Do you know your organization’s precise risk of a cyber attack? Can such a thing be quantified? Difficult as it may seem, determining your organization’s cyber risk is the first step in protecting its digital assets in this new age of advanced and evolving threats.
The World Economic Forum (WEF), in collaboration with Deloitte Consulting LLP, has developed a cyber-resilience framework. Its bigger aim is to help CIOs and other top executives answer such questions as:
The effort grows out of a larger project launched two years ago by the World Economic Forum, a not-for-profit foundation based in Geneva, Switzerland, that focuses on both political and industry issues. Called the Cyber Resilience Initiative, the project started in 2013 with the goal of raising cyber-risk awareness and encouraging the implementation of rigorous digital defenses.
To develop its new framework, the forum worked with more than 100 organizations, ranging from Adobe Systems to Zurich Insurance. As a group, they created an approach known as cyber value-at-risk. Traditional cyber security approaches focus mainly on the types of attackers and the attack methods used. By comparison, WEF’s approach borrows a concept from financial services. It first rates both the probability of an attack — that is, its risk level — and the likely impact the attack would have on the organization’s assets. Based on statistical calculations, the framework then determines the optimum amount for the organization to spend on security protection.
What does a cyber value-at-risk framework look like in the real world? WEF says an assessment could result in statements such as: “Given a successful cyberattack, a company will lose not more than X amount of money over a period of time – with 95 percent accuracy.”
To perform this kind of risk assessment, WEF says security professionals should examine three main components of their threat profile:
The first is the organization’s vulnerability profile. Existing vulnerabilities include unpatched systems; the maturity level of its defending systems is reflected in the number of recent updates; and the number of successful breaches in the past gives hints about the future.
The second is the assets at risk. Tangible assets include funds and production equipment; intangible assets include an organization’s reputation, business continuity and intellectual property.
The third is the attacker profile: the type of attackers, for example state-sponsored or freelance; their motivations and tactics, such as theft, mischief and spying; and the types of attacks, which can include denial of service, malware and credit-card theft.
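One way to turn these three components into the kind of statement WEF describes, written here as an added illustration rather than the forum’s or Masergy’s own model: the attacker profile sets the expected attack rate, vulnerabilities and defence maturity set the chance an attempt succeeds, and asset values set the impact distribution; a Monte Carlo run over many simulated years then yields the 95 percent cyber value-at-risk, and re-running it with a better success probability shows what an incremental control investment buys. Every rate, probability and dollar figure below is a constructed assumption.

```python
import math
import random


def poisson(rng, lam):
    """Draw a Poisson-distributed count (Knuth's method) using only the stdlib RNG."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(attempts_per_year, breach_prob, loss_median, loss_sigma,
                           trials=20_000, seed=7):
    """Simulate one year of attacks `trials` times and return the sorted annual losses.

    attempts_per_year: expected attacks per year (attacker profile, Poisson rate)
    breach_prob:       chance an attempt succeeds (vulnerabilities / defence maturity)
    loss_median, loss_sigma: log-normal impact per breach (tangible + intangible assets)
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, attempts_per_year)):
            # Draw success and impact for every attempt so the same random stream is
            # consumed for any breach_prob; lowering breach_prob then only removes
            # terms from the sum, which makes before/after runs directly comparable.
            hit = rng.random() < breach_prob
            impact = rng.lognormvariate(math.log(loss_median), loss_sigma)
            if hit:
                total += impact
        losses.append(total)
    losses.sort()
    return losses


def value_at_risk(losses, confidence=0.95):
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    return losses[max(0, math.ceil(confidence * len(losses)) - 1)]


def expected_loss(losses):
    return sum(losses) / len(losses)


if __name__ == "__main__":
    # Constructed sample profile (assumed values, not figures from any real organisation).
    before = simulate_annual_losses(4.0, 0.15, loss_median=250_000, loss_sigma=1.0)
    # Same attackers and assets, but faster patching halves the per-attempt success rate.
    after = simulate_annual_losses(4.0, 0.075, loss_median=250_000, loss_sigma=1.0)
    for label, losses in (("current controls", before), ("after patching investment", after)):
        print(f"{label}: expected annual loss ${expected_loss(losses):,.0f}, "
              f"95% cyber VaR ${value_at_risk(losses):,.0f}")
```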
CIOs and security professionals can also check out Masergy’s Cyber Security Risk Calculator, which helps organizations quantify a potential cyber loss based on current security capabilities and investments. This can help organizations align their spending with their IT-security strategy; correlate security investments to business risk and operational requirements; standardize security investment measurements; and demonstrate both the quantitative and qualitative aspects of their security investments.
Security pros can also use Masergy’s calculator to measure the impact of incremental security investments and calculate the return on such investments. The calculator can also be used for scenario planning to demonstrate how different variables would impact the company’s overall security posture.
“Ignorance may be bliss. But in the dangerous world of cyber crime, it’s knowledge that forms the first line of defense.”