challenge the results. Expert support should verify the inputs, give added confidence in your results and help interpret outputs to develop effective risk strategies.
The potential of CRQ unveiled
CRQ is not a destination; it is an ongoing process to support cyber risk management in a period defined by continuous digital transformation. It provides actionable intelligence based on data-driven accuracy.
The true power of CRQ is unveiled by investing the right time and resources, particularly when it is run by experts who understand your organisation, its vulnerabilities, and its environment. These professionals, often rooted in the FAIR framework, bring objectivity that is missing from a black box tool. They verify and validate the data, and they help navigate any barriers to a successful project along the way.
Time, quality data, the right tools, and expertise are the foundations of a robust analysis of your financial exposure to cyber risks. With strong foundations you can be confident in the decisions you make about your risks and in your communications.
You may also like to watch our discussion with Julien Chamonal from Citalid Ltd on CRQ.
We can help
If you would like support with any cyber risk management services, please contact the writer of this article or email us. Zurich Resilience Solutions has experts in Cyber Risk and Resilience who can assist you with bespoke services.
Sheá Panayi
Cyber Risk Consultant
shea.panayi@uk.zurich.com