What is Cyber Risk

Cybersecurity practitioners often combine the terms vulnerability, threat, and risk. Sorting out the definitions for these, as well as understanding all the components of risk, significantly improves the usefulness of cyber risk scenarios to be used in the cyber risk quantification process.
In simple terms, a cyber risk is composed of a condition and a consequence:
  • A condition defines a situation or scenario that has the potential to cause organizational disruption.
  • A consequence refers to the impact that the condition would result in if realized.
When combined, these elements compose a risk narrative that an organization must consider in cyber risk quantification.

Cyber Risk Conditions

From a cyber perspective, there are seven key elements that together describe a cyber risk condition:
  • Actor – A person or group who would perpetrate the actions that result in a cyber risk event. The actor could be known, such as a cybercrime syndicate or a nation-state, or unknown. The actor could also be an insider.
  • Motive – The reason why the actor takes the action. Common motives include financial gain, political gain, ideological motivations, competitive gain, and societal disruption or activism.
  • Means – The tactics, techniques, and procedures (TTP) used by an actor to accomplish the attack. These can include using phishing techniques, malware, physical access, a DDoS routine, or a supply-chain compromise. These TTP are often automated and require very little technology or cyber knowledge.
  • Opportunity – The availability of the TTP needed for an attack, as well as favorable conditions that would optimize the success of the attack. For example, failing to patch a vulnerability for a long period of time increases the window of opportunity for an attacker to exploit the vulnerability.
  • Weakness or Vulnerability – The specific weakness in cybersecurity posture that creates the conditions necessary for an actor with the means, motive, and opportunity to successfully attack. Vulnerabilities are not only defined by unpatched software defects or “bugs” that are identified and communicated by vendors. A vulnerability can be any other weakness in an organization’s system of cybersecurity controls or defense-in-depth structure.
  • Negative or Undesired Outcome – Often overlooked as a part of defining a cyber risk condition, the undesired outcome resulting from the actions taken by an actor must be identified. Keep in mind that the outcomes do not define the impact of a cyber risk, but instead the conditions that could impact the organization in a negative way. For example, negative outcomes can include disclosure of data, interruption of a process, data destruction or modification, loss of key personnel, or physical damage to an asset. It is likely that these unwanted outcomes could impact the organization from a loss perspective, but not always. But they are informative to the consequences of risk where impact to the organization is considered. By this definition, the cyber risk condition is also a robust articulation of a threat, which, as described above, includes a weakness or vulnerability as a key component. All organizations have known weaknesses and vulnerabilities, but where the other elements of a threat—actor, means, motive, and opportunity—are not present, it is likely that a threat has not been created. Additionally, where no weakness or vulnerability can be identified, a threat may not exist.

Cyber Risk Consequences

Assuming there is an articulated condition, the consequences of the condition can be examined. The consequence variable in the cyber risk equation is the most important for establishing how the organization is impacted, and for performing cyber risk quantification.
The consequence defines the real-world impact of an undesired or negative outcome of a threat. That is, consequences represent the actual and quantifiable effects that might be realized by the organization if the condition and its negative outcome occurred. These effects are typically characterized in terms of impact areas or classes, such as reputation; life, safety, and health; financial impacts; labor costs and productivity, etc. These impacts can be used to understand the degree to which an undesired or negative outcome has tangible effects that must be considered as part of risk analysis.

Conditions and Consequences in the Axio Cyber Risk Quantification Method

Using the Axio Cyber Risk Quantification Method, the conditions of cyber risk are articulated as cyber risk events and described in scenarios that represent potential cyber threats to the organization. The consequences of cyber risk are identified by considering and selecting related Impact Classes and documenting impacts according to Axio’s four impact categories: First-Party Financial impacts, First-Party Tangible impacts, Third-Party Financial impacts, and Third-Party Tangible impacts. (The impacts in each impact category are described in the Axio Impact Descriptions appendix.) Formulas and Estimated Values are used to transform impacts into usable risk quantification. Thus, through the definition of a cyber risk condition and its related consequences, a cyber risk can be expressed in quantitative terms against which potential Control Initiatives or risk mitigation actions can be measured for effectiveness.