Why Quantify Risk
Cyber risk is a top concern for many organizations, but it is often not evaluated in a way the business can understand. Many organizations measure cyber risk using terminology like “high, medium, low,” or “red, yellow, green,” but these terms are directional at best, providing essentially no visibility into real financial exposure. Such qualitative approaches do not give CEOs and other decision-makers the information they need to know how and where to invest to minimize their risk effectively. These antiquated methods also do not generate defensible outcomes.
Cyber leaders need an approach to cyber risk management that helps them decide what controls—financial, technical, physical, and administrative—to prioritize, invest in, and determine when it makes economic sense to accept risk rather than mitigate it. Organizations must understand how cyber events could impact their bottom line. Risk quantification provides the capability to translate cyber risk into monetary values.
High-profile cyberattacks in recent years, such as the infamous Equifax data breach in 2017, when hackers stole the information of 147 million Americans, highlight what can happen when CEOs and cyber leaders aren’t in sync. Research firm Gartner analyzed the former Equifax CEO’s congressional testimony regarding the incident and found “a disconnect between executive understanding and levels of cybersecurity capabilities in the organization.”
To solve this problem, cybersecurity executives must present cyber risks to CEOs and other executives in business and financial terms. Risk quantification allows the company to understand and communicate exposure to cyber events and make informed decisions for risk mitigation. In addition, quantification can provide a cumulative and monetized view of all risks to which the organization is exposed.
Quantifying cyber risk allows security leaders to convey the potential business impact of cyber incidents to the C-suite. Organizations can prioritize and substantiate security investments by assigning a “price tag” to cyber risk, focusing their limited resources on what matters most, and aligning cyber strategies with desired business outcomes.
Common Objections to Cyber Risk Quantification
While the argument for cyber risk quantification is grounded in proven risk theory, challenges to the viability and usefulness of cyber risk quantification are common. These are some common objections to CRQ, along with Axio’s views on the issues:
Cyber Risk Quantification is difficult to measure
Axio’s view: While there may be an initial learning curve to understanding the process of cyber risk quantification, the underlying math is not complex and is composed of easy-to-understand formulas.
The results of Cyber Risk Quantification may not be accurate or not “correct”
Axio’s view: The goal of cyber risk quantification is not perfection but providing helpful information to reduce uncertainty. By collecting relevant data and applying standard risk analysis methods, a range of potential outcomes is examined, providing quicker and more reliable decision-making than can be achieved through qualitative methods.
We do not have the data to quantify cyber risk
Axio’s view: While it is true that all risk quantification methods rely on the quality of data input, the challenges in obtaining valuable cyber data are not a barrier to risk quantification. Although historical data on cyber events in an organization may not be available, many data sources are helpful in cyber risk quantification. These include expert organizational knowledge, external data sources, and subject matter expert knowledge. Users refine data inputs to reduce uncertainty as new, updated, or historical data becomes available.
Quantified risk results are hard to defend
Axio’s view: Quantifying cyber risk in monetary terms is much easier to defend than arbitrary values like “low, medium, high” or “red, yellow, green.” The formulas used in cyber risk quantification are easy to understand, so the underlying math is clearly demonstrated. Risk calculations inherently reflect the organization’s viewpoint because the data used in cyber risk quantification comes mainly from the organization.
The Axio Cyber Risk Quantification Method
Axio’s Cyber Risk Quantification (CRQ) Method and the SaaS-based Axio360 Platform that powers it give companies the tools they need to determine how to guard against losses today and plan for how to protect their operations tomorrow.
Identify Mission-Central Parts of the Business That Could Be Impacted by a Cyber Event
The Axio CRQ Method starts with identifying a company’s essential functions—the operational processes and organizational initiatives required to achieve the mission. Cyber events can disrupt the success of these functions by affecting the people, processes, and technologies that support and sustain them.
Identifying what is most important to achieving the company’s mission and creating value for customers makes it possible to frame cyber risk in a business-centric approach that ensures the input and participation of team members from across the company. Further, instead of cybersecurity or IT personnel deciding which controls to implement, leaders from every unit weigh in on what business operations and outcomes the company needs to prioritize. A shift from subjective risk ratings owned by the cybersecurity team to business-centric risk analysis with broad stakeholder involvement is critical to a cyber risk quantification approach.
With a shared understanding of what is most important, stakeholders can identify plausible cyber incidents, or “cyber risk scenarios,” that could disrupt or destroy the assets—people, technology, data, and facilities—that support essential business operations. Because they “own” these critical operational processes, they best identify cyber risks that could seriously impair successful operations.
Analyze the Financial Impact of Plausible Cyber Events
With mission-critical functions identified, stakeholders can begin to analyze the financial impact of these plausible cyber risk scenarios if realized. Build formulas that contain variables that the organization can easily estimate, such as labor costs, and compute the results.
Users of the Axio360 have several ways to quantify the impact of a risk scenario. Axio360 includes a library of standard formulas corresponding to common types of organizational impacts. Users can also develop custom formulas or create a range of potential values (minimum, expected, or maximum) that could represent a financial impact. These inputs simulate a range of possible financial outcomes for a given cyber event. This approach ensures that stakeholders have complete transparency and visibility into the quantification calculation and can “see” the potential impact on the bottom line. By knowing this, business leaders can take action to minimize cyber risk by reducing their susceptibility to the scenario or improving their ability to minimize financial losses—or both.
Optimize the Entire Portfolio of Controls
Axio360’s unique Control Initiatives method helps stakeholders optimize their entire portfolio of controls, such as financial, technical, physical, and administrative. The Control Initiatives method allows companies to demonstrate how changing one or more controls would affect cyber risk exposure. Companies can examine improvements in controls in terms of a reduction in financial exposure; conversely, the effect of removing controls expresses the amount of additional financial loss the company could incur. With this knowledge, organizations can make better investment decisions balanced with risk reduction and ensure the return on investment is realizable through potential cost avoidance.
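The two passages above describe the mechanics in prose: estimate each impact type as a minimum / expected / maximum range, combine the ranges into a distribution of financial outcomes for a scenario, then express a Control Initiative as its effect on that exposure. The following is an added illustration of that arithmetic and is not Axio's code, not the Axio360 formula library, and not Axio's definition of a Control Initiative. It assumes each range is a triangular distribution, models a control as a fractional reduction of particular cost components, and uses a constructed ransomware-outage scenario with made-up dollar figures.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CostRange:
    """Minimum / most-likely / maximum estimate (in dollars) for one impact type.
    Assumed here to be a triangular distribution; Axio's actual formulas may differ."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Analytic mean of a triangular distribution: (a + b + c) / 3
        return (self.low + self.mode + self.high) / 3.0

    def scaled(self, factor: float) -> "CostRange":
        # Scaling every corner keeps the distribution triangular
        return CostRange(self.low * factor, self.mode * factor, self.high * factor)

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    impacts: dict  # impact type -> CostRange


@dataclass(frozen=True)
class ControlInitiative:
    name: str
    reductions: dict  # impact type -> fraction of that cost the control is assumed to remove


# Constructed example scenario; the numbers are illustrative, not real loss data
RANSOMWARE_OUTAGE = Scenario(
    "Ransomware encrypts the order-processing environment (constructed)",
    {
        "forensics":   CostRange(50_000, 120_000, 300_000),
        "legal":       CostRange(20_000, 60_000, 200_000),
        "lost_income": CostRange(100_000, 400_000, 1_500_000),
    },
)

# Hypothetical control: tested offline backups shorten the outage, cutting lost income by 60%
TESTED_BACKUPS = ControlInitiative("Tested offline backups (hypothetical)", {"lost_income": 0.60})


def expected_loss(scenario: Scenario) -> float:
    """Sum of the analytic means of every impact type: the scenario's expected financial impact."""
    return sum(r.mean() for r in scenario.impacts.values())


def apply_controls(scenario: Scenario, initiatives: list) -> Scenario:
    """Return a new scenario whose affected cost ranges are reduced by each initiative's fraction."""
    impacts = dict(scenario.impacts)
    for ci in initiatives:
        for impact_type, fraction in ci.reductions.items():
            impacts[impact_type] = impacts[impact_type].scaled(1.0 - fraction)
    return Scenario(scenario.name, impacts)


def cost_avoidance(scenario: Scenario, initiatives: list) -> float:
    """Expected loss removed by the initiatives: the 'price tag' the text talks about."""
    return expected_loss(scenario) - expected_loss(apply_controls(scenario, initiatives))


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: draw every impact type independently and return the sorted total losses."""
    rng = random.Random(seed)
    totals = [sum(r.sample(rng) for r in scenario.impacts.values()) for _ in range(trials)]
    return sorted(totals)


def percentile(sorted_samples: list, p: float) -> float:
    """Nearest-rank percentile (p in 0..1) of an already sorted sample list."""
    idx = min(len(sorted_samples) - 1, max(0, int(round(p * len(sorted_samples))) - 1))
    return sorted_samples[idx]


if __name__ == "__main__":
    before = simulate(RANSOMWARE_OUTAGE)
    after = simulate(apply_controls(RANSOMWARE_OUTAGE, [TESTED_BACKUPS]))
    print(f"{RANSOMWARE_OUTAGE.name}")
    print(f"  expected loss:          ${expected_loss(RANSOMWARE_OUTAGE):,.0f}")
    print(f"  95th percentile loss:   ${percentile(before, 0.95):,.0f}")
    print(f"With {TESTED_BACKUPS.name}:")
    print(f"  expected loss:          ${expected_loss(apply_controls(RANSOMWARE_OUTAGE, [TESTED_BACKUPS])):,.0f}")
    print(f"  95th percentile loss:   ${percentile(after, 0.95):,.0f}")
    print(f"  expected cost avoidance: ${cost_avoidance(RANSOMWARE_OUTAGE, [TESTED_BACKUPS]):,.0f}")
```

Two design points carry over to any real CRQ exercise. First, the expected value alone hides the tail: the 95th-percentile loss is what a board usually needs to hear, which is why the simulation keeps the whole sorted distribution rather than a single number. Second, a control is expressed as a change to the inputs of the same formula, so removing or weakening a control (a reduction fraction of zero or a negative one) produces the additional exposure the text describes, using exactly the same arithmetic the stakeholders already reviewed.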
Axio Makes Cyber Risk Quantification Accessible
Axio’s methodology and process are grounded in its belief that cyber risk quantification must be transparent, efficient, and actionable. Cybersecurity leaders can quickly and easily translate their cyber risk into clear business terms.
Transparent
Axio’s methodology builds on transparency. Clients own and have access to every input. Axio360 lets users show their work, allowing them to control and understand each calculation, assumption, and justification.
Efficient
Axio’s method and platform enable businesses to assess and improve their cyber risk program in hours (without an army of staff or consultants). Axio and its partners have profound and wide-ranging experience. Their knowledge, combined with their ability to draw insights from the Axio community of users, positions them to help companies figure out where to start their cyber risk quantification process. With Axio360, businesses are in control of their cyber risk management process. The platform is easy to use and highly configurable. It is painless for companies to update their information when situations change. Axio360 integrates with company-internal data sources to dynamically update key information.
Actionable
Axio takes a holistic view of cybersecurity by combining Cyber Program Planning and Management, Cyber Risk Quantification, and Insurance Stress Testing modules in one platform. Axio360’s dynamic dashboards and generated reports provide quick view and summary results. This comprehensive approach allows business leaders to prioritize what matters most and act. Companies can create and manage a work plan in Axio360 to improve their cyber return on investment and cost reduction.
Bottom Line
Axio has re-engineered cyber risk quantification as a business-centric, efficient, and transparent process, eliminating the need for perfect historical data and achieving sound outcomes with organizational knowledge and easily obtained information. As a result, cyber investment decisions are supported with quantifiable formulas that are easily reconfigured as conditions change.
How It’s Done
The Axio Cyber Risk Quantification Method is implemented through the Axio Cyber Risk Quantification Workshop, using the Axio360 Cyber Risk Quantification module. Participants brainstorm cyber risk scenarios in a one-day workshop or a series of virtual meetings, stating them in brief descriptions. They then decide which are most relevant and their potential impact on their organization. Participants describe those scenarios in more detail and then estimate the potential costs of impacts such as forensics expenses, legal advice costs, and lost income from outages. Participants can also define different sets of Control Initiatives to see their effects on the scenarios.
After the workshop, each scenario and its financial impact are available on the Axio360 platform. Scenarios should be updated whenever the organization implements procedures or controls that prevent, detect, or reduce the impact of an event, so that the quantified exposure continues to reflect the current control environment.