Debunking the Myths About Cyber Risk Quantification

Many leading organizations have embraced cyber risk quantification to understand the financial impact of a cyber risk event. Still, mixed information and a need for more awareness around the concept have resulted in several myths. During a recent IT Risk Now webinar held by AuditBoard, I led an engaging panel discussion with three individuals who have been deeply involved in cyber risk quantification and addressed the most prevalent myths. This article will highlight the webinar’s key points, including discussions on complexity, ROI, and stakeholder perception. 

Myth 1: Cyber risk quantification is too complex.

Cyber risk quantification can be complex, but several tools and resources are available to make it more accessible to organizations of all sizes. Additionally, there are many cyber risk quantification methods so organizations can choose the most appropriate for their needs. Steve Hindle, Founder & Board Advisor at Achilles Shield, pointed out that “people are moving away from qualitative models and toward quantitative or hybrid models.” He also explained that cyber risk models, like the Factor Analysis of Information Risk (FAIR) model, have been around for quite a while, and the “model is built into many application stacks that will help organizations deliver risk quantification through their tools, infrastructure, and software.” 

FAIR defines cyber risk as the probable frequency and probable magnitude of future loss. The model considers three factors when calculating risk:

• Asset value: The value of the asset that is at risk.
• Threat: The likelihood and capability of an attacker to exploit a vulnerability.
• Vulnerability: A weakness in an asset that an attacker could exploit.

The FAIR model uses these factors to calculate a risk score for each cyber risk. The risk score is represented in dollars, which makes it easy to compare different risks and prioritize remediation efforts.

While the panelists agree that using a model like FAIR may be difficult for an individual practitioner, you are not alone. Candice Wold, Director of Security GRC at Salesforce, reminded the audience that “you can find somebody that can help you with cyber risk analysis so that you can hit the ground running and be more effective. You can get somebody to help you based on the maturity of your organization.”

Myth 2: Cyber risk quantification has no ROI. 

Cyber risk quantification can help organizations save money in the long run by preventing costly cyber attacks. Organizations can also use cyber risk quantification to make informed decisions about cybersecurity investments. Alexis C. Bell, Founder & CEO of Fraud Doctor, said that understanding cyber risk quantification “can help communicate risk to your board.” When you can speak about cyber risk in financial terms, “business decisions can be made in an educated fashion because those risks can then be compared to other operational and business risks.”

Investment in cybersecurity controls can be costly, and control processes have a varying degree of threat prevention. Presenting different scenarios to management and asking for a budget to implement the controls based on a purely subjective assessment will be hard to justify. Candice Wold commented, “It’s important to remember the goal of why you are quantifying risk and why you are risk modeling in the first place. You must be able to speak the quantitative language to determine which risks you are buying down by implementing certain cybersecurity measures.” 

Myth 3: Cyber risk quantification leads to a false sense of security.

The panel discussion included an interesting conversation on how cyber risk quantification could give the board a false sense of security. Candice Wold said, “Risk professionals do not deal in absolutes – there is no such thing as 100% security.” She said that through quantification, “you are giving them an educated basis on which to prioritize their funding. You are not eliminating all of these risks. You are reducing the top ones. Reducing your chances does not reduce anything to zero.” Ultimately, we are describing the anticipated residual risk based on the cybersecurity controls in place or considering additional investment.  

Alexis C. Bell added that we will work within the board’s risk appetite. “The Board has to decide what percentage of revenue they are willing to lose.” During the year, the organization can adjust the control environment based on performance against that measurement. Speaking to the illustration below, she stated that knowing their tolerance “helps you gauge if we are performing at the level that we thought we would relative to our risk appetite. If it goes above the trigger amount, you have a predefined management action.” 

Candice Wold added that while everything seems vital in cybersecurity, we need “to make sure that we’re calling out those highest, most critical risks in terms that the business understands. To do that, we have to use models and languages that they’re more familiar with.” The Board can better compare technical and other business risks by putting cyber risk into financial materiality terms. 

Benefits of Quantitative Cyber Risk

During the discussion, Candice Wold summed up the benefit of pursuing cyber risk quantification. She said, “The result is much more substantiated and defensible than working with the purely qualitative models.” 

Considering the increasing sophistication and frequency of cyber attacks and their potentially devastating impact on an organization, information security professionals must ensure senior leaders in their organization give these risks appropriate attention. Steve Hindle reminded us that the reality of today’s environment is that we live in a time where “a lack of focus on foundational preparedness means it’s not if we will get breached, it’s more likely to be when.” 

If we continue to present qualitative assessments only, we are missing the opportunity to provide our organizations with the complete cyber risk picture.