Harnessing the power of quantitative risk assessment

Issue 7 2023 Information Security, Risk Management & Resilience

Steve Jump.

In an era where digital threats loom larger than ever, businesses need to pivot from merely defending against cyberattacks to building an infrastructure that can absorb and adapt to them. The new paradigm? Cyber resilience.

A strategy that marries traditional cybersecurity approaches with a forward-thinking model of risk mitigation and security by design factors in every facet of a business’s operations. Underpinning this paradigm shift is a powerful tool: quantitative risk analysis.

As a staunch advocate for risk management, I maintain that cyber risk is a fundamental and existential business risk, which cannot be adequately addressed if it is only seen as a sub-risk under IT. This viewpoint cannot be stressed enough, especially given the implications of cyber threats to businesses today.

In any discussion about cyber resilience, our first point must be cyber risk itself. We know it never makes economic sense to aim for 100% risk prevention; the level at which we aim is our risk appetite. This needs to be determined clearly by the business as the level of risk that is acceptable with respect to value during business continuity and recovery.

Business value

Our next point is business value, where we need a recognised comparative framework to compare our treated vs. untreated risk exposure – we follow convention here and use dollars to represent a real monetary value. This is where we begin to realise that some of our traditional metrics for cybersecurity are not so easily transferable into the digital, cyber threat-affected, information-driven ecosystem that business has become.

As with all risk assessment processes, to manage both expectation and investment, we need to understand the cost of doing something versus the cost of doing nothing, and to map that to business benefit. If that sounds familiar, it is, because this is essentially what a traditional business case does. The only change today is that the asset register that determines our value at risk has shifted dramatically away from tangible capital assets that depreciate over time, towards the virtual value of digital assets that depends on their presence and use. This latter value often exceeds traditional capital value by several orders of magnitude.

Navigating the complex world of quantitative risk assessment at first appears to be a daunting endeavour, and its apparent complexity can leave many feeling overwhelmed. Much of the information around quantitative cyber risk assessment has focused on this perceived complexity rather than on the accessible simplifications that enable digital asset value to be considered as a business risk.

Dimension of quantities

In any quantitative methodology, we must first determine the dimension of quantities, in this case, monetary value. This starts with a re-imagining of our business asset register to include the value of our digital assets. These are no longer intangible or virtual assets. Consider: if your asset register does not reflect the value of a database that would cost $5 million to re-capture, calculating the cost of systems to protect that data against loss from a cyberattack is almost impossible. In addition, the data itself within the database could be worth billions.

Simply evaluating your digital assets and processes in financial terms allows you to start making value comparisons of threats and risks that are otherwise hidden, often threats that you only recognise after an incident has damaged your business. Cyber risk quantification represents the next frontier in business assurance.

Platforms like ValuRisQ by RiskQ empower executive teams to interpret cyber threats in monetary terms, bridging the understanding gap from the CISO to the boardroom (SLVA Cybersecurity is the authorised reseller for RiskQ in South Africa). Over the years, the term ‘cyber risk assessment’ has essentially meant an evaluation of controls. While such assessments offered CISOs insight into cybersecurity control effectiveness, senior executives and board members were often unable to see the financial ramifications for which they were accountable.

Embedding business context

In contrast to many other solutions, ValuRisQ elevates trust by embedding crucial business context into cyber risk assessments and automating data collection. This allows businesses to prioritise risk mitigation over data acquisition. Cybersecurity incidents are a matter of ‘when’ rather than ‘if’; hence, quantifying cyber risk becomes a means to manage potential business repercussions. ValuRisQ stands out by automating the analytical process and providing decision-makers with the tools they need to see the effectiveness of security measures in the context of their own business.

The strength of these models is due to their statistical basis, and today they play a crucial role in managing the vulnerabilities that permeate our modern digital landscape. For anyone new to such quantitative modelling concepts, rest assured that their principles are not new in any sense; indeed, the fundamental mathematics available to us is based on the same estimating and statistics that insurance companies used to calculate actuarial tables in the 1800s. These models speak strongly to investment in resilience.

When considering digital and cyber risk, we need to consider why strategies that were effective a decade ago are unsuitable today. IT security, once complex and expensive, was often conveniently tucked away within an equally complex IT budget. Despite an arsenal of technical frameworks like NIST or ISO 27000, and a host of regulatory and legal requirements, businesses, even though audited as compliant, still find themselves embroiled in a never-ending race to acquire the latest cybersecurity product to protect infrastructure that contains data, without truly understanding the real value and risk to that data itself.

The value of having a quantitative risk solution in place lies in providing objective analysis and reporting, so that executives can empower their security leaders to reduce risk with a greater level of confidence. Proper financial cyber risk quantification lays the foundation for strategies against ransomware, streamlining cyber insurance, adjusting controls for tangible financial risk reduction, evaluating ROI on cybersecurity initiatives, making informed roadmap choices, and fostering collaboration among CXOs, auditors, privacy, risk, business continuity, information lifecycle, and cyber teams.

Identify and mitigate real risks

When evaluating security technology investments, it is imperative to comprehend the nature of our businesses. Traditional IT strategies, aimed simply at delivering reliable and scalable business functions, can often fall short in this regard. Notwithstanding the inherent complexity of the technology, the focus should always be on what the business is striving to achieve, as well as what accidental or adversarial (cyber) threats can prevent that achievement.

As a business, we must understand the potential risks, not only to the value-enrichment technology systems, but to the business value itself. Take a banking environment, for instance, where the data itself equates to money, and manipulation and management of that data is both a source of value enrichment and a risk if poorly managed. Any interruption in the access and processing of this information flow can trigger significant losses. Not to mention that in banking terms, theft of digital value is simply bank robbery using 21st-century methods.

Traditionally, a holistic business risk management approach will consider environmental, accidental, and adversarial threats. We map this into our cyber resilience models by defining accidental threats as anything that might go wrong with our business, processes, or systems. We treat as accidental threats such things as failing to correctly assess the impact of change management, lacking accurate decision-making data on the effect of delayed or avoided software and hardware updates, or even skills availability, because none of these are intentional objectives of the normal business processes that are intended to deliver value and profit.

We define adversarial threats as deliberate, malicious, hostile actions intended to steal, destroy, or deprive a business of value. All cyber risk is by definition hostile, destructive, or criminal in intent and, therefore not part of a normal business value creation process. This definition is a critical driver in our understanding of resilience when we begin to attribute value creation and avoidance of value destruction to the design of our business systems and processes.

Cyber risk is not a subset

To ensure comprehensive protection, our business value conversation must encompass cybersecurity as cyber risk mitigation, not simply an IT risk sub-component. When we adopt precautions and measures in proportion to the value of digital assets we protect, then we are well-equipped not only to expect, but to manage these attacks within our risk appetite.

It is crucial for businesses to recognise not only what is at risk and its value, but what level of damage is acceptable to business. This technical conversation must be translated into business language so that the necessary design, testing and recovery are communicated, not just at an operational, but at an investment level. Cyberattacks make headlines, but their impacts are not inevitabilities; they are probable events.

Once we understand business value, we can model responses to these attacks and plan appropriate action before an incident occurs. Will an attack cause concern for the security team as it is detected? Or will the impact of a cyberattack be within the modelled range?

The difference between trying to manage every possible risk and managing the impact of a predicted threat is known as resilience – the delivery of threat-appropriate cyber security measures to protect and recover what truly matters. In our pursuit of security, it is vital to understand the gap between perfection and survivability and focus efforts there, whether it is in IT security, cybersecurity, or simply keeping the adversaries out.

Having a bad day?

Business leaders have to ask: what does a bad day look like for our business? Not just in technical terms, but in tangible financial costs. It is about managing vulnerability exposure so that when the inevitable attack happens, we can not only manage it, but will have achieved affordable, reliable, and resilient delivery.

If the cost of protecting an asset from cyberattack outstrips the cost of recovering it, our business risk model is wrong. Unfortunately, many businesses today do not understand the real value of the information they are handling until it has been lost. It is crucial to not only understand the capital value of IT systems’ hardware and software investments, but also comprehend the dynamic value of the information stored on these systems, and compare that to the situations where loss may occur. It is rare that all threats will affect every system that you use.
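A worked sketch of the treated-versus-untreated comparison from the Business value section and the protection-versus-recovery test above, as an added example that is not the article's or ValuRisQ's own model: a compound-Poisson simulation with lognormal per-incident losses (the actuarial style of estimate the article refers to). All scenario figures, the risk appetite and the control costs are constructed assumptions; the $5 million re-capture cost is the article's own illustration.

```python
import math
import random
from dataclasses import dataclass

# All figures below are constructed assumptions, not the article's or ValuRisQ's numbers.
RISK_APPETITE = 2_000_000.0  # acceptable annual loss in dollars (assumed)

@dataclass
class Scenario:
    name: str
    annual_freq: float    # expected incidents per year (Poisson)
    loss_median: float    # median loss per incident in dollars (lognormal)
    loss_sigma: float     # spread of per-incident loss
    control_cost: float   # annual spend on the treatment, 0 for "do nothing"

def poisson(rng, lam):
    """Knuth's method: number of incidents in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(sc, years=20000, seed=7):
    """Annual loss outcomes: incident losses plus the control's own cost."""
    rng, mu = random.Random(seed), math.log(sc.loss_median)
    outcomes = []
    for _ in range(years):
        n = poisson(rng, sc.annual_freq)
        total = sum(rng.lognormvariate(mu, sc.loss_sigma) for _ in range(n))
        outcomes.append(total + sc.control_cost)
    return outcomes

def assess(sc, appetite=RISK_APPETITE, years=20000, seed=7):
    """Summarise exposure as a board reads it: expected loss, a bad year, appetite breach."""
    out = sorted(simulate(sc, years, seed))
    return {"name": sc.name,
            "expected_annual_loss": sum(out) / len(out),
            "p95_annual_loss": out[int(0.95 * len(out))],
            "p_exceed_appetite": sum(x > appetite for x in out) / len(out)}

def treatment_worthwhile(untreated, treated):
    """Protection that costs more than the exposure it removes means the model is wrong."""
    return treated["expected_annual_loss"] < untreated["expected_annual_loss"]

UNTREATED = Scenario("do nothing", 0.5, 5_000_000, 0.8, 0)
BACKUPS = Scenario("tested backups and restore drills", 0.1, 1_000_000, 0.8, 400_000)
GOLD_PLATE = Scenario("protect everything", 0.02, 500_000, 0.8, 8_000_000)
```

Calling `assess(UNTREATED)`, `assess(BACKUPS)` and `assess(GOLD_PLATE)` gives the three exposures in dollars; the third scenario removes almost all incident loss yet fails `treatment_worthwhile`, which is the article's "model is wrong" case.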

A mistake businesses often make is assuming that IT, with its know-how, has secured all the data that matters. Unfortunately, without direction from business about what matters most, IT often has no alternative but to attempt to protect everything. This lack of understanding of what really matters leads to unnecessary expenditure and complexity from unneeded security tools, and inevitably results in inadequate security investment for the assets that matter most.

It now becomes incumbent on businesses not only to identify and safeguard their value-enrichment systems, but to include the protection of that value in their systems design and support processes. A protective strategy prioritises high-value assets and functions and should be regularly updated to match evolving threats. It is not a ‘set it and forget it’ solution, but an ongoing responsibility that requires vigilance and commitment: a continual business awareness of what matters and of what can possibly go wrong to damage it. By delivering a live contextual view of cyber risk, ValuRisQ enables decisions to be made when they matter, before a business value-affecting incident.

Cyber risk is a business risk. It has the power to disrupt business operations, erode customer trust, and diminish financial performance. Senior leaders must integrate cyber risk into the broader risk management strategy of the organisation. This approach involves understanding the value of data, assessing the threats and vulnerabilities, investing in appropriate protective measures, and establishing robust incident response and recovery processes. Cyber resilience is not about building a bullet-proof system that cannot be hit; it is about ensuring that when a cyberattack hits a business, the damage is manageable and correctable within budget by design.

Business models must evolve to reflect the dynamic landscape of threats. This involves not only taking a defensive approach but also fostering a culture of resilience, preparing for the ‘when’, not the ‘if’, of cyber threats. With proper precautions and the risk-based approach that tools such as ValuRisQ deliver, businesses can navigate the complex landscape of cyber risk and emerge stronger and more resilient in the face of adversity.
