How do you measure cyber risk?

Cybersecurity is a threat to businesses globally, and is being increasingly viewed as an “enterprise risk”– it has financial implications and needs to be managed like other major business risk. Board members and senior management are looking for risk-based metrics to quantify, mitigate and then manage residual threat. The approaches and degree of maturity with regards to cyber risk measurement vary across organizations – from an audit-based approach to quantifying cyber risk in benchmark scores or in dollar terms.

While qualitative measures are used to communicate the level of severity of a cyber threat, they are unable to provide a sense of the quantum of losses that could occur over a period of time. Without this understanding of the cost of the threat, it is difficult for managers to decide on an appropriate risk management strategy. The ability to quantify and benchmark cyber risks provides significant advantage to an organization when it comes to adopting a cybersecurity strategy and prioritizing associated investments.

Benchmarking is an effective tool that allows an organization to visualize its security posture relative to an ideal or peer group, and to view existing gaps in its cybersecurity posture. One approach involves a diagnostic toolkit that assesses a company along three key dimensions and provides a score that can be compared against those of peer groups. The key dimensions are:

• Business Assets – Understanding of “crown-jewel” business processes and data, common view of their criticality across the organization and awareness of their presence on the underlying infrastructure
• Threat Perception – Effectiveness of the organization in collecting, analysing and disseminating threat information
• Defence – Evaluation of the various defences across the processes, defence tools, people and organizational skills; the defence assessment is along three themes – proactive defence, attack detection and aspects of response management

Wipro’s approach for quantification of cyber risk is based on the concept of Value-at-Risk (VaR), which measures the potential loss in value of a risky asset or portfolio over a defined period for a given confidence interval. This VaR sums up the risk in dollar terms, which helps to communicate the likely impact of cyber risk in a language that is familiar to the senior management and helps them make their risk management decisions.

A common aspect across themes includes reckoning the direct cost impacts (customer notification, regulatory penalties, legal expenses) along with the indirect costs (loss of customers, reputational impacts). The model also looks at various types of threat and their frequency, as well as layers of defence that need to be breached and potential costs.

Irrespective of the framework used, the outcome is only as good as the assumptions on which it is built – it is critical that such assumptions follow from business realities and take into account the sophistication, variety and dynamic nature of cyber attacks. It is also important to view the scores and quantification as directional guidance, rather than try to achieve more precision than is practical.

It is imperative to bring business-specific nuances into the approaches mentioned. Hence, participation from business experts is critical to build a view of the importance of various business assets and potential threats. This would enable delivery of results that are meaningful and acceptable to senior management.

As part of the World Economic Forum’s Partnership for Cyber Resilience initiative, Wipro is hosting a meeting on benchmarking and quantification of cyber risks for members of the PCR in London on 13 November.

Read more blogs on cyber risks.

Authors: Ken Hall heads the Cyber Security Consulting Practice at Wipro. Guha Ramasubramanian heads Corporate Business Development at Wipro.