Revealing the hidden cost of cyber-attacks: Power of cyber risk quantification in business

While delivering our cyber projects, we consistently realise that boards, executive management, and technology leaders often struggle to be on the same page.

This is primarily because business executives and security professionals seldom speak the same language, and the main reason for this discrepancy is the absence of business context. This is especially true in the estimation of risks and financial impact associated with cyber-attacks.

Most traditional approaches to identifying the impact of a cyber incident focus on the direct costs associated with the theft or loss of information, such as business disruption, regulatory penalties and contractual non-compliance, which account for less than 15-20% of the total cost of a cyber incident.

While this is helpful in certain situations, it does not account for the many beneath-the-surface, far-reaching intangible cost parameters that are harder to quantify and often hidden from public view: intellectual property loss, higher insurance premiums, a higher cost of raising debt, reputation loss that sends the stock price plummeting and wipes out investors’ money, loss of human life, a lower brand valuation in M&A deals, national security issues, or the loss of customer relationships.

Today, the leadership of most organisations understands that a cyber incident may begin as a technology issue but typically extends well beyond the technology domain. These events can strike at the very heart of business value and performance, and their hidden costs may have a direct impact on the survival of the business itself.

‘FAIR’ risk analysis

To understand cyber risks and their impact, organisations have traditionally valued risk on the basis of the probability of an occurrence and a qualitative impact rating, which is subjective and ambiguous. This hinders the appropriate prioritisation of risks, leading to inappropriate cybersecurity budget allocation, investment and mitigation strategies.

Cyber Risk Quantification (CRQ), by definition, is a method of expressing an organisation’s risk exposure in business-relevant terms. CRQ is revolutionising the cyber risk management function as organisations begin to assess risks quantitatively rather than qualitatively. It is more proactive, identifying and addressing emerging risks well before they become a substantial threat, and it lets organisations model a risk and measure the impact should that risk materialise.

One of the most widely used methods for cyber risk quantification is Factor Analysis of Information Risk (FAIR), in which risk is assessed from two quantifiable values: loss event frequency and loss event magnitude. Because the calculation involves numerous variables, organisations typically rely on technology platforms that are easily integrated, scalable and user-friendly to compute quantified values for their risks.
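To show what the FAIR calculation described above actually produces, here is an added Monte Carlo example (not from the article, nor from any FAIR tooling): loss event frequency and the primary and secondary components of loss magnitude are each given as a (minimum, most likely, maximum) estimate, sampled with a PERT distribution, and many simulated years are combined into annual-loss percentiles. The scenario figures are constructed for illustration only.

```python
import math
import random
# Constructed FAIR scenario (illustrative figures, not a real assessment); each range is (min, most likely, max).
SCENARIO = {
    "loss_event_frequency": (0.1, 0.5, 2.0),          # loss events per year
    "primary_loss": (50_000, 200_000, 1_000_000),     # response, replacement, downtime
    "secondary_loss_probability": 0.3,                # share of events that also incur secondary loss
    "secondary_loss": (100_000, 500_000, 3_000_000),  # fines, litigation, churn, reputation
}

def pert_mean(low, mode, high):
    return (low + 4 * mode + high) / 6  # mean of a PERT estimate

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution: a beta scaled onto [low, high], peaked at mode (needs high > low)."""
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def poisson_sample(rng, lam):
    """Number of loss events in one simulated year at expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def expected_annual_loss(sc):
    """Closed-form mean: E[LEF] * (E[primary loss] + P(secondary) * E[secondary loss])."""
    per_event = pert_mean(*sc["primary_loss"]) + sc["secondary_loss_probability"] * pert_mean(*sc["secondary_loss"])
    return pert_mean(*sc["loss_event_frequency"]) * per_event

def simulate_annual_loss(sc, trials=10_000, seed=7):
    """Monte Carlo: for each simulated year draw a frequency, then a magnitude for every event."""
    rng, yearly = random.Random(seed), []
    for _ in range(trials):
        rate = pert_sample(rng, *sc["loss_event_frequency"])
        total = 0.0
        for _ in range(poisson_sample(rng, rate)):
            total += pert_sample(rng, *sc["primary_loss"])
            if rng.random() < sc["secondary_loss_probability"]:
                total += pert_sample(rng, *sc["secondary_loss"])
        yearly.append(total)
    return yearly

def percentile(yearly, q):
    """q-th quantile of simulated annual loss: 0.5 a typical year, 0.9 a bad one, 0.99 a very bad one."""
    ranked = sorted(yearly)
    return ranked[min(len(ranked) - 1, int(q * len(ranked)))]
```

The p90 and p99 figures, rather than the mean alone, are what turn the estimate into a budget or insurance conversation; the closed-form mean is a sanity check on the simulation.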

The reason cyber risk quantification models haven’t lived up to expectations is the lack of accurate and complete historical information about the current security posture, vulnerabilities, trustworthy threat intelligence feeds, an accurate asset inventory, and incident response and recovery costs. The output of these models is only as good as the inputs provided.

A proactive view of risk landscape

The success of any cyber risk quantification model is determined by the skill set of the team preparing the input and the technology partner capable of customising their solution to meet the organisation’s needs. If done appropriately, CRQ can be instrumental in various areas, including calculating the return on cyber investments, conducting cost-benefit analysis, optimising cyber insurance coverage and premiums, providing inputs for valuation in M&A deals, addressing upcoming regulatory requirements, evaluating the real impact of third parties, presenting cyber risk in business terms, and enabling quick decision-making.

Currently, cyber risk quantification is at a very nascent stage in India and organisations tend to test the waters through a proof-of-concept route on a particular risk assessment use case, mostly in combination with other qualitative methods. With the evolving cyber risk landscape, cyber risk quantification will gain more prominence, enhancing organisations’ current risk management capabilities, giving them a 360-degree proactive view of their risk landscape, and enabling informed decision-making.

(This article is authored by Vikas Garg, Partner, Deloitte India and David George, Director, Deloitte India)

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
