“Cyber risk” is a trigger phrase for individuals and corporations alike, from a mental check-up on personal password quality to anxiety over a security breach that leads to unwelcome headlines and customer complaints.
For companies, cyber risks can take the form of a data breach accompanied by a ransom demand or a state-linked malware attack aimed at causing mass disruption.
While many businesses are taking stock of such cyber risks, the common control-maturity approach is unlikely to capture the full profile of the risks faced, in particular the potential financial cost to the company.
A maturity assessment looks at how formal and structured the controls are, often using the National Institute of Standards and Technology’s Cybersecurity Framework as the reference: it identifies which controls exist and scores their maturity. However, these scores (on a scale of 1 to 4) are not readily understood by non-cyber professionals, such as board members.
A maturity score also says nothing about how severe or how likely a threat is, so it cannot be used to place a monetary value on a cyber risk. That makes it a poor basis for strategic judgement or for decisions about cyber risk investment.
Risk = Impact x Likelihood
Taking a risk-based, rather than control-based, approach starts with identifying and assessing inherent risk, before assessing the controls in place.
These steps lead to a level of residual risk (inherent risk − controls = residual risk). The combination should be a defined, repeatable step, ideally automated, so that the result does not depend on whoever performs the assessment.
This has major organizational benefits: capturing the true profile of a cyber risk and a sense of what control measures are in play. It can be used – with a company’s risk appetite – to identify actions: avoid, transfer, mitigate or accept risk.
Quantified risk
At the inherent risk assessment stage, likelihood and impact can each be given a quantifiable metric. Likelihood is best expressed as an event frequency: an unlikely risk could be a “once in eight years” scenario, while at the other end of the scale an almost certain risk is a cyber event that takes place at least once per year.
As for impact, a similar range can be used and given monetary value aligned with an organization’s revenue and profit: major could be a $10m scale cyber risk, while low might be less than $500k, with moderate and high in between.
The impact can also be more accurately assessed by breaking it out across the following pillars and allocating an impact level to each one from major to low:
Impact pillars
- Financial
- Operational
- Regulatory
- Legal
- Brand and reputational
With this measurement, the cyber risk becomes more relatable at board level and makes it easier to assess what action to take.
How to rank impact
To land on an accurate judgement of inherent risk, these five pillars isolate what would happen if a major cyber attack or incident occurs. Take the brand and reputational pillar – a major impact here could be defined as severely damaging an organization’s image, with multiple internal and external accusations, severe customer loss, a significant negative impact on market value and unwanted international media attention.
A low cyber risk impact may look more like possible complaints from affected individuals and groups, but no market value impact at all and no media attention.
By completing the same type of assessment across all five pillars, an average impact level can be determined. The inherent risk is then read off a risk matrix that plots impact against likelihood, with each cell rated from low to major. For example, a cyber risk assessed as moderate impact but likely to occur sits in a high-risk cell, so it is inherently high risk.
Matching inherent risk with controls
The approach combines this risk assessment with a control assessment, rather than relying on control maturity alone. The control assessment should follow a defined model that rates both control design and operating effectiveness. These two measures are combined into one of three ratings:
- Effective
- Partially effective
- Ineffective
The model then combines the inherent risk score with the control rating, leaving the residual risk. For example, an effective control reduces the likelihood of the risk materialising, and therefore the overall risk to the organization. Using the approach set out here, the result can be presented in monetary terms.
A cyber risk rated as moderate on a residual basis might, for instance, carry the potential for $500k to $2m in losses over the next 5 to 7 years. That is an assessment that can be used, in line with the organization’s risk appetite, to plan and act.
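The steps above (average the five pillar impacts, read inherent risk off the impact × likelihood matrix, let the control rating reduce likelihood, then map residual risk to a loss band) can be written down as a small model so the calculation is repeatable rather than a judgement call. The following Python is an added worked example, not code from the original article or its authors. The article fixes only a few values (low impact below $500k, major at the $10m scale, a moderate residual risk at $500k to $2m, “once in eight years” and “at least once a year” frequencies, and the single matrix cell moderate impact × likely = high); every other matrix cell, the middle frequencies, the high loss band, the control step sizes and the annualised expected-loss figure are assumptions of this example, marked as such in the code.

```python
"""Worked cyber risk quantification model (added example; see lead-in for assumptions)."""
from dataclasses import dataclass
from statistics import mean

# Ordered four-point scales as the article describes them.
IMPACT_SCALE = ("low", "moderate", "high", "major")
LIKELIHOOD_SCALE = ("unlikely", "possible", "likely", "almost certain")
PILLARS = ("financial", "operational", "regulatory", "legal", "brand and reputational")

# Annual event frequency per likelihood level. "Once in eight years" (unlikely) and
# "at least once per year" (almost certain) follow the article; the two middle values
# are assumptions of this example.
ANNUAL_FREQUENCY = {"unlikely": 1 / 8, "possible": 1 / 4, "likely": 1 / 2, "almost certain": 1.0}

# Risk matrix: RISK_MATRIX[likelihood_index][impact_index] -> risk rating.
# Only one cell (moderate impact x likely = high) is given by the article; the rest is assumed.
RISK_MATRIX = (
    ("low", "low", "moderate", "high"),        # unlikely
    ("low", "moderate", "high", "high"),       # possible
    ("moderate", "high", "high", "major"),     # likely
    ("moderate", "high", "major", "major"),    # almost certain
)

# Loss band in USD per risk rating. Low (< $500k), moderate ($500k-$2m) and major
# ($10m scale) follow the article; the high band is an assumption filling the gap.
# Major is open-ended, so its lower bound is used for both ends of the band.
LOSS_BANDS_USD = {
    "low": (0, 500_000),
    "moderate": (500_000, 2_000_000),
    "high": (2_000_000, 10_000_000),
    "major": (10_000_000, 10_000_000),
}

# Control effectiveness lowers the likelihood level by this many steps (assumed step sizes).
LIKELIHOOD_STEP_DOWN = {"effective": 2, "partially effective": 1, "ineffective": 0}


def average_impact(pillar_impacts: dict[str, str]) -> str:
    """Average the five pillar ratings (scored 1..4) and round half up to a level."""
    missing = set(PILLARS) - set(pillar_impacts)
    if missing:
        raise ValueError(f"missing pillar ratings: {sorted(missing)}")
    score = mean(IMPACT_SCALE.index(pillar_impacts[p]) + 1 for p in PILLARS)
    return IMPACT_SCALE[int(score + 0.5) - 1]


def rate(impact: str, likelihood: str) -> str:
    """Look up impact x likelihood on the risk matrix."""
    return RISK_MATRIX[LIKELIHOOD_SCALE.index(likelihood)][IMPACT_SCALE.index(impact)]


def apply_controls(likelihood: str, control_rating: str) -> str:
    """Reduce the likelihood level by the control's effectiveness, never below 'unlikely'."""
    idx = LIKELIHOOD_SCALE.index(likelihood) - LIKELIHOOD_STEP_DOWN[control_rating]
    return LIKELIHOOD_SCALE[max(idx, 0)]


@dataclass(frozen=True)
class Assessment:
    impact: str
    inherent_likelihood: str
    inherent_risk: str
    residual_likelihood: str
    residual_risk: str
    loss_band_usd: tuple[int, int]
    annualised_expected_loss_usd: float  # frequency x band midpoint; an added metric, not from the article


def assess(pillar_impacts: dict[str, str], likelihood: str, control_rating: str) -> Assessment:
    """Run the full chain: pillars -> impact -> inherent risk -> controls -> residual risk -> money."""
    impact = average_impact(pillar_impacts)
    inherent_risk = rate(impact, likelihood)
    residual_likelihood = apply_controls(likelihood, control_rating)
    residual_risk = rate(impact, residual_likelihood)
    low, high = LOSS_BANDS_USD[residual_risk]
    expected_loss = ANNUAL_FREQUENCY[residual_likelihood] * (low + high) / 2
    return Assessment(impact, likelihood, inherent_risk, residual_likelihood,
                      residual_risk, (low, high), expected_loss)


if __name__ == "__main__":
    # Constructed sample scenario, e.g. ransomware on a customer-facing platform.
    scenario = {"financial": "high", "operational": "moderate", "regulatory": "moderate",
                "legal": "low", "brand and reputational": "high"}
    result = assess(scenario, likelihood="likely", control_rating="partially effective")
    print(result)
```

With the constructed scenario the five pillars average out to a moderate impact; combined with a “likely” frequency the matrix returns inherent high, the partially effective control drops likelihood one step to “possible”, and residual risk lands at moderate, which is the $500k to $2m band quoted above. Rating the same controls “effective” instead drops the residual to low, which is exactly the kind of before/after figure a board can act on.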
Competitive advantage
This level of insight leads to better resource allocation, directing spend to where the biggest cyber risks are on a quantified, monetary basis rather than on a discretionary hunch.
Cyber risk assessment in monetary terms could also enable a capital allocation to cyber risk on a knowledge-led basis and, in an acquisition process, lead to better-informed investment decisions.
Even where more detail is required, such as where multiple risk scenarios are defined, this approach can be used. A robust overall residual cyber risk level can be communicated at a leadership level and to broader stakeholder groups – where the detailed scenarios are of less interest – by taking the principle of an average risk across five pillars and creating an aggregated risk level (from multiple scenarios).
Senior stakeholder engagement will rise once hard numbers replace the often-intangible language of cyber risk. The result is a sharper focus and a stronger competitive stance in an increasingly complex and volatile risk arena.