Cybersecurity practitioners often conflate the terms vulnerability, threat, and risk. Sorting out the definitions of these terms and understanding all the components of risk improves the usefulness of cyber risk scenarios in the cyber risk quantification process.
In simple terms, cyber risk is composed of a condition and a consequence:
- A condition defines a situation or scenario that has the potential to cause organizational disruption.
- A consequence refers to the impact of the condition if realized.
These elements compose a risk narrative that an organization must consider in cyber risk quantification.
Seven key elements that together describe a cyber risk condition:
- Actor: A person or group who would perpetrate the actions that result in a cyber risk event. The actor could be known, such as a cybercrime syndicate or a nation-state, or unknown. The actor could also be an insider.
- Motive: The reason why the actor takes the action. Common motives include financial gain, political gain, ideological motivations, competitive gain, and societal disruption or activism.
- Means: The tactics, techniques, and procedures (TTPs) an actor uses to accomplish the attack. These can include phishing, malware, physical access, a DDoS routine, or a supply-chain compromise. Many of these TTPs are automated and require very little technology or technical knowledge to use.
- Opportunity: The availability of the TTP needed for an attack and favorable conditions that would optimize the attack’s success. For example, failing to patch a vulnerability for an extended time increases the opportunity for an attacker to exploit the vulnerability.
- Weakness or Vulnerability: The specific weakness in cybersecurity posture that creates the conditions necessary for an actor with the means, motive, and opportunity to attack successfully. Vulnerabilities are not only defined by unpatched software defects or “bugs” identified and communicated by vendors. An exposure can be any other weakness in an organization’s system of cybersecurity controls or defense-in-depth structure.
- Negative or Undesired Outcome: Often overlooked when defining a cyber risk condition, the undesired outcome of the actor's actions must be identified. The outcomes do not define the impact of the cyber risk; they describe the conditions that could negatively affect the organization. For example, adverse outcomes can include disclosure of data, interruption of a process, data destruction or modification, loss of key personnel, or physical damage to an asset. These unwanted outcomes will usually, but not always, cause a loss to the organization; either way, they are informative about the consequences of the risk when considering its impact on the organization.

By this definition, the cyber risk condition is also a robust articulation of a threat, which, as described above, includes a weakness or vulnerability as a critical component. All organizations have known shortcomings and vulnerabilities. Conversely, where no weakness or vulnerability is identifiable, a threat may not exist.
Assuming there is an articulated condition, the condition’s consequences are examinable. The consequence variable in the cyber risk equation is the most important for establishing the impact on an organization and for performing cyber risk quantification.
The consequence defines the real-world impact of an undesired or harmful outcome of a threat. Consequences represent the actual and quantifiable effects the organization might realize if the condition and its adverse outcome occurred. These effects are characterized by impact areas or classes, such as reputation, life, safety, and health; financial impacts; labor costs and productivity, etc. Use these impacts to understand the degree to which an undesired or harmful outcome has tangible effects to consider as part of risk analysis.
Using the Axio Cyber Risk Quantification Method, the conditions of cyber risk are articulated as cyber risk events and described in scenarios that represent potential cyber threats to the organization. The consequences of cyber risk are identified by considering and selecting the related Impact Classes and documenting impacts according to Axio's four impact categories: First-Party Financial impacts, First-Party Tangible impacts, Third-Party Financial impacts, and Third-Party Tangible impacts. (The Axio Impact Descriptions describe the impacts in each category.) Formulas and Estimated Values transform these impacts into usable risk quantification. Thus, by defining a cyber risk condition and its related consequences, a cyber risk can be expressed quantitatively, compared against potential control initiatives, and used to measure the effectiveness of risk mitigation actions.