Businesses are more at risk of cyber attacks than ever before. Calculating that risk, however, can be a challenging task. In this post we will provide an overview of traditional calculation methods and explore the future of measuring cybersecurity risk: statistical analysis.
The cost of a cyberattack can be painfully high, sometimes high enough to shut down business operations entirely. In 2022 the FBI’s Internet Crime Complaint Center (IC3) received 800,944 cybercrime complaints with total potential losses of more than $10.2 billion. According to the Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 will be $4.45 million, a 15 percent increase from 2020.
As cybersecurity threats continue to evolve, it’s essential to understand how to predict cybersecurity risk, so that you can create effective cybersecurity programs and safeguard your stakeholders.
What is a cybersecurity risk?
Cybersecurity, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), is “the art of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information.”
Cybersecurity risk, in turn, is the likelihood that your cybersecurity program will fail to protect those IT assets, and consequently disrupt your organization’s operations, finances, or data privacy.
This type of risk is often associated with events that could result in a data breach. The most common cybersecurity threats include system breaches, ransomware, phishing, distributed denial of service (DDoS), and malware.
Many organizations turn to external advisers to provide real-time risk metrics for their enterprises. Keeping your data safe, however, is expensive. Many smaller organizations can’t afford to hire an outside company to measure their risk.
Whether your organization hires someone to measure cybersecurity risk or your team of security professionals calculates it directly, most businesses use a rating system along some sort of “high-medium-low” scale.
The problem: using such qualitative methods can lead to forecasting inconsistencies, sometimes by margins of 20 percent or more. A more rigorous choice is to use statistical analysis to measure cybersecurity risk.
What are common types of cyber threats?
Cybersecurity threats can come in a wide variety of forms. The most common types of threats are below.
Malware is software installed by attackers to harm a computer, server, system, or network. Malware comes in many forms, each with its own goals and consequences on the victim’s devices.
- Ransomware. A type of malware that prevents users from accessing systems, networks, devices, or data until they pay a ransom. Even after paying the ransom, ransomware victims frequently discover that they cannot access their information systems, and further threats follow.
- Trojan horse. This is malicious code that appears to be a legitimate application, but actually gives attackers access and control of computers and mobile devices. Trojans are used in ransomware attacks, for example.
- Spyware. Malware that hides in hard drives and sends data to a remote place.
- Adware. A virus that spreads through bogus advertisements or newsletters subscription offers.
Social engineering uses social media and email to mislead users into releasing intellectual property or handing out sensitive data. Social engineering attempts can range from painfully obvious to incredibly sneaky.
Phishing attacks occur when an attacker sends email messages with forged links or attachments that, when clicked, install malware. Spear phishing is especially targeted and takes the form of an unauthorized user impersonating a coworker (say, from the IT department) and attempting to access passwords or accounts.
In addition, “smishing” attacks use text or SMS messages to do the same thing. “Vishing” or “voice phishing” (also known as “scam calls”) is an effort to get credit card details and other personal information over the phone.
Man-in-the-Middle (MITM) attacks
A man-in-the-middle attack occurs when a hacker gets access to a two-party transaction and observes the private communication. This infiltration is especially dangerous on public and unprotected wi-fi systems. The cyberattack might target either the host of the wi-fi or the device attempting to connect to the unprotected wi-fi.
Advanced Persistent Threats (APT)
Advanced persistent threat (APT) is a broad term for an attack where a hacker (or a group of them) maintains an illegal, long-term presence on a network to capture sensitive data.
These assaults, which are painstakingly planned and studied, usually target large businesses or governmental networks. They may well have support from state-run enterprises such as intelligence agencies.
Distributed Denial-of-Service (DDoS) attacks
A distributed denial-of-service assault attack attempts to overload and damage a system by flooding it with data, rendering it inoperable. It is the online equivalent of calling a telephone number nonstop so that other callers can never get through.
Why is measuring cybersecurity risk important?
Measuring cybersecurity risk is important because without that step, CISOs can never be sure that they’ve implemented the proper number of protections. They might leave assets under-protected, and then if a breach happens the company is exposed to regulatory enforcement or litigation because it should have done more. Or they might over-protect assets, wasting money on protections the company doesn’t need.
