The value of cyber risk quantification
Strengthening your grip on the risks that threaten your organization
Cyber intrusions can lead to losses and can even cause a full-blown company crisis. Since no organization is able to completely prevent cyber attacks, they should be prepared on multiple fronts. Using cyber risk quantification, companies may obtain the insight required to balance these fronts.
Maarten van Wieren & Jelle Niemantsverdriet - 1 December 2015
Which cyber risks are relevant to your organization, and how well protected are your information assets? Should you invest more in cyber security, and if so, how much? How do you determine what those extra investments should achieve? How much money is at risk, and how much can be saved by taking certain measures?
To answer these questions and ensure your organization is robust enough to withstand cyber attacks, we propose three logical steps.
Step 1. Performing risk assessment(s)
The very first step is to perform a risk assessment that will result in answers to the following questions:
- What are the key value and risk drivers of your firm?
- How are these linked to data in the ICT systems of your own organization and your suppliers?
- Which threat actors are likely to be attracted to these data?
- How effective are your controls in limiting the impact from these threat actors?
Taking note of the most important factors allows you to make an initial quantitative estimate of the risks you’re dealing with. This relatively quick and easy exercise will already benefit you tremendously: you will be able to quantify the overall risk levels (and identify their order of magnitude) and, through that, to identify high-level strengths and weaknesses, as well as the most important options for improvement. Most important of all, you will be confronted with a key question: what level of risk do you consider acceptable?
A quantitative method for risk assessment, such as the one Deloitte has started developing together with the World Economic Forum, can help you assess these options. The Deloitte method allows for an initial estimate of the risk and identifies what additional information is needed to improve the accuracy of that estimate. In this way, increasingly accurate estimates get tied into the operational aspects, enabling, among other things, better management of cyber risk. This top-down approach allows for step-by-step improvements that can work in synchrony with your organization.
Step 2. Reinforcing the weakest links
To a great extent, crisis management happens before a crisis takes place. Once a crisis occurs, the goal of crisis management is to respond effectively, and to help you recover as quickly as possible. But in order to achieve that, you need to prepare. Please read more on what to do when you're facing a data breach crisis.
Too often, organizations fail to prepare for unexpected crises because the risk of a disaster is deemed comparatively small. But these organizations sell themselves short. The damage of a serious incident easily outweighs the costs of adequate crisis management. In fact, a crisis can cost a hundred times more than proper preparation. The trick is not to spend all your money on prevention, but to make sure you can respond to any crisis that does happen in spite of your preventative measures.
Step 3. Optimizing your operations
Protecting your organization has some similarities with protecting your home from burglars. Every home owner will make sure that doors and windows can be securely locked, but we also know that no home is safe from a determined, professional burglar. If we acknowledge that fact, the ability to quickly detect and neutralize any intrusion becomes key.
For organizations, this means that it’s not helpful to keep adding locks and bolts to your IT systems. It’s much more efficient to have a basic level of protection in place, and spend the rest of your budget on an enhanced capability to detect and respond. It’s even possible to maximize protective measures for the essential parts of your data only, essentially putting them away in a safe, while keeping the rest of your infrastructure relatively accessible.
Effective detection and response tackles the one advantage that an attacker always has: just one open door is enough to get in. This stresses the importance of identifying the weakest links, because that’s where detection and response are most needed. Additional internal defenses should still be employed for the most valuable information assets.
Your company’s data are a valuable asset, and should be used to enrich your customers’ experience. This is compatible with a high level of data protection. The CIO can work together with the Board to ensure Privacy by Design is integrated in the strategy of the organization. This topic, as well as quantification of cyber risk, will be discussed by Jelle Niemantsverdriet during the FBA event ‘Board’s-Eye View on Cyber Crisis Management’.
One key question emerges time and again: how should you balance all the distinctly complex interactions between the various components of your cyber resilience while maintaining privacy for your customers and employees? Through cyber risk quantification, all components get linked into a single perspective that identifies the best way forward.
More information on quantification of cyber risk?
Do you want to know more about quantification of cyber risk? Please also read: 'Cyber crime costs Dutch organisations 10 billion euros each year'. Or contact Vincent Lukkien at +31882886674.