According to Check Point Software’s Threat Intelligence Report on Australia & New Zealand, an organisation in the region has been attacked on average 879 times per week in the last six months. Adding to the complexity for cybersecurity practitioners is the ever-evolving threat landscape that includes a surge in ransomware attacks with over 5,000 victims reported in 2023, marking a 90 per cent increase from the previous year.
Compounding this, the Check Point 2024 Cloud Security Report exposed a critical 154 per cent increase surge in cloud security incidents, marking a significant increase from 24 per cent in 2023 to 61 per cent in 2024, highlighting the escalating complexity and frequency of cloud threats.
Given this increase in advanced threats, it is now more imperative than ever for organisations to adopt comprehensive strategies to measure, manage, and communicate their digital risk exposures effectively – but how?
According to 2021 Gartner Cyber-Risk Quantification Survey, “Faced with increasing board scrutiny and executive demand for cybersecurity services, security and risk management (SRM) leaders are turning to cyber-risk quantification (CRQ) to communicate risk, aid enterprise decision making and prioritise cybersecurity risks with greater precision.” PwC found, “Quantifying the financial risks of different cyber threats can increase the bang for the cyber buck: It enables you to direct resources to the greatest risks.”
So, What is Cyber-Risk Quantification?
According to Jack Jones, from the FAIR Institute, “Cyber risk quantification uses (obviously) quantitative values as inputs, and produces quantitative values for the probability of cyber loss events and their impacts. For example, loss event probability is expressed as a percentage (e.g., 10% probability of occurrence in the next 12 months) or a frequency (e.g., two times per year). Magnitude is expressed as a loss of monetary value (e.g., $1.5M). These values can (but don’t have to) be combined to express risk as an annualised amount (e.g., $150,000).” Jones says, “But even this simple description is often misunderstood, as many within the profession mistake numeric ordinal values (e.g., 1 – 5 scales, CVSS scores, credit-like scoring, etc.) as quantification.”
What Are the Benefits of a Risk-based Approach?
According to Mckinsey, “The risk-based approach does two critical things at once. First, it designates risk reduction as the primary goal. This enables the organisation to prioritise investment—including in implementation-related problem solving—based squarely on a cyber program’s effectiveness in reducing risk. Second, the program distills top management’s risk-reduction targets into precise, pragmatic implementation programs with clear alignment from the board to the front line. Following the risk-based approach, a company will no longer “build the control everywhere”; rather, the focus will be on building the appropriate controls for the worst vulnerabilities, to defeat the most significant threats—those that target the business’s most critical areas. The approach allows for both strategic and pragmatic activities to reduce cyberrisks.”
Put simply, Cyber Risk Quantification is a method for quantifying cyber risk in financial terms. Cyber executives are using cyber risk quantification to assist their organisations with better decision-making, prioritisation of risks and mitigation efforts, effective use of cyber investments, and improved communication with stakeholders. Quantification can also help an organisation confirm whether the security measures already in place are actually the most appropriate. A review might, for example, reveal that too many measures are in detection rather than prevention mode and so are not delivering maximum value.
The Process of Cyber Risk Quantification
Identifying Assets:
As a starting point, organisations would do well to gain real-time visibility of all their digital assets. This process involves identifying critical systems and data, as well as components that are vital to the organisation’s operations and ongoing success. Identifying assets is crucial because it enables organisations to prioritise their cybersecurity efforts on protecting the most valuable and vulnerable parts of their operation.
Identifying Threats:
Once the assets are clearly defined, the next step is to identify potential threats to those assets. Threats can come in various forms, including malware attacks, phishing campaigns, insider threats, software and hardware vulnerability exploitation, and more. This step requires an understanding of the current cyber threat landscape, including the tactics, techniques, and procedures used by cybercriminals. Identifying threats is about understanding the risks that an organisation faces and the likely vectors through which an attack could occur. For an updated list of current cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) provides detailed advisories and alerts.
Assessment of Vulnerabilities
The next step in the process is to understand how susceptible your assets are to the threats identified. One of the many approaches here could be the use of tools such as vulnerability scanners to identify weaknesses. Conducting cyber risk assessments, controls gap analysis, penetration testing and red teaming exercises are valuable approaches. The goal here is to understand all the attack surfaces and the attack vectors that could be used to exploit specific vulnerabilities. Given the dynamic nature of an organisation’s digital footprint, assessment of vulnerabilities should be an ongoing process that considers identification, classification and reporting against all digital assets.
When this has been completed, a methodology should then be selected, and the task of risk quantification initiated. Potential methodologies include the widely recognised Factor Analysis of Information Risk (FAIR) model, and the popular Annual Loss Expectancy (ALE) approach.
Impact and Likelihood Estimation
Estimating the impact and likelihood of each threat involves analysing potential financial losses and the probability of these threats materialising. This process allows organisations to prioritise risks based on their potential to affect financial stability and operational integrity. Effective estimation aids in allocating resources efficiently for risk mitigation and in making informed decisions about cybersecurity investments and insurance needs.
Figuring out how often an attack might happen involves two main things: how easy it is to exploit the weakness (think “0 for super hard” to “3 for very easy”) and how likely attackers are to target you specifically (based on your industry, data, and attacker motives). By combining these scores and considering how often such attacks are successful in general, this helps estimate how often this specific attack scenario could cost your business money over a year. This lets you focus on security controls that address the biggest financial risks.
Cyber Risk Quantification Frameworks
There are several frameworks available to assist organisations with cyber risk quantification. The FAIR Institute’s Factor Analysis of Information Risk (FAIR) framework is a popular and widely recognised framework for its ease of understanding and implementation. It focuses on business impact and facilitates risk communication. Utilising a relatively straightforward methodology that concentrates on business impact, FAIR is accessible to a broader range of cybersecurity professionals. By expressing risk in financial terms, FAIR enables communication between cybersecurity teams and business leaders, fostering a better understanding and resource allocation. FAIR is a non-proprietary framework, allowing for wider adoption and customisation.
Another framework worth considering is Value at Risk (VaR), a well-established framework with a strong presence in the financial sector. This makes it a worthy consideration for organisations already familiar with its concepts. VaR is ideal for estimating potential financial losses within a specific confidence level, providing valuable insights for worst-case scenario planning and prioritising financial metrics.
To put it simply, VaR and FAIR are two ways of understanding the risks to businesses from cyber threats, but they look at these risks differently. VaR is all about figuring out the biggest money loss a company could face from cyberattacks, aiming to predict the worst-case financial outcome with a certain level of confidence. On the other hand, FAIR gives a broader view by turning business impacts, not just money loss, into financial terms. This means FAIR takes into account not just the financial losses, but also the harm to a company’s reputation and interruptions to its operations.
For businesses that want to focus on preparing for the worst financial losses, VaR is the better choice. However, for those looking for a deeper understanding of all the possible impacts of cyber risks, both financial and beyond, FAIR is the way to go.