There is also a commercial motive here: customers will want to know that your company has taken proper steps to protect its IT assets. If you don’t know what your risks are, you can’t offer the correct assurance to would-be customers.
How do you measure cybersecurity risk?
To measure cybersecurity risk, one must first understand the difference between a vulnerability and a cyber risk. A vulnerability is a weakness that can result in unauthorized network access when exploited. Cyber risk, in contrast, is the probability of a vulnerability being exploited.
To calculate cyber risk, many use this equation:
Cyber Risk = Threat x Vulnerability x Information Value
Usually the measurement of cybersecurity risk begins with a vulnerability assessment. A vulnerability assessment is a systematic review of the security weaknesses in an information system. It evaluates whether or not your system is susceptible to known vulnerabilities, assigns a severity level to them, and recommends remediation or mitigation.
The three factors that influence a risk vulnerability assessment are:
- What is the threat?
- How vulnerable is the system?
- What is the reputational or financial damage if the system is breached or unavailable?
After you conduct a vulnerability assessment to identify and prioritize your vulnerabilities, you can perform a cyber risk assessment to determine the information value and threat components in the equation above.
A cyber risk assessment analyzes your cybersecurity risks so that you can inform stakeholders and decision-makers and support proper risk response. Cyber risk assessments also provide an executive summary to help stakeholders make informed security decisions.
Once the tester has identified a potential risk and wants to figure out how serious it is, the first step is to estimate the likelihood. This is a rough measure of an attacker’s ability to exploit a particular vulnerability. It is not necessary to be overly precise in this estimate. Identifying whether the likelihood is low, medium, or high is sufficient.
Here are the steps to complete a thorough cyber risk assessment using the high-medium-low method to measure cybersecurity risk:
Determine information value
First, define a standard for determining the importance of an asset. If you don’t have an unlimited budget for information risk management, you should limit your scope to the most business-critical assets. Once the standard is incorporated into the organization’s information risk management policy, you should use it to classify each asset as critical, major, or minor.
Identify and prioritize assets
Next, identify assets and determine the scope of the assessment. This will allow you to prioritize which assets should be assessed. For example, you don’t need to evaluate every building, employee, trade secret, vehicle, or office equipment.
Identify cyber threats
A cyber threat is a vulnerability that could be exploited to harm the organization or steal data. Hackers, malware, and other IT. security risks are apparent threats, including natural disasters, system failure, human error, and adversarial threats like third-party vendors.
Threats that affect every organization include unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service disruption. After identifying the organization’s threats, you must also assess their impact.
Now that you’ve identified what might happen theoretically, you need to address what could happen in reality: What are the vulnerabilities? A vulnerability is a weakness that a threat can exploit to breach security, harm the organization, or steal sensitive data.
Tools and methods to identify vulnerabilities include vulnerability analysis, audit reports, the NIST cybersecurity vulnerability database, vendor data, incident response teams, and software security analysis. Examine both software-based and physical vulnerabilities during this step.
Analyze and implement new controls
Determine what controls are already in place to minimize or eliminate the probability of a threat or vulnerability. Classify controls as preventive or detective. Preventive controls attempt to stop attacks before they start, while detective controls work to discover an attack after it has occurred.
Calculate the likelihood and impact of various scenarios annually
Now you have the information value, threats, vulnerabilities, and controls. Next, identify how likely these cyber risks will happen and the harm that may occur if they do. Then you can use your findings to decide how much to allocate for mitigating each identified cyber risk.
Prioritize risks based on the cost of prevention vs. information value
When deciding how to respond to a risk, use a scale something like the following:
- High risk: corrective measures should be developed as soon as possible
- Medium risk: corrective actions can be created within a reasonable period
- Low risk: decide whether to accept the risk or mitigate it
At this point, you have already determined the asset’s value and how much you should spend to protect it. Now you need to decide whether it makes sense to use a preventive control to protect that asset, especially if the preventative step costs more than the asset is worth. Remember to evaluate both the reputational and financial impact during this step.
Document results in a risk assessment reports
Finally, develop a risk assessment report to support budget, policies, procedures, and management decision-making. Describe each threat’s risk, potential impact, likelihood of occurrence, and control recommendations.
