Cyber Risk Quantification
Cyber risk is a top concern for many organizations, but it is often not evaluated in a way the business can understand. Many organizations measure cyber risk using terminology like “high, medium, low,” or “red, yellow, green,” but these terms are directional at best, providing essentially no visibility into real financial exposure. Such qualitative approaches do not give CEOs and other decision makers the information they need to know how and where to invest to minimize their risk effectively. These antiquated methods also do not generate defensible outcomes.
Cyber leaders need an approach to cyber risk management that helps them decide what controls—financial, technical, physical, and administrative—to prioritize and invest in, as well as to determine when it makes financial sense to accept risk rather than mitigate it. To do this, organizations need to understand how cyber events could impact their bottom line. Risk quantification provides the capability to translate cyber risk into monetary values.
High-profile cyberattacks in recent years, such as the infamous Equifax data breach in 2017, when hackers stole the information of 147 million Americans, highlight what can happen when CEOs and cyber leaders aren’t in sync. Research firm Gartner analyzed the former Equifax CEO’s congressional testimony regarding the incident and found “a disconnect between executive understanding and levels of cybersecurity capabilities in the organization.”
To solve this problem, cybersecurity executives must present cyber risk to CEOs and other executives in business and financial terms. Risk quantification allows the business to understand and communicate exposure to cyber events and make informed decisions for risk mitigation. In addition, quantification can provide a cumulative and monetized view of all risks to which the organization is exposed.
Quantifying cyber risk provides security leaders the ability to convey the potential business impact of cyber incidents to the C-suite. By assigning a “price tag” to cyber risk, organizations can prioritize and substantiate security investments, focus their limited resources on what matters most, and align cyber strategies with desired business outcomes.
While the argument for cyber risk quantification is grounded in proven risk theory, challenges to the viability and usefulness of cyber risk quantification are common. These are some common objections to CRQ, along with Axio’s views on the issues:
Axio’s view: While there may be an initial learning curve to understanding the process of cyber risk quantification, the underlying math is not difficult and is composed of easy-to-understand formulas.
Axio’s view: The goal of cyber risk quantification is not perfection but rather to provide useful information to reduce the level of uncertainty. By collecting relevant data and applying common risk analysis methods, a range of potential outcomes can be examined, providing quicker and more reliable decision making than can be achieved through qualitative methods.
Axio’s view: While it is true that all risk quantification methods rely on the quality of data input, the challenges in obtaining useful cyber data are not a barrier to risk quantification. Although historical data on cyber events in an organization may not be available, there are many sources of data that are useful in cyber risk quantification. These include expert organizational knowledge, external data sources, and subject matter expert knowledge. And as new, updated, or historical data becomes available, data inputs can be refined to further reduce the level of uncertainty.
Axio’s view: Quantifying cyber risk in monetary terms is much easier to defend than arbitrary values like “low, medium, high” or “red, yellow, green.” The formulas used in cyber risk quantification are easy to understand, and as a result the underlying math can be clearly demonstrated. Because the data used in cyber risk quantification comes largely from the organization itself, risk calculations inherently reflect the organization’s viewpoint.
Axio’s Cyber Risk Quantification (CRQ) Method and the SaaS-based Axio360 Platform that powers it give companies the tools they need to determine how to guard against losses today and plan for how to protect their operations tomorrow.
The Axio CRQ Method starts with the identification of a company’s essential functions—the operational processes and organizational initiatives that are required to achieve the mission. Cyber events can disrupt the success of these functions by affecting the people, processes, and technologies that support and sustain them. Identifying what is most important to achieving the company’s mission and creating value for customers makes it possible to frame cyber risk in a business-centric approach that ensures the input and participation of team members from across the company. Further, instead of cybersecurity or IT personnel deciding which controls to put in place, leaders from every unit weigh in on what business operations and outcomes the company needs to prioritize. A shift from subjective risk ratings owned by the cybersecurity team to business-centric risk analysis with broad stakeholder involvement is key to a cyber risk quantification approach. With a common understanding of what is most important, stakeholders can identify plausible cyber incidents, or “cyber risk scenarios,” that could disrupt or destroy the assets—people, technology, data, and facilities—that support essential business operations. Because they “own” these critical operational processes, they are best equipped to identify cyber risks that could seriously impair their successful operation.
Once mission-critical functions are identified, stakeholders can begin to analyze the financial impact of these plausible cyber risk scenarios if realized. This is performed by building formulas that contain variables that the organization can easily estimate, such as the cost of labor, and computing the results. Users of the Axio360 Platform have several ways to quantify the impact of a risk scenario. The Platform includes a library of standard formulas that correspond to common types of organizational impacts. Users can also develop their own custom formulas or simply create a range of potential values—minimum, expected, and maximum—that could represent a financial impact. These inputs are then used to simulate a range of potential financial outcomes for a given cyber event. This approach ensures that stakeholders have complete transparency and visibility into the quantification calculation and, importantly, can “see” the potential impact on the bottom line. By knowing this, business leaders can take action to minimize cyber risk by reducing their susceptibility to the scenario or improving their ability to minimize financial losses—or both.
Axio’s unique Control Initiatives method helps stakeholders optimize their entire portfolio of controls—financial, technical, physical, and administrative. The Control Initiatives method allows companies to demonstrate how changing one or more controls would affect cyber risk exposure. Improvements in controls can be examined in terms of a reduction in financial exposure; conversely, the effect of removing controls can be expressed in the amount of additional financial loss that could be incurred. With this knowledge, organizations can make better investment decisions balanced with risk reduction and ensure that a return on investment can be realized through potential cost avoidance.
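As an added illustration of the minimum/expected/maximum estimates and the Control Initiatives idea described in the two paragraphs above (this is not Axio's code and not the Axio360 platform's own formulas), the following Python simulates the range of financial outcomes for one constructed scenario and shows how a control change translates into reduced annual exposure. The scenario figures, the hourly lost income and the annual likelihood are hypothetical assumptions.

```python
"""Monte Carlo view of one cyber risk scenario's financial impact.

Added illustration, not Axio's code nor the Axio360 platform's own formulas.
Each cost driver is a (minimum, expected, maximum) estimate from the people who
own the affected function; a triangular distribution turns those three numbers
into a simulated range of outcomes, and a Control Initiative is modelled as a
change to the same inputs.
"""
import random
import statistics

# Constructed sample scenario: a ransomware outage of an order-processing
# system. All figures are hypothetical (dollars, or hours for the outage).
SCENARIO = {
    "forensics_fees": (40_000, 90_000, 250_000),
    "legal_advice": (20_000, 60_000, 200_000),
    "outage_hours": (8, 36, 120),
}
HOURLY_LOST_INCOME = 5_000   # assumed income lost per hour of outage
ANNUAL_LIKELIHOOD = 0.20     # assumed chance the scenario occurs in a year

def scenario_cost(sample):
    """Impact formula built only from variables the business can estimate."""
    return (sample["forensics_fees"] + sample["legal_advice"]
            + sample["outage_hours"] * HOURLY_LOST_INCOME)

def simulate(scenario, likelihood, trials=20_000, seed=1):
    """Return sorted single-event losses and the expected annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        sample = {k: rng.triangular(lo, hi, mode)
                  for k, (lo, mode, hi) in scenario.items()}
        losses.append(scenario_cost(sample))
    losses.sort()
    return losses, likelihood * statistics.fmean(losses)

def percentile(sorted_losses, p):
    """Nearest-rank percentile (p in [0, 1]) of a sorted loss list."""
    return sorted_losses[min(len(sorted_losses) - 1, int(p * len(sorted_losses)))]

def apply_control(scenario, likelihood, outage_cap_hours, likelihood_factor):
    """Control Initiative as changed inputs: e.g. tested backups cap the
    outage and better email filtering scales down the annual likelihood."""
    improved = dict(scenario)
    improved["outage_hours"] = tuple(min(h, outage_cap_hours)
                                     for h in scenario["outage_hours"])
    return improved, likelihood * likelihood_factor
```

Comparing the expected annual loss before and after `apply_control` gives the annual cost avoidance that a control investment can be weighed against; the 90th-percentile loss shows the tail that a "low/medium/high" rating hides.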
Axio’s methodology and process are grounded in its belief that cyber risk quantification must be transparent, efficient, and actionable—so cybersecurity leaders can quickly and easily translate their cyber risk into clear business terms.
Axio’s methodology is built on transparency. Clients own—and have access to—every input. Axio360 lets users show their work, giving them the ability to control and understand each calculation, assumption, and justification.
Axio’s method and platform enable businesses to assess and start improving their cyber risk program in a matter of hours (without an army of staff or consultants). And Axio and its partners have deep and wide-ranging experience. Their knowledge, combined with their ability to draw insights from the Axio community of users, positions them to help companies figure out where to start their cyber risk quantification process. With Axio360, businesses are in control of their cyber risk management process. The platform is easy to use and highly configurable. It is painless for companies to update their information when situations change. The platform can even be connected to certain company-internal sources of data for dynamic updating of key information.
Axio takes a holistic view of cybersecurity by combining Cyber Program Planning and Management, Cyber Risk Quantification, and Insurance Stress Testing modules in one platform. Quick view and summary results are provided in Axio360’s dynamic dashboards and generated reports. This comprehensive approach gives business leaders the ability to quickly prioritize what matters most—and act. Companies can create and manage a work plan in Axio360 to improve their cyber return on investment and cost reduction.
Axio has re-engineered cyber risk quantification as a business-centric, efficient, and transparent process. The need for perfect, historical data has been eliminated, ensuring that useful outcomes can be achieved with organizational knowledge and easily obtained information. As a result, cyber investment decisions can be supported with quantifiable formulas that are easily configurable as conditions change.
The Axio Cyber Risk Quantification Method is put into action through the Axio Cyber Risk Quantification Workshop, using the Axio360 Cyber Risk Quantification module. In a one-day workshop or a series of virtual meetings, participants brainstorm cyber risk scenarios, stating them in brief descriptions. They then decide which of them are of most relevance and potential impact for their organization. Participants describe those scenarios in more detail and then estimate the potential costs of impacts such as forensics expenses, legal advice costs, and lost income from outages. Participants can also define different sets of Control Initiatives to see their effects on the scenarios.
After the workshop is complete, each scenario and its financial impact is available in the Axio360 platform. Scenarios can be updated as procedures or controls are implemented that would contribute to preventing, detecting, or reducing the impact of the event.