Blog Post
September 30, 2021
Cyber Risk Quantification (CRQ) enables enterprises to assess and manage their cyber risk by putting cyber risk in clear business terms. In other words, organizations can understand how cyber risk specifically affects potential revenue, profit, and other measures of financial success.
Yet as important as cyber risk quantification is, enterprises often do not have a clear-cut data regarding the cyber risks they face. In many cases, the risks themselves are unclear, with organizations lacking the data needed to understand the frequency of the different types of attacks that exist, the severity of these attacks, and how these attacks leverage vulnerable technologies and third-party service providers which are specific to an organization’s own digital footprint.
In this guide to cyber risk quantification, we’ll look more closely at:
When looking at cyber risk quantification, it’s important to acknowledge that this term isn’t just about assigning a general value to the cyber risk for a single enterprise or an insurance carrier’s insured portfolio. Instead, cyber risk quantification is about analyzing data that enables organizations to get specific on how cyber risk affects them.
Yet before an organization gets too far into the cyber risk quantification process, it’s important to first be able to define a cyber event and understand what happens when these events occur. Otherwise, it’s impractical to assign a dollar value to cyber risk when it’s unclear how different types of events might affect a business.
In short, a cyber event is any occurrence where data is compromised based on the framework of confidentiality, availability and integrity — the so-called CIA triad. There could also be the fourth element of ransom, or potential for ransom. Thus, data doesn’t necessarily need to be stolen, as a cyber event could involve the availability of data, causing business interruption, such as when a cyber attack prevents a company from accessing its data.
To more specifically understand the types of cyber events a company may face, and to therefore facilitate cyber risk quantification, organizations need to be able to pull together data in the following three areas, which can be considered the golden triangle of cyber risk quantification:
Organizations need to understand their security posture to see how the frequency and severity of attacks may apply to that enterprise. In other words, organizations need to map their digital footprints from both the outside and inside, such as identifying which security controls they have in place and test their efficacy to understand where their vulnerabilities lie.
Organizations need data on the frequency of cyber attacks, by analyzing past and ongoing cyber events globally, updated in as close to real-time as possible. What may seem like an infrequent type of event one day can quickly turn into a more frequent threat - organizations need data that enables them to keep up with how cyber risks evolve.
Organizations also need to understand the potential financial loss due to different cyber risks. Severity can be quantified based on:
a. The intensity of an event, for example, how much data was affected or how much ransom was requested.
b. The severity of the loss, for example, the cost of data recovery, losses accrued due to business interruption, forensics, etc.
A cyber event can involve either one or both of the following:
A cyber event may affect on-premise technology, such as when a ransomware attack prevents a company from accessing files stored on a specific computer.
When companies use third-party providers, such as email service or cloud data storage, that could also create cyber risks. A cyber event affecting these service providers can cause business losses for not just the provider but their customers as well. However, these attacks tend to have a more defined timeframe, like natural catastrophes, which can make cyber risk quantification easier.
Having the ability to differentiate between types of losses is important to understanding the types of events that could impact an organization and can be done using a multi-model approach. These different types of cyber events can then cause different types of losses, which can be broken down as follows:
These losses are from events that tend to have a high frequency of occurrence but low severity in terms of financial damage.
These losses might only affect one specific company due to a targeted attack and will lead to a substantial loss. These losses tend to have a low frequency of occurrence but high severity in terms of financial damage.
These losses are from systemic events that tend to have a low frequency of occurrence but high, widespread severity in terms of financial damage.
As companies begin to understand the types of cyber events that may pose a risk to them and the losses that these events are typically associated with, they can then start their cyber risk quantification.
To specifically come up with a dollar value for cyber risk quantification, enterprises need to source and analyze the data from each side of the golden triangle of cyber risk quantification.
From there, companies need to bring all this information together to understand the types of cyber events they might face and how that may translate into monetary impact. This includes mapping the cost components of different events to understand the different types of financial impacts that may occur.
For example, a cyber event that causes business interruption can have expenses in areas such as public relations to minimize the reputational damage that can occur, as well as lost revenue from not being able
to operate the business as usual during this period of interruption.Understanding these different cost drivers is necessary to gain a full understanding of a company’s exposure, as well as to then determine a cost allocation per event by modeling the impact that a specific type of event is likely to have on an organization.
Putting a specific exposure number on cyber risk requires modeling the impact of different cyber events. A company may know the types of events they could face, the severity of past personal events, the vulnerability of specific devices inside the organization, etc., but there still needs to be away to pull everything together into a cohesive quantification, taking into consideration global attack frequency and severity of attacks.
Enterprises need a risk model that quantifies financial value by:
Enterprises need to be able to model the potential magnitude of events and the likelihood they would suffer from them. To reflect this, we produce a probabilistic model using exceedance of probability curves to summarize the outcome of a monte-carlo simulation. The two types of exceedance curves include:
Looking at the cyber event with the highest amount of damage in a given year allows for the assessment of the probability that one cyber event would have a maximum financial loss above a given amount.
Summing the damages from cyber events over the course of a given year allows for the assessment of the probability that the aggregated financial loss from cyber events in a particular year exceeds a given amount.
Understanding what goes into cyber risk quantification and how the data comes together to put cyber risk in financial terms is a big step toward managing cyber risk more effectively. Still, knowing this background is only part of the equation. Enterprises still need to decide how to leverage cyber risk quantification.
Some of the considerations include:
Ideally, cyber risk quantification should be conducted on a quarterly basis at minimum. If cyber risk quantification is only calculated once a year, there is a possibility that new technologies and service providers will be unaccounted for in the calculation. Therefore, it’s important to have systemized processes, including having a reliable way to collect and analyze the data for the golden triangle of cyber risk quantification.
Organizations essentially have three options to turn to in terms of who will do the calculating for cyber risk quantification:
Consultants, accountants and other professional services firms may be able to provide a general calculation for cyber risk quantification but may lack sufficient cyber expertise, particularly as it pertains to data collection and modeling, so it’s important to vet these firms accordingly. The timing can also be quite lengthy compared to other options.
Companies may be able to rely on their own data and the subjective experiences of the company and
individuals within given teams to quantify cyber risk. Yet this can be an imprecise method
Similar to professional services firms, but with a focus on cyber risk, third-party experts could be used to quantify cyber risk. Third-party experts, including Kovrr, have their own solutions, data sources and models, along with their internal knowledge of cyber risk quantification, to produce timely and accurate results.
To leverage cyber risk quantification, organizations need to understand the benefits of these calculations. From there, they can then choose how to apply these insights to improve their businesses overall. Some of the benefits of cyber risk quantification include:
While leveraging cyber risk quantification may seem a bit complicated for those unfamiliar with this area, it’s very important for organizations to understand their risk and potential financial losses that can occur from cyber events.
Many organizations don’t have any idea of how much risk they actually face and what that means in terms of monetary amounts that could be at stake. By using cyber risk quantification processes and tools that pull together data, both enterprises and insurance carriers can gain clear insights into their exposure and be more prepared for the financial impact of cyber events.
Ready to stop guessing and start getting real, actionable business insights when it comes to cyber risk? Get in touch with Kovrr to learn how to simplify and benefit from cyber risk quantification.
Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.