Although widely used, this high-medium-low qualitative method to calculate cybersecurity risk is still complex. For example, you must assign value to information as critical, major, or minor; calculate the likelihood and harm of various scenarios; and prioritize risks based on the cost of prevention versus information value.
How to use statistical analysis for cybersecurity risk management
Statistical analysis is the study of large amounts of data to discover underlying patterns and trends. Although using statistical analysis to measure cyber risk may seem obvious, it’s not the traditional method.
Richard Seiersen, a one-time general manager of cybersecurity and privacy at GE Healthcare and CISO at Twillo, advocates for simplifying cybersecurity risk measurement. In his recent book, “How to Measure Anything in Cybersecurity,” Seiersen and co-author Douglas Hubbard discuss using probabilistic programming and statistical analysis to measure cyber risk.
Using statistical analysis to measure other types of risk is nothing new; Seiersen notes that “risks have been measured in far more complex situations — flooding, droughts, military logistics, etc.” But when using statistical analysis to measure cybersecurity risk, the challenge seems to be how.
The first step is to convince skeptical security professionals that statistical analysis is viable for measuring cyber risk. Sieiersen’s research shows that statistical literacy plays a large part in any objections; security professionals who don’t understand how to interpret statistics are most likely to doubt the untapped potential of statistical analysis.
Assigning probability — that is, determining the likelihood that certain risks will be exploited — sounds more complicated than it is.
For example, access to sensitive information makes a systems administrator more susceptible to a hack than someone who works as an intern. Of course your organization shouldn’t discount the possibility that other accounts might be hacked, but statistical analysis shows that the most significant risk lies in the system administrator’s account.
Using a mathematical technique like statistical analysis, you could measure the risk in this scenario: “The probability that the system administrator’s account will be hacked is X percent.”
In their book, Seiersen and Hubbard provide several statistical theories, such as Bayesian statistics, that could be used instead of qualitative risk matrices.
Bayesian statistics is a theory where the probability of an event is calculated based on prior knowledge about the event, such as the results of previous experiments or personal beliefs about the event. Other methods the authors suggest are Monte Carlo simulations, simple “one-for-one substitutions,” loss exceedance curves, and the Rasch (Logodds) Model.
No matter which methods you use, Seiersen and Hubbard maintain that using statistical analysis to measure cybersecurity risk will provide more accurate predictions for the business.
Ultimately, the authors argue that organizations should stop using risk scores and risk matrices altogether, and that standards organizations should stop promoting them. Instead, they suggest using simple probabilistic methods because they demonstrate a measurable improvement over unaided intuition and have already proven effective.
The authors also believe that decisions would be easier to support if risks and mitigation strategies are quantified more meaningfully using statistical analysis.
For those who believe cybersecurity is too complex or lacks sufficient data for quantitative analysis, Hubbard and Seiersen remind us that “softer methods never alleviate a lack of data, complexity, rapidly changing environments or unpredictable human actors… they can only obscure it.”
Using statistical analysis is a more precise method to measure cybersecurity risk over traditional methods that are more qualitative. But it is still a complex and arduous process. Fortunately, software solutions can help your organization use statistical analysis to accurately calculate cybersecurity risk and report it to decision-makers in the boardroom.
Manage cybersecurity risk effortlessly with ZenGRC
Measuring risk is complicated enough as it is. Threat actors constantly switch and evolve their tactics and technologies. You must do the same, or you might lose control of your systems, data, and brand. Throw statistical analysis into the mix, and measuring and assessing cyber risk may seem overwhelming.
Robust governance, risk management, and compliance software, however, is an essential component of your risk management strategy and can help you handle the many facets of managing cybersecurity risk.
The RiskOptics ZenGRC Platform pinpoints risk by evaluating systems and finding cybersecurity compliance gaps. In addition, ZenGRC can help you prioritize risks using statistical analysis by generating metrics about your risk posture. The user-friendly dashboard also lets you see the status of each risk, what needs to be done to address it, and in what order.
ZenGRC generates an audit trail of risk management activities and stores all documentation in a “single source of truth” repository for easy retrieval come audit time. In addition, it allows unlimited self-audits, so you always know where your organization’s risk management and compliance efforts stand.
With the ZenGRC Platform, cyber risk management takes care of itself; leaving you to more pressing concerns like boosting your business and your bottom line.