Quantifying Your Cyber Risk (Part 1 of 3)

08 December 2016

View Michael Wood’s profile on LinkedIn 

Do you have confidence your residual risk is aligned to your risk appetite and your investment in cyber security is appropriately reducing your loss exposure?

Cyber risk is one of the greatest risks facing the financial services industry, as highlighted recently in the Stocktake of IT risk supervision practices by the European Central Bank (16th November 2016). The number of threats are rapidly increasing and evolving over time.

This is in addition to existing vulnerabilities that have not been appropriately addressed. Across the industry we are now challenged with creating a common business risk language that incorporates cyber risk.


When trying to define a cyber risk appetite, the typical answer from executives is that there is zero tolerance for data breaches. Whilst this is said in good faith, trying to implement this in practice is nigh on impossible. Businesses do not have unlimited budgets for resources and security mechanisms required to address this risk; investments need to be prioritised.


Operational risk management frameworks designed to manage these challenges, however, have not matured at the same rate as the risks have evolved, leaving most firms managing the risk with outdated approaches. Cyber risk does not wait for monthly reporting before it’s at an unacceptable level.

To hinder the process further, cyber risk is commonly misunderstood and poorly articulated, as detailed cross line of business impact analysis that considers cyber risk holistically is rarely performed.

Over this three-part blog series we will cover the following three core areas of effective cyber risk management:  

  1. Understanding your threat landscape, risk environment and critical economic functions

  2. Statistically modelling your cyber risk and stress testing your risk assumptions

  3. Monitoring and managing your cyber risk whilst continuously improving your risk management practices to ensure alignment with your risk appetite

To provide context to the discussion, cyber risk can be defined as the risk of theft, damage and disruption to your information systems, networks and data. Cyber risk takes into consideration people, technology and processes that support those information systems, networks and data.

Understanding your threat landscape, risk environment and critical economic functions

Cyber risk is often seen as an IT problem with a lack of accountability from the business. First-line security operations are often left to address the risk without a clear strategy and funding, and they lack appropriate challenge from the second-line (compliance and risk management), who may suffer from talent shortage or lack necessary technical skills.

This results in a technology-focused approach whereas more mature organisations have transformed this into an information risk discussion, with the leaders talking at the business risk level incorporating technology, people and process.

Technology risk reporting provides information around control failures, such as a security patch not being applied. Business risk contextualises technology risk into how a control failure would potentially impact your critical economic function (i.e. the financial impact) so the business can further appreciate residual risk fluctuations where risk appetite tolerances may be infringed.

Without an effective cyber-aware operational risk model, it is extremely hard to quantify the appropriate level of investment in information security against the threat and risk environment or a mechanism to measure potential benefits. Below are some practical approaches of how to understand your cyber risk and how to start embedding this information into your operational risk management framework:

  • Establish pragmatic guiding principles that will lead your approach to managing cyber risk and your security practices. Principles agreed at board level provide a transparent, consumable vision through top-down objectives. For example “we are a company that offers the best customer experience through ensuring that all our new products and services are brought to market with security considered from strategy to execution”. By following a narrative style, the board and executives are given an opportunity to define how the business would like to be perceived externally in relation to managing cyber risk.

  • Engage threat intelligence services to understand your threat landscape. Understand threat actor (internal and external) sophistication and motivations for targeting your business alongside susceptible adverse threat events (historical or hypothetical). This is the first stage required when building a threat library, to profile and model the threat intelligence against your crown jewels.

  • Identify the vulnerabilities associated with your critical economic functions and crown jewels. Crown jewels can be people, processes, data and technology that are crucial to conduct business effectively or must be significantly protected. Mapping your critical functions will assist with crown jewel identification and indicate potential attack surfaces.  

  • Conducting an independent maturity assessment. Understand the current maturity and effectiveness of your control environment. Independent assurance reduces the risk of middle management fog, whereby the reported capability effectiveness may not consider cyber risk holistically across your business processes, and individual agendas are removed.

  • Enhance existing risk taxonomy by mapping cyber risk to business risks. Bridge the gap between the business and IT and create a common business risk language.  This includes enhancing existing operational risk management frameworks and risk registers to be more cyber-aware with cyber risk assigned as a contributing factor to key business risks and not as an isolated risk that is managed independently. Go the next step by mapping the initial threat intelligence to these risks. Risk information should be associated, where appropriate, to your overall Information and Communication Technology (ICT) risk. The European Banking Authority (EBA) has recently released a consultation paper, Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP), to promote common procedures and methodologies for the ICT assessment. The connection to business risk is ever more integral to ensure residual risk is managed to an acceptable level.

The above are the first steps an organisation must take to transform internal operational risk management frameworks to become more “cyber-aware”.  The above is no simple task. Collaboration and communication at all business levels is imperative to ensure cyber risk is adequately owned and managed. The traditional technically strong candidates may not have the soft skills required to execute the above risk management strategy. Review whether the correct staff are in the right role to facilitate this transformation.

The next blog in this series will cover how to statistically model your cyber risk and stress test your risk assumptions.

View Michael Wood’s profile on LinkedIn 



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.