
Business organizations are more at risk of cyberattacks than ever before. Calculating that risk, however, is no easy task. In this post we will provide an overview of traditional calculation methods and a glimpse into what could be the future of measuring cybersecurity risk: statistical analysis.
The cost of a cyberattack can be painfully high and sometimes high enough to shut down business operations entirely. Research from 2020 suggests that $2.9 million is lost to cybercrime every minute, and the average cost of a data breach in 2021 was $4.24 million.
As cybersecurity threats continue to evolve, it is essential to understand how to predict cybersecurity risk adequately to create effective cybersecurity programs and safeguard your stakeholders.
What Is a Cybersecurity Risk?
Cybersecurity, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), is “the art of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information.”
Many organizations adopt a cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to structure their security programs and to demonstrate compliance with regulatory requirements such as the General Data Protection Regulation (GDPR).
Cybersecurity risk is the potential for your organization to suffer data, financial, or operational harm from a cyber event; it combines the likelihood of the event with the impact it would have. This type of risk is most often associated with events that could ultimately result in a data breach. Breaches, ransomware, phishing, distributed denial of service (DDoS), and malware are among the most common cybersecurity threats.
Many organizations turn to external advisers who can provide real-time risk metrics for their enterprises. A recent analysis of the “cybersecurity risk metrics” market shows that the rise of adversaries, boardroom pressures, and financial losses has produced an emerging group of underwriters, brokers, and consultants who help chief information security officers (CISOs) answer concerns coming from the C-suite and the boardroom.
Keeping your data safe, however, is expensive. Many smaller organizations can’t afford to hire an outside company to measure risk for them.
Whether your organization hires someone to do that work for you, or uses your team of security professionals to measure cyber risk, your risk will likely be calculated using traditional “high-medium-low” categories.
Some security experts argue that using these qualitative methods leads to forecasting inconsistencies by as much as 20 percent. They suggest instead using statistical analysis to measure cybersecurity risk.
Regardless of the method you choose, you still need to measure risk somehow.
What Are Common Types of Cyber Threats?
Despite cybersecurity professionals’ attempts to close security breaches, cybercriminals are always looking for new ways to escape detection, bypass security measures, and exploit emerging vulnerabilities and information security weaknesses.
The most recent cybersecurity threats use work-from-home settings, remote management technologies, and new cloud services to reinvent well-known vulnerabilities. Cybersecurity programs work to protect against all forms of corporate cybersecurity risks.
Malware
Malware is software installed by cybercriminals to harm a computer, server, system, or network. Malware comes in many forms, each with its own set of goals and consequences on the victim’s devices.
- Ransomware. Malware that encrypts data or locks users out of systems, networks, or devices until a ransom is paid. Even after paying, victims frequently find that they still cannot recover their systems, and further extortion (such as threats to publish stolen data) often follows.
- Trojan horse. Malicious code disguised as a legitimate application. Once run, it gives attackers access to and control of computers and mobile devices; Trojans are a common first stage of ransomware attacks.
- Spyware. Malware that hides on a device, collects data such as keystrokes, credentials, and files, and sends it to a remote server controlled by the attacker.
- Adware. Unwanted software that displays or injects advertisements, often bundled with free downloads or delivered through bogus advertisements and newsletter subscription offers; some variants also track browsing activity.
Social Engineering
Social engineering is a technique that manipulates people, through email, social media, phone calls, or in person, into violating basic security practices, releasing intellectual property, or handing over sensitive data. Social engineering attempts can range from painfully obvious to incredibly sneaky.
Phishing attacks occur when a cybercriminal sends email messages with forged links or attachments that, when opened, install malware or lead to a fake login page that harvests credentials. Spear phishing is targeted at a specific person or role, for example an attacker impersonating a coworker (say, from the IT department) to obtain passwords or access to accounts.
In addition, “smishing” attacks use text or SMS messages to do the same thing. “Vishing” or “voice phishing” (also known as “scam calls”) is an effort to get credit card details and other personal information over the phone.
Man-in-the-Middle (MITM) Attacks
A man-in-the-middle attack occurs when an attacker inserts themselves into a two-party communication that both parties assume is private, and then observes or alters the traffic. The risk is greatest on public or unencrypted wi-fi networks, where the attacker may control a rogue access point or sit between the victim’s device and the legitimate network; properly validated TLS is the main defense, because it prevents the attacker from reading or modifying the session even on a hostile network.
Advanced Persistent Threats (APT)
An advanced persistent threat (APT) is a broad term for an attack operation in which a hacker (or a group of them) maintains an illegal, long-term presence on a network to capture sensitive data.
These attacks, which are painstakingly planned and researched, usually target large businesses or government networks. They are frequently sponsored by nation-states, including their intelligence agencies.
Distributed Denial-of-Service (DDoS) Attacks
A distributed denial-of-service attack attempts to make a system unavailable by flooding it with traffic or requests from many sources at once (often a botnet), exhausting its bandwidth, connections, or processing capacity so that legitimate users cannot be served.
Why Is Measuring Cybersecurity Risk Important?
With the cost and frequency of cyber assaults on the rise, security executives must be able to demonstrate that the efforts they’re making to lower cybersecurity risk throughout their digital ecosystems are paying off. To do so, they must be able to analyze and explain risk in business-friendly terms.
Moreover, as managers are increasingly challenged to offer confidence that corporate assets are appropriately protected from the consequences of a future breach, assessing information security effectiveness has become a key performance indicator (KPI) for organizations.
How Do You Measure Cybersecurity Risk?
The terms “vulnerability” and “cyber risk” are often used interchangeably, but they are not the same. A vulnerability is a weakness (a software flaw, a misconfiguration, a missing control) that a threat can exploit. Cyber risk, in contrast, combines the probability that a vulnerability will be exploited with the harm that would result.
To calculate cyber risk, many use this simple framework:
Cyber Risk = Threat x Vulnerability x Information Value
Note that this is a heuristic for ranking, not an arithmetic formula: each factor is usually an ordinal rating rather than a measured quantity, so the “product” only tells you which risks are larger relative to one another, not how large they are.
Usually, measurement of cybersecurity risk begins with a vulnerability assessment.
A vulnerability assessment is a systematic review of the security weaknesses in an information system. It evaluates whether or not your system is susceptible to any known vulnerabilities, assigns a severity level to them, and recommends remediation or mitigation.
The three factors that drive a risk assessment are:
- What is the threat?
- How vulnerable is the system?
- What is the reputational or financial damage if the system is breached or unavailable?
After you conduct a vulnerability assessment to identify and prioritize your vulnerabilities, you can perform a cyber risk assessment to measure the information value and threat components in the equation above.
The NIST defines risk assessments as processes “used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the nation, resulting from the operation and use of information systems.”
A cyber risk assessment analyzes your cybersecurity risks to help inform stakeholders and decision-makers and support proper risk response. Cyber risk assessments also provide an executive summary to help stakeholders make informed security decisions.
Most standards and certification tests promote cybersecurity risk analysis as an ordinal scoring method. For example, the risk rating methodology on OWASP.org states:
Once the tester has identified a potential risk and wants to figure out how serious it is, the first step is to estimate the likelihood. This is a rough measure of how likely an attacker could exploit a particular vulnerability. It is not necessary to be overly precise in this estimate. Identifying whether the likelihood is low, medium or high is sufficient.
Here are the steps that you would take to complete a thorough cyber risk assessment using the high-medium-low method to measure cybersecurity risk:
Determine Information Value
First, define a standard for determining the importance of an asset. If you don’t have an unlimited budget for information risk management, you should limit your scope to the most business-critical assets. Once the standard is incorporated into your organization’s information risk management policy, you should use it to classify each asset as critical, major, or minor.
Identify and Prioritize Assets
Next, identify your assets and determine the scope of the assessment. This will allow you to prioritize which assets you should assess. For example, you don’t need to evaluate every building, employee, trade secret, vehicle, or piece of office equipment.
Identify Cyber Threats
A cyber threat is anything that could exploit a vulnerability to harm your organization or steal data. Hackers and malware are the obvious threats, but the list should also include natural disasters, system failure, human error, and third parties such as vendors with access to your environment.
Threats that affect every organization include unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service disruption. After identifying your organization’s threats, you also need to assess their impact.
Identify Vulnerabilities
Now that you’ve identified what might happen at a theoretical level, you need to address what actually could happen in reality: What are your vulnerabilities? A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data.
Tools and methods to identify vulnerabilities include vulnerability scanning and analysis, audit reports, the NIST National Vulnerability Database (NVD), vendor security advisories, incident response findings, and software security testing. Examine both software-based and physical vulnerabilities during this step.
Analyze and Implement New Controls
Determine which controls are already in place to minimize or eliminate the probability of a threat or vulnerability. Classify controls as preventive or detective. Preventive controls attempt to stop attacks before they start, while detective controls work to discover an attack after it has occurred.
Calculate the Likelihood and Impact of Various Scenarios Annually
Now you have the information value, threats, vulnerabilities, and controls. Next, identify how likely it is that these cyber risks will happen and the harm that may occur if they do. Then you can use your findings to determine how much to allocate for mitigating each identified cyber risk.
Prioritize Risks Based on the Cost of Prevention Versus Information Value
Determine action for senior management or other stakeholders to mitigate risk, using risk level as a basis.
- High risk: corrective measures should be developed as soon as possible;
- Medium risk: corrective actions can be created within a reasonable period;
- Low risk: decide whether to accept the risk or mitigate it.
At this point, you have already determined the asset’s value and how much you should spend to protect it. Now you need to decide whether it makes sense to apply a preventive control to that asset; a control that costs more than the asset it protects is rarely justified, and accepting the risk may be the better choice. Remember to evaluate both the reputational and financial impact during this step.
Document Results from Risk Assessment Reports
Finally, develop a risk assessment report to support budget, policies, and procedures management decision-making. Describe each threat’s risk, vulnerabilities, asset value, potential impact, and likelihood of occurrence, along with control recommendations.
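The steps above can be captured in a small risk register. The following Python example is added here and is not from the original post or from any vendor tool: it classifies asset value (critical, major, minor), rates each scenario on a likelihood-by-impact matrix, assigns the action tier described above, and flags cases where the proposed preventive control would cost more than the asset is worth. The value thresholds, the matrix cells, and the scenarios are constructed for illustration; in practice they come from your own risk management policy.

```python
"""High/medium/low cyber risk register, following the assessment steps above.
Added example: thresholds, matrix, and scenarios are constructed, not taken
from any real assessment or policy."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")


def classify_asset(value_usd: float) -> str:
    """Map an asset's business value to the policy's critical/major/minor tiers.
    The dollar thresholds are an assumption for this example."""
    if value_usd >= 1_000_000:
        return "critical"
    if value_usd >= 100_000:
        return "major"
    return "minor"


# 3x3 risk matrix: (likelihood, impact) -> risk level. Cell values are a
# policy decision; this layout is one common choice, not a standard.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

# Action tiers from the prioritization step above.
ACTION = {
    "high": "develop corrective measures as soon as possible",
    "medium": "create corrective actions within a reasonable period",
    "low": "decide whether to accept or mitigate",
}


@dataclass
class Scenario:
    asset: str
    asset_value_usd: float
    threat: str
    vulnerability: str
    likelihood: str          # low / medium / high
    impact: str              # low / medium / high
    control: str = ""        # proposed preventive control, if any
    control_cost_usd: float = 0.0


def rate(s: Scenario) -> str:
    """Ordinal risk level for one scenario, read from the matrix."""
    if s.likelihood not in LEVELS or s.impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[(s.likelihood, s.impact)]


def decide(s: Scenario) -> dict:
    """Combine risk level, asset classification and control economics into
    one register row. A control costing more than the asset is not applied."""
    level = rate(s)
    if s.control and s.control_cost_usd > s.asset_value_usd:
        decision = "accept: control cost exceeds asset value"
    elif level == "low":
        decision = "accept or mitigate at management discretion"
    else:
        decision = f"mitigate: {s.control or 'control to be selected'}"
    return {
        "asset": s.asset,
        "asset_value_usd": s.asset_value_usd,
        "classification": classify_asset(s.asset_value_usd),
        "threat": s.threat,
        "vulnerability": s.vulnerability,
        "risk": level,
        "action": ACTION[level],
        "decision": decision,
    }


def prioritize(scenarios) -> list:
    """Register rows ordered high -> low risk, then by asset value."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [decide(s) for s in scenarios]
    rows.sort(key=lambda r: (order[r["risk"]], -r["asset_value_usd"]))
    return rows


# Constructed sample register (not real data).
REGISTER = [
    Scenario("customer database", 2_500_000, "ransomware", "unpatched VPN appliance",
             "high", "high", "patch VPN and enforce MFA", 40_000),
    Scenario("marketing website", 50_000, "DDoS", "no upstream traffic filtering",
             "medium", "low", "CDN with DDoS protection", 60_000),
    Scenario("HR file share", 300_000, "insider misuse", "overly broad share permissions",
             "medium", "medium", "least-privilege ACL review", 15_000),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(f"{row['risk']:<6} {row['classification']:<8} {row['asset']:<18} "
              f"{row['action']}; {row['decision']}")
```

The register makes the page's own caveat visible: the website DDoS scenario and the HR share scenario both start from "medium" likelihood, but the matrix collapses very different loss magnitudes into a handful of cells, so the ordering it produces depends entirely on how the ratings were chosen.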
Although widely used, this high-medium-low qualitative method to calculate cybersecurity risk is still complex. For example, you must assign value to information as critical, major, or minor; calculate the likelihood and harm of various scenarios; and prioritize risks based on the cost of prevention versus information value.
Deciding which risks are the most critical and which risks can be put aside and dealt with later comes down to judgment calls that determine the probability that an attack will occur and the consequences that come with it.
How to Use Statistical Analysis for Cybersecurity Risk Management
Statistical analysis is the science of collecting, exploring, and presenting large amounts of data to discover underlying patterns and trends. Although using statistical analysis to measure cyber risk may seem obvious, it’s not the traditional method of choice.
Richard Seiersen, a one-time general manager of cybersecurity and privacy at GE Healthcare and CISO at Twilio, is an advocate for simplifying cybersecurity risk measurement. In their book “How to Measure Anything in Cybersecurity Risk,” Seiersen and co-author Douglas Hubbard discuss using probabilistic methods and statistical analysis to measure cyber risk.
Using statistical analysis to measure other types of risk is nothing new; Seiersen notes that “risks have been measured in far more complex situations – flooding, droughts, military logistics, etc.” But when using statistical analysis to measure cybersecurity risk, the challenge seems to be how.
The first step is to convince skeptical security professionals that statistical analysis is viable for measuring cyber risk. Seiersen’s research shows that statistical literacy plays a large part in any objections: security professionals who don’t know how to interpret statistics are the most likely to doubt the untapped potential of statistical analysis.
Assigning probability – that is, determining the likelihood that certain risks will be exploited – sounds more complicated than it is.
For example, a systems administrator’s access to sensitive systems makes that account a far more attractive target, and its compromise far more damaging, than an intern’s account. Your organization shouldn’t discount the possibility that other accounts might be compromised, but when likelihood and impact are quantified, most of the risk concentrates in the administrator’s account.
Using a mathematical technique like statistical analysis, you could measure the risk in this scenario: “the probability that the system administrator’s account will be hacked is X percent.”
In their book, Seiersen and Hubbard provide several statistical theories, such as Bayesian statistics, that could be used instead of qualitative risk matrices.
Bayesian statistics is an approach in which probability expresses a degree of belief in an event based on prior knowledge, such as the results of previous experiments or expert judgment, and is updated as new evidence arrives. Other methods the authors suggest are Monte Carlo simulations, the simple “one-for-one substitution” of a probability and a loss range for each matrix cell, loss exceedance curves, and the Rasch (log-odds) model.
No matter which methods you use, Seiersen and Hubbard maintain that using statistical analysis to measure cybersecurity risk will provide more accurate predictions for your business.
Ultimately, the authors argue that organizations should stop using risk scores and risk matrices altogether and that standards organizations should stop promoting them. Instead, they suggest using simple probabilistic methods because those methods demonstrate a measurable improvement over unaided intuition and have already proven effective.
They also believe that decisions would be easier to support if risks and mitigation strategies are quantified more meaningfully using statistical analysis.
For those who believe that cybersecurity is too complex or lacks sufficient data for quantitative analysis, Hubbard and Seiersen remind us that “softer methods never alleviate a lack of data, complexity, rapidly changing environments or unpredictable human actors… they can only obscure it.”
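To show what the quantitative alternative looks like in practice, here is an added Python example (not code from the original post or from Hubbard and Seiersen) implementing the one-for-one substitution described above: each scenario gets an annual probability of occurring and a 90% confidence interval for the loss if it does, the loss is modeled as lognormal with that interval as its 5th and 95th percentiles, and a Monte Carlo simulation yields the expected annual loss and a loss exceedance curve. The three scenarios and their figures are constructed for illustration; the only calibration assumption is that a 90% interval spans 3.29 standard deviations of the log-loss.

```python
"""Monte Carlo estimate of annual cyber loss with a loss exceedance curve.
Added example; scenarios and dollar figures are constructed, not real data."""
import math
import random

# A 90% interval covers mean +/- 1.645 sigma, i.e. 3.29 sigma end to end.
Z90 = 3.29


def lognormal_params(lower: float, upper: float) -> tuple:
    """(mu, sigma) of a lognormal whose 5th/95th percentiles are lower/upper.
    The median is the geometric mean of the two bounds."""
    if not 0 < lower < upper:
        raise ValueError("interval must satisfy 0 < lower < upper")
    mu = (math.log(lower) + math.log(upper)) / 2
    sigma = (math.log(upper) - math.log(lower)) / Z90
    return mu, sigma


# (name, annual probability of occurrence, 90% CI lower, 90% CI upper)
# Constructed values, standing in for calibrated expert estimates.
SCENARIOS = [
    ("ransomware on file servers", 0.30, 100_000, 1_000_000),
    ("admin account compromise", 0.10, 250_000, 5_000_000),
    ("DDoS on customer portal", 0.05, 20_000, 200_000),
]


def expected_annual_loss(scenarios) -> float:
    """Closed form: sum over scenarios of p * mean of the lognormal loss."""
    total = 0.0
    for _, p, lo, hi in scenarios:
        mu, sigma = lognormal_params(lo, hi)
        total += p * math.exp(mu + sigma ** 2 / 2)
    return total


def simulate(scenarios, trials: int = 20_000, seed: int = 1) -> list:
    """One simulated year per trial: each scenario fires with probability p
    and, if it fires, contributes a lognormal loss. Seeded for repeatability."""
    rng = random.Random(seed)
    fitted = [(p, *lognormal_params(lo, hi)) for _, p, lo, hi in scenarios]
    losses = []
    for _ in range(trials):
        year = 0.0
        for p, mu, sigma in fitted:
            if rng.random() < p:
                year += rng.lognormvariate(mu, sigma)
        losses.append(year)
    return losses


def exceedance(losses, threshold: float) -> float:
    """P(annual loss > threshold), read off the simulated years."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds) -> list:
    """Points (threshold, probability) of the loss exceedance curve."""
    return [(t, exceedance(losses, t)) for t in thresholds]


if __name__ == "__main__":
    losses = simulate(SCENARIOS)
    print(f"analytic expected annual loss: ${expected_annual_loss(SCENARIOS):,.0f}")
    print(f"simulated mean annual loss:    ${sum(losses) / len(losses):,.0f}")
    for t, pr in loss_exceedance_curve(losses, [0, 100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(annual loss > ${t:>9,}) = {pr:.3f}")
```

The exceedance curve answers the question a risk matrix cannot: not “is this risk high?” but “what is the probability that we lose more than $1 million this year?”, which can be set directly against risk tolerance and against the cost of a control that lowers a scenario’s probability or its loss range. Rerunning with a proposed control's reduced figures gives the expected loss avoided, which is the quantity to compare with the control's cost.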
Statistical analysis measures cybersecurity risk more precisely than traditional qualitative methods, but it is still a complex and arduous process. Fortunately, software solutions can help your organization apply statistical analysis to calculate cybersecurity risk and report it to decision-makers in the boardroom.
Manage Cybersecurity Risk Effortlessly with Reciprocity ZenRisk
Measuring risk is complicated enough as it is. Threat actors constantly switch and evolve their tactics and technologies. You must do the same, or you might lose control of your systems, data, and brand. Throw statistical analysis in the mix, and the task of measuring and assessing cyber risk may seem overwhelming.
Robust governance, risk management, and compliance software, however, is an essential component of your risk management strategy and can help you handle the many facets of managing cybersecurity risk.
Reciprocity ZenRisk pinpoints risk by probing your systems and finding cybersecurity compliance gaps. In addition, ZenRisk can help you prioritize risks using statistical analysis by generating metrics about your risk posture. The user-friendly dashboard also lets you see the status of each risk, what needs to be done to address it, and in what order.
ZenRisk generates an audit trail of your risk management activities and stores all your documentation in a “single source of truth” repository for easy retrieval come audit time. In addition, it allows unlimited self-audits, so you always know where your organization’s risk management and compliance efforts stand.
With ZenRisk, cyber risk management all but takes care of itself – leaving you to more pressing concerns like boosting your business and your bottom line.