Harnessing the power of quantitative risk assessment

Issue 7 2023 Information Security, Security Services & Risk Management

Steve Jump.

In an era where digital threats loom larger than ever, businesses need to pivot from merely defending against cyberattacks to building an infrastructure that can absorb and adapt to them. The new paradigm? Cyber resilience.

It is a strategy that marries traditional cybersecurity approaches with a forward-thinking model of risk mitigation and security by design, and it takes in every facet of a business’s operations. Supporting this shift is a powerful tool: quantitative risk analysis.

As a staunch advocate for risk management, I hold that cyber risk is a fundamental and existential business risk, one that cannot be adequately addressed if it is seen only as a sub-risk under IT. This viewpoint cannot be stressed enough, given the implications of cyber threats to businesses today.

In any discussion about cyber resilience, our first point must be cyber risk itself. It never makes economic sense to aim for 100% risk prevention; the level of residual risk we do accept is our risk appetite. The business must set it explicitly, as the loss it is prepared to tolerate, measured against value, while continuing to operate and while recovering.

Business value

Our next point is business value. To compare our treated and untreated risk exposure we need a recognised common measure, and we follow convention here and use dollars, a real monetary value. This is where we begin to realise that some of our traditional cybersecurity metrics do not transfer easily into the digital, cyber-threat-affected, information-driven ecosystem that business has become.

As with all risk assessment processes, to manage both expectation and investment, we need to understand the cost of doing something versus the cost of doing nothing, and to map that to business benefit. If that sounds familiar, it is, because this is essentially what a traditional business case does. The only change today is that the asset register that determines our value at risk has shifted dramatically away from tangible capital assets that depreciate over time, towards the virtual value of digital assets, which depends on their availability and use. This latter value often exceeds traditional capital value by several orders of magnitude.

Navigating the world of quantitative risk assessment at first appears daunting, and its apparent complexity can leave newcomers feeling overwhelmed. Much of the information published about quantitative cyber risk assessment has dwelt on this perceived complexity rather than on the accessible simplifications that allow digital asset value to be treated as a business risk.

Dimension of quantities

In any quantitative methodology, we must first fix the dimension in which quantities are measured; here, it is monetary value. This starts with a re-imagining of our business asset register to include the value of our digital assets, which can no longer be written off as intangible or virtual. Consider: if your asset register does not reflect the value of a database that would cost $5 million to re-capture, justifying the cost of the systems that protect that data against loss from a cyberattack is almost impossible. And the re-capture cost is only a floor: the value of the data itself to the business could run to billions.

Simply evaluating your digital assets and processes in financial terms lets you start making value comparisons of threats and risks that are otherwise hidden, threats that would otherwise be recognised only after an incident has damaged your business. Cyber risk quantification represents the next frontier in business assurance.
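To make the treated-versus-untreated comparison above concrete, here is an added worked example; it is not code from the article or from any product the article mentions. It models the $5 million-to-recapture database as a compound Poisson loss process (how many loss events a year) with lognormal per-event losses (how much each one costs), the form used in FAIR-style analyses and in actuarial loss modelling, and compares the expected annual loss with and without controls in dollars. Every input is a constructed assumption: the scenario names, the event rates, the 90% loss ranges, the $400 000 and $1.2 million annual control costs, the $2 million risk appetite and the 5% tolerated exceedance probability all stand in for the figures a business would supply for itself.

```python
"""Quantitative cyber risk in dollars: untreated versus treated exposure.

Constructed example (assumptions, not figures from the article): a database
that would cost up to $5M to recapture, modelled as a compound Poisson loss
process with lognormal per-event losses. Standard library only.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


@dataclass(frozen=True)
class Scenario:
    """One risk scenario stated in business terms; all money in dollars."""
    name: str
    events_per_year: float     # expected loss events per year (Poisson rate)
    loss_low: float            # 5th percentile of the loss from one event
    loss_high: float           # 95th percentile of the loss from one event
    control_cost: float = 0.0  # annual cost of the controls this scenario assumes


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Convert a 90% confidence interval [low, high] into lognormal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z95)
    return mu, sigma


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualised loss expectancy: event rate times mean per-event loss."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates cyber scenarios use."""
    threshold = math.exp(-rate)
    count, p = 0, rng.random()
    while p > threshold:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: the total loss suffered in each simulated year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return [
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, s.events_per_year)))
        for _ in range(years)
    ]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Fraction of simulated years in which the loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def compare(untreated: Scenario, treated: Scenario, risk_appetite: float,
            appetite_probability: float = 0.05,
            years: int = 20_000, seed: int = 7) -> dict:
    """Cost of doing something versus doing nothing, in the same dollar terms.

    risk_appetite is the largest annual loss the business accepts;
    appetite_probability is how often (per year) it tolerates exceeding it.
    """
    untreated_losses = simulate_annual_losses(untreated, years, seed)
    treated_losses = simulate_annual_losses(treated, years, seed)
    ale_untreated = statistics.fmean(untreated_losses)
    ale_treated = statistics.fmean(treated_losses)
    p_exceed_treated = exceedance_probability(treated_losses, risk_appetite)
    return {
        "untreated_ale": ale_untreated,
        "treated_ale": ale_treated,
        "control_cost": treated.control_cost,
        # negative: the controls cost more each year than the loss they avoid
        "net_benefit": (ale_untreated - ale_treated) - treated.control_cost,
        "untreated_p_exceed_appetite": exceedance_probability(untreated_losses, risk_appetite),
        "treated_p_exceed_appetite": p_exceed_treated,
        "within_appetite": p_exceed_treated <= appetite_probability,
    }


# Constructed inputs (assumptions, not figures from the article).
UNTREATED = Scenario("no additional controls", events_per_year=0.3,
                     loss_low=500_000, loss_high=5_000_000)
TREATED = Scenario("tested backups plus restricted access", events_per_year=0.1,
                   loss_low=100_000, loss_high=1_000_000, control_cost=400_000.0)
OVERTREATED = Scenario("gold-plated controls", events_per_year=0.05,
                       loss_low=50_000, loss_high=500_000, control_cost=1_200_000.0)
RISK_APPETITE = 2_000_000  # the most the business accepts losing in a single year

if __name__ == "__main__":
    for label, scenario in (("treated", TREATED), ("over-treated", OVERTREATED)):
        print(f"{label} versus untreated:")
        for key, value in compare(UNTREATED, scenario, RISK_APPETITE).items():
            print(f"  {key}: {value:,.2f}" if isinstance(value, float) else f"  {key}: {value}")
```

Two outputs carry the business conversation: net_benefit, the expected loss the controls avoid each year minus what they cost (a negative value means the protection costs more than the loss it prevents, so either the controls or the model is wrong), and treated_p_exceed_appetite, the chance in any year of losing more than the business said it could tolerate. The over-treated scenario is deliberately included to show that reducing loss further is not automatically a good investment once it is priced in the same dollars as the risk.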

Platforms like ValuRisQ by RiskQ allow executive teams to interpret cyber threats in monetary terms, bridging the understanding gap between the CISO and the boardroom (SLVA Cybersecurity is the authorised reseller for RiskQ in South Africa). Over the years, what has been called a ‘cyber risk assessment’ has essentially been an evaluation of controls. Such assessments give CISOs insight into control effectiveness, but senior executives and board members were often unable to see the financial ramifications for which they were accountable.

Embedding business context

In contrast to many other solutions, ValuRisQ elevates trust by embedding crucial business context into cyber risk assessments and automating data collection. This allows businesses to prioritise risk mitigation over data acquisition. Cybersecurity incidents are a matter of ‘when’ rather than ‘if’; hence, quantifying cyber risk becomes a means to manage potential business repercussions. ValuRisQ stands out by automating the analytical process and providing decision-makers with the tools they need to see the effectiveness of security measures in the context of their own business.

The strength of these models lies in their statistical basis, and today they play a crucial role in managing the vulnerabilities that permeate our digital landscape. For anyone new to quantitative modelling, rest assured that its principles are not new in any sense: the underlying mathematics is the same estimation and statistics that insurance companies used to build actuarial tables in the 1800s. These models speak directly to investment in resilience.

When considering digital and cyber risk, we need to ask why strategies that were effective a decade ago are unsuitable today. IT security, once complex and expensive, was often conveniently tucked away within an equally complex IT budget. Despite an arsenal of technical frameworks such as NIST or ISO 27000, and a host of regulatory and legal requirements, businesses that have been audited as compliant still find themselves in a never-ending race to acquire the latest cybersecurity product to protect infrastructure that contains data, without truly understanding the real value of, and risk to, that data itself.

The value of having a quantitative risk solution in place lies in providing objective analysis and reporting, so that executives can empower their security leaders to reduce risk with a greater level of confidence. Proper financial cyber risk quantification lays the foundation for strategies against ransomware, streamlining cyber insurance, adjusting controls for tangible financial risk reduction, evaluating ROI on cybersecurity initiatives, making informed roadmap choices, and fostering collaboration among CXOs, auditors, privacy, risk, business continuity, information lifecycle, and cyber teams.

Identify and mitigate real risks

When evaluating security technology investments, it is imperative to comprehend the nature of our businesses. Traditional IT strategies, aimed simply at delivering reliable and scalable business functions, can often fall short in this regard. Notwithstanding the inherent complexity of the technology, the focus should always be on what the business is striving to achieve, as well as what accidental or adversarial (cyber) threats can prevent that achievement.

As a business, we must understand the potential risks, not only to the value-enrichment technology systems, but to the business value itself. Take a banking environment, for instance, where the data itself equates to money, and manipulation and management of that data is both a source of value enrichment and a risk if poorly managed. Any interruption in the access and processing of this information flow can trigger significant losses. Not to mention that in banking terms, theft of digital value is simply bank robbery using 21st-century methods.

Traditionally, a holistic business risk management approach considers environmental, accidental, and adversarial threats. We map this into our cyber resilience models by defining accidental threats as anything that might go wrong with our business, processes, or systems. Failing to assess the impact of a change correctly, lacking accurate data on the effect of delayed or skipped software and hardware updates, or running short of skills are all accidental threats in this sense: none of them is an intended outcome of the business processes that are meant to deliver value and profit.

We define adversarial threats as deliberate, malicious, hostile actions intended to steal, destroy, or deprive a business of value. Adversarial cyber risk is, by this definition, hostile, destructive or criminal in intent and therefore no part of a normal business value-creation process. This definition is a critical driver in our understanding of resilience once we begin to attribute value creation, and the avoidance of value destruction, to the design of our business systems and processes.

Cyber risk is not a subset

To ensure comprehensive protection, our business value conversation must encompass cybersecurity as cyber risk mitigation, not simply an IT risk sub-component. When we adopt precautions and measures in proportion to the value of digital assets we protect, then we are well-equipped not only to expect, but to manage these attacks within our risk appetite.

It is crucial for businesses to recognise not only what is at risk and its value, but what level of damage is acceptable to business. This technical conversation must be translated into business language so that the necessary design, testing and recovery are communicated, not just at an operational, but at an investment level. Cyberattacks make headlines, but their impacts are not inevitabilities; they are probable events.

Understanding business value, we can model responses to these attacks and plan appropriate action before an incident occurs. Will an attack cause concern for the security team as it is detected? Or will the impact of a cyberattack be within the modelled range?

Managing the impact of a predicted threat, rather than trying to manage every possible risk, is what we mean by resilience: the delivery of threat-appropriate cybersecurity measures to protect and recover what truly matters. In our pursuit of security, it is vital to understand the gap between perfection and survivability and to focus our efforts there, whether in IT security, cybersecurity, or simply keeping the adversaries out.

Having a bad day?

Business leaders have to ask: what does a bad day look like for our business? Not just in technical terms, but in tangible financial costs. It is about managing vulnerability exposure so that when the inevitable attack happens, we not only cope with it but do so while keeping delivery affordable, reliable, and resilient.

If the cost of protecting an asset from cyberattack outstrips the cost of recovering it, our business risk model is wrong. Unfortunately, many businesses today do not understand the real value of the information they handle until it has been lost. It is crucial to understand not only the capital value of IT hardware and software investments, but also the dynamic value of the information stored on those systems, and to compare that value against the situations in which loss may actually occur. Rarely does every threat affect every system you use.

A mistake businesses often make is assuming that IT, with its know-how, has secured all the data that matters. Unfortunately, without direction from business about what matters most, IT often has no alternative but to attempt to protect everything. This lack of understanding of what really matters leads to unnecessary expenditure and complexity from unneeded security tools, and inevitably results in inadequate security investment for the assets that matter most.

It now becomes incumbent on businesses not only to identify and safeguard their value-enrichment systems, but to build the protection of that value into their systems design and support processes. A protective strategy prioritises high-value assets and functions and should be updated regularly to match evolving threats. It is not a ‘set it and forget it’ solution but an ongoing responsibility that requires vigilance and commitment: a continual business awareness of what matters and of what could go wrong to damage it. By delivering a live contextual view of cyber risk, ValuRisQ enables decisions to be made when they matter, before an incident affects business value.

Cyber risk is a business risk. It has the power to disrupt business operations, erode customer trust, and diminish financial performance. Senior leaders must integrate cyber risk into the broader risk management strategy of the organisation. This approach involves understanding the value of data, assessing the threats and vulnerabilities, investing in appropriate protective measures, and establishing robust incident response and recovery processes. Cyber resilience is not about building a bullet-proof system that cannot be hit; it is about ensuring that when a cyberattack hits a business, the damage is manageable and correctable within budget by design.

Business models must evolve to reflect the dynamic landscape of threats. This means not only taking a defensive approach but also fostering a culture of resilience, preparing for the ‘when’, not the ‘if’, of cyber threats. With proper precautions and the risk-based approach that tools such as ValuRisQ deliver, businesses can navigate the complex landscape of cyber risk and emerge stronger and more resilient in the face of adversity.

