Find out how you can improve your business security by measuring cybersecurity risk using statistical analysis.
Businesses and organizations are more at risk of cyberattack than ever before. Calculating that risk, however, is no easy task. Here, we will provide an overview of traditional methods, as well as a glimpse into what could be the future of measuring cybersecurity risk: statistical analysis.
Cybersecurity risk is the likelihood that your organization will suffer from disruptions to data, finances, or online business operations. This type of risk is most often associated with events that could ultimately result in a data breach. Breaches, ransomware, phishing, and malware are the most common threats to cybersecurity that most organizations will face.
The cost of a cyberattack can be painfully high, and sometimes high enough to shut down business operations completely. Research from 2020 suggests that $2.9 million is lost to cybercrime every minute, and that the average cost of a data breach in 2020 was $3.86 million.
As cybersecurity threats continue to evolve, it is important to understand how to predict cybersecurity risk adequately so that you can protect your organization from future attacks and the resulting financial burden.
But how do you calculate the risk that threats to cybersecurity pose?
Many organizations turn to external advisers who can provide real-time risk metrics for their enterprise. A recent analysis of the “cybersecurity risk metrics market” shows that the rise of adversaries, boardroom pressures, and financial losses has led to an emerging force of underwriters, brokers, and consultants who help Chief Information Security Officers (CISOs) answer to the C-suite and the boardroom.
Keeping your data safe, however, is expensive. Many smaller organizations can’t afford to hire an outside company to measure risk for them.
Whether your organization hires someone to do that work for you or you use your own team of security professionals to measure cyber risk, it’s likely your cyber risk will be calculated using traditional “High-Medium-Low” categories.
Some security experts argue that using these “unproven” qualitative methods leads to inconsistencies in forecasting by up to 20 percent. Instead, they suggest using statistical analysis as a means to measure cybersecurity risk.
Regardless of the method you choose, you still need to measure risk somehow. We’ll first take a closer look at the High-Medium-Low model most often used in cyber risk assessments. Then we’ll examine how statistical analysis might be better for your business instead, and what tools you can use to help.
How Do You Measure Cybersecurity Risk?
The terms “vulnerability” and “cyber risk” are often used interchangeably, but they are not the same. A vulnerability is a weakness that results in unauthorized network access when exploited. A cyber risk is the probability of a vulnerability being exploited.
To calculate cyber risk, many use this simple framework:
Cyber Risk = Threat x Vulnerability x Information Value
Usually the process of measuring cybersecurity risk begins with a vulnerability assessment.
A vulnerability assessment is a systematic review of the security weaknesses in an information system. It evaluates whether or not your system is susceptible to any known vulnerabilities, assigns a severity level to them, and recommends remediation or mitigation.
The three factors that influence a risk vulnerability assessment are:
- What is the threat?
- How vulnerable is the system?
- What is the reputational or financial damage if the system is breached or made unavailable?
After you conduct a vulnerability assessment to identify and prioritize your vulnerabilities, you would typically conduct a cyber risk assessment to measure the information value and threat components in the equation above.
Cyber risk assessments are defined by the National Institute of Standards and Technology (NIST) as assessments “used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the nation, resulting from the operation and use of information systems.”
The purpose of a cyber risk assessment is to analyze your cybersecurity risks to help inform stakeholders and decision-makers, as well as to support proper risk response. Cyber risk assessments also provide an executive summary to help stakeholders make informed decisions about security.
Most standards and certification tests promote risk analysis as a type of ordinal scoring method. The Risk Rating Methodology on OWASP.org states:
Once the tester has identified a potential risk and wants to figure out how serious it is, the first step is to estimate the likelihood. At the highest level, this is a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker. It is not necessary to be over-precise in this estimate. Generally, identifying whether the likelihood is low, medium, or high is sufficient.
Here are the steps that you would take to complete a thorough cyber risk assessment using the High-Medium-Low method to measure cybersecurity risk:
Determine information value. Before you begin this step, first define a standard for determining the importance of an asset. If you don’t have an unlimited budget for information risk management, you should limit your scope to just the most business-critical assets. Once the standard is incorporated into your organization’s information risk management policy, you should use it to classify each asset as critical, major, or minor.
Identify and prioritize assets. Identify your assets and determine the scope of the assessment. This will allow you to prioritize which assets you should assess. You don’t need to assess every building, employee, trade secret, vehicle, or piece of office equipment; not all assets have the same value.
Identify cyber threats. A cyber threat is a vulnerability that could be exploited, resulting in harm to your organization or stolen data. Hackers, malware, and other IT security risks are obvious threats, but others include natural disasters, system failure, human error, and adversarial threats such as third-party vendors. Threats that affect every organization include unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service disruption. After you identify the threats your organization faces, you need to also assess their impact.
Identify vulnerabilities. Now that you’ve identified what might happen, you need to determine how it could actually happen. What are your vulnerabilities? A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data. Find yours through vulnerability analysis, audit reports, the NIST vulnerability database, vendor data, incident response teams, and software security analysis. Examine both software-based and physical vulnerabilities during this step.
Analyze and implement new controls. Determine which controls are already in place to minimize or eliminate the probability of a threat or vulnerability. To implement new controls, use technical means (hardware, software, encryption, intrusion detection mechanisms, multi-factor authentication, automatic updates, continuous data leak detection) or non-technical (security policies, physical mechanisms like locks or keycard access, and so forth). Classify controls as preventive or detective. Preventive controls attempt to stop attacks, while detective controls work to discover when an attack has occurred.
Calculate the likelihood and impact of various scenarios annually. Now you have the information value, threats, vulnerabilities, and controls. Next, identify how likely it is that these cyber risks will materialize, and the harm if they do. Then you can use your findings to determine how much to allocate for mitigating each identified cyber risk.
Prioritize risks based on the cost of prevention versus information value. Determine action for senior management or other stakeholders to take to mitigate risk, using risk level as a basis.
- High risk: corrective measures should be developed as soon as possible.
- Medium risk: corrective measures can be developed within a reasonable period of time.
- Low risk: decide whether to accept the risk or mitigate it.
You’ve already determined the value of the asset and how much you should spend to protect it. Now you just need to decide whether it makes sense to use a preventive control to protect that asset, especially if that preventive step costs more than the asset is worth. Remember to evaluate both the reputational and financial impact during this step.
Document results from risk assessment reports. Finally, develop a risk assessment report to support management decision-making on budget, policies and procedures. Describe the risk, vulnerabilities, and value for each threat, along with the impact and likelihood of occurrence and control recommendations.
Although widely used, this High-Medium-Low qualitative method of calculating cybersecurity risk is still complex. It requires you to classify information as critical, major, or minor; calculate the likelihood and harm of various scenarios; and prioritize risks based on the cost of prevention versus information value.
While it’s important to implement measures to defend against events that are likely to occur, it’s just as important to avoid preparing for events that aren’t likely to occur or won’t have much material harm to your organization.
Deciding which risks are the most critical, and which risks can be put aside and dealt with later comes down to probability: the likelihood that a cyberattack will occur and the consequences that come with it.
Determining your organization’s most critical assets and which pose the most cyber risk is no small task, and using qualitative methods to do so leaves you open to error.
As mentioned before, security professionals are often up to 20 percent inconsistent when employing the High-Medium-Low method of measuring cyber risk.
So, what is the alternative?
Cybersecurity Risk & Statistical Analysis
Statistical analysis is the science of collecting, exploring, and presenting large amounts of data to discover underlying patterns and trends. Although using statistical analysis to measure cyber risk may seem obvious, it’s actually not the traditional method of choice.
In their recent book, “How to Measure Anything in Cybersecurity,” Seiersen and co-author Douglas Hubbard advocate for risk management using probabilistic thinking and programming — in other words, statistical analysis.
Using statistical analysis to measure other types of risk is nothing new. Seiersen notes that “risks have been measured in far more complex situations — flooding, droughts, military logistics and such.” But when using statistical analysis to measure cybersecurity risk, the challenge seems to be how.
The first step is to convince skeptical security professionals that statistical analysis is a viable method for measuring cyber risk.
Seiersen’s research shows that statistical literacy plays a large part in any objections to more quantitative approaches to cybersecurity, including statistical analysis.
Basically, security professionals who don’t understand how to interpret statistics are the most likely to doubt the untapped potential of statistical analysis.
Assigning probability, or determining the likelihood that certain risks will be exploited, sounds more complicated than it actually is.
For example, access to sensitive information makes a systems administrator more susceptible to a hack than someone who works as an intern. Your organization shouldn’t discount the possibility that other accounts might be hacked — but statistical analysis shows that the greatest risk lies in the system administrator’s account.
Using a mathematical technique like statistical analysis, you could actually measure the risk in this scenario: “the probability that the system administrator’s account will be hacked is X percent.”
In their book, Seiersen and Hubbard provide a number of statistical theories such as Bayesian statistics that could be used instead of qualitative risk matrices.
Bayesian statistics is a theory where probability expresses a degree of belief in an event, which may be based on prior knowledge about the event such as the results of previous experiments, or on personal beliefs about the event.
No matter which of those methods you use, Seiersen and Hubbard maintain that using statistical analysis to measure cybersecurity risk will provide more accurate predictions for your business.
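To make the two ideas above concrete, the sentence “the probability that the system administrator’s account will be hacked is X percent” and a Bayesian prior updated by observed data, here is a small worked example. It is added here and is not code from the page or from Hubbard and Seiersen’s book; the scenario names, probabilities, loss ranges and incident counts are all constructed for the illustration. It assumes the common quantitative-risk convention of expressing loss as a 90 percent confidence interval and treating it as lognormal, then running a Monte Carlo simulation of many years to get an expected annual loss and a loss-exceedance curve for each scenario.

```python
"""Quantitative cyber-risk sketch: a Bayesian update of the probability that a
scenario occurs, followed by a Monte Carlo simulation of annual loss.
Added illustration, not code from the page or from Hubbard and Seiersen's book;
every figure used below is constructed for the demonstration."""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    prob_event: float   # probability the event occurs in a given year
    loss_low: float     # lower bound of a 90% confidence interval on loss (USD)
    loss_high: float    # upper bound of that interval (USD)


def bayesian_update(prior_alpha, prior_beta, events, trials):
    """Beta-binomial update of an event probability.

    The prior Beta(alpha, beta) encodes the analyst's belief before looking at
    data (Beta(1, 1) means 'no idea'); 'events' compromises observed over
    'trials' account-years move the belief toward the observed rate.
    Returns the posterior mean, i.e. the updated probability.
    """
    alpha = prior_alpha + events
    beta = prior_beta + (trials - events)
    return alpha / (alpha + beta)


def lognormal_params(low, high):
    """Turn a 90% confidence interval on a positive loss into lognormal mu, sigma.

    ln(low) and ln(high) sit 1.645 standard deviations either side of mu.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def simulate_annual_loss(scenarios, years=10_000, seed=7):
    """Simulate 'years' independent years: each scenario fires with its own
    probability and, if it fires, draws a loss from its lognormal distribution.
    Returns (total loss per simulated year, per-scenario loss samples)."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.loss_low, s.loss_high) for s in scenarios}
    totals = []
    per_scenario = {s.name: [] for s in scenarios}
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            loss = 0.0
            if rng.random() < s.prob_event:
                mu, sigma = params[s.name]
                loss = rng.lognormvariate(mu, sigma)
            per_scenario[s.name].append(loss)
            year_total += loss
        totals.append(year_total)
    return totals, per_scenario


def expected_loss(samples):
    """Mean simulated annual loss (the annualised loss expectancy)."""
    return sum(samples) / len(samples)


def loss_exceedance(samples, threshold):
    """Fraction of simulated years whose loss exceeds 'threshold'."""
    return sum(1 for x in samples if x > threshold) / len(samples)


def rank_by_expected_loss(per_scenario):
    """Scenario names ordered from largest to smallest expected annual loss."""
    return sorted(per_scenario,
                  key=lambda n: expected_loss(per_scenario[n]), reverse=True)


if __name__ == "__main__":
    # Constructed inputs: a Beta(1, 1) prior updated with 3 compromises seen
    # across 40 privileged-account-years gives the sysadmin scenario its probability.
    p_admin = bayesian_update(1, 1, events=3, trials=40)
    scenarios = [
        Scenario("sysadmin account compromise", p_admin, 50_000, 2_000_000),
        Scenario("intern account compromise", 0.05, 1_000, 40_000),
        Scenario("ransomware on file server", 0.03, 100_000, 5_000_000),
    ]
    totals, per = simulate_annual_loss(scenarios)
    print(f"P(sysadmin compromise in a year) = {p_admin:.1%}")
    for name in rank_by_expected_loss(per):
        print(f"{name:32s} expected annual loss ${expected_loss(per[name]):>12,.0f}")
    for t in (100_000, 1_000_000):
        print(f"P(total annual loss > ${t:,}) = {loss_exceedance(totals, t):.1%}")
```

The ranking that comes out is driven by expected annual loss and by how often the simulated year exceeds a dollar threshold, which is exactly the kind of statement a High-Medium-Low matrix cannot make; the same scenarios can be re-run with a different prior or a wider loss interval to see how sensitive the ordering is to the analyst’s assumptions.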
Ultimately, the authors argue that organizations should stop using risk scores and risk matrices altogether, and that standards organizations should stop promoting them.
Instead, they suggest using simple probabilistic methods because they demonstrate a measurable improvement over unaided intuition, and because they have already proven to be effective.
They also believe that if risks and mitigation strategies are quantified in a more meaningful way using statistical analysis, decisions would be easier to support.
For those who believe that cybersecurity is too complex or lacks sufficient data for quantitative analysis, Hubbard and Seiersen remind us that “softer methods never alleviate a lack of data, complexity, rapidly changing environments or unpredictable human actors… they can only obscure it.”
Using statistical analysis is clearly the more precise method to measure cybersecurity risk over traditional methods that are more qualitative. But it is still a complex and arduous process.
Fortunately, software solutions can help your organization use statistical analysis to accurately calculate cybersecurity risk and report it to decision makers in the boardroom.
ZenGRC Helps You Measure & Assess Cyber Risk
Measuring risk is complicated enough as it is. Threat actors continually switch and evolve their tactics and technologies. You must do the same, or you might lose control of your systems, data, and brand. Throw statistical analysis in the mix, and the task of measuring and assessing cyber risk may seem even more overwhelming.
Good governance, risk management, and compliance software, however, can help you handle the many facets of managing cybersecurity risk.
ZenGRC from Reciprocity helps you pinpoint risk by probing your systems and finding cybersecurity compliance gaps. By generating metrics about your risk posture, ZenGRC can help you prioritize risks using statistical analysis.
The user-friendly dashboard also lets you see in a glance the status of each risk, what needs to be done to address it, and in what order.
ZenGRC generates an audit trail of your risk management activities, and stores all your documentation in a “single source of truth” repository for easy retrieval come audit time. It allows unlimited self-audits, so you always know where your organization’s risk management and compliance efforts stand.
With ZenGRC, cyber risk management all but takes care of itself — leaving you to more pressing concerns like boosting your business and your bottom line.
Worry-free GRC: that’s the Zen way. Sign up for a demo today to see if ZenGRC is right for you.