Quantifying Your Cyber Risk (Part 2 of 3)

09 May 2017

What does it take to create a cyber risk currency that will allow you to measure, manage and transfer your cyber risk?

In our first blog of this series, we set out the practices companies are using to disentangle cyber security from being a technology problem, to a business problem. We argued that companies that treat cyber risk as a constituent part of their operational risk are better able to link a risk event to the impact it has on business and the downstream financial effects.

In this second blog we take the reasoning to the next step and tackle the crucial issue of quantification – how do you put a value on the company’s cyber risk exposure?

Cyber risk is a new and evolving risk, hence modelling the potential cost of a breach or the size of a ransom payment suffers from lack of historical data on past losses. The estimation of both the severity of a potential event, as well as the probability of it happening need some innovative and, we argue, highly collaborative thinking.

At PwC, we’ve brought together our actuarial and cyber security expertise from multiple industries to harness their insights into loss events and statistical modelling alongside working with our clients. Only by drawing from how similar challenges have been overcome or resulted can we begin to make sense of this quantification problem.

The insurance industry has invested heavily in science and practical methodologies of making business decisions from the outputs of predictive risk models. We believe that companies can borrow from these techniques to create a “cyber risk currency” – a value of the potential cyber security or data breach losses of a company.

Boards need to establish and maintain a cyber security strategy and framework tailored to specific cyber risks and the scenarios they wish to defend against. The Cyber Risk Quantification approach will allow you to prioritise your investments in security measures aimed at mitigating the cyber risk presented by the people, process, technology, and underlying data that support each identified function, activity, product, and services mentioned in the first blog.

We suggest the following practical steps:

  • Set objectives and plan. Decide where your risk appetite statements most benefit from a defined value at risk and potential loss metrics. Set out the outcomes you want from the process and what level of accuracy matters to you (e.g. do you want to measure the cost benefit of reduced potential loss when making cyber security investment decisions? Or the amount of insurance you should purchase?). Engage stakeholders at different levels of the business and be prepared for some difficult conversations. Not all involved will go along easily with the scenario role-play that sees their company suffering a significant financial loss, nor will one person or function have all the answers.

  • Collaboratively build scenarios. Historical events provide real world incident context and variables you may wish to consider for your scenario approach. The digital revolution and adoption of new technology brings new risk. Consider hypothetical events, what may be safe today may not be tomorrow. Connect with information sharing and analysis organisations to deepen your risk appreciation and identify plausible conditions. Define scenarios that would likely cause significant impact to operations and create a relatable scenario narrative that articulates the business risk, consumable at the executive level. By linking scenario narratives to your business products, services and/or critical economic functions would create engagement across the organisation as you are now talking business risk.

  • Create your initial risk model. Given the sparsity of loss data, you will need to rely on the experience of your colleagues in the business functions to validate the potential loss parameters. Consider technology, processes and key people supporting your supply chain or customer journey. Begin to articulate your scenario risk logic presenting the associated business processes, risk and controls to provide a platform for challenge and refinement. Impactful and near-miss historical events that have occurred in your business should be included as referential data points to provide internal perspective.

  • Prioritise your stress-test scenarios. Scenarios are a powerful tool as the narrative is tangible and they can be related to experience. Resist the pressure to assign a numerical probability to the scenarios by developing an approach that prioritises the scenarios by how likely they are to occur relative to each other. Enhance your model by incorporating intelligence on threat actors, threat events, vulnerabilities, geopolitical influences, seasonal attributes and fiscal impacts. Reassess your enriched risk data. Assumptions around impacts and cost implications should be stress-tested to understand where the most material and volatile uncertainties lie. Desktop exercises are useful when exploring outcomes whereas threat intelligence led security testing would provide factual evidence to support effective decision making.

In the next blog we will cover how scenarios and other quantification approaches can be used for business decisions. The output material of the activities above will be technical and, to be used effectively in future stages, you will need to present the results with clarity, setting out the uncertainties, the assumptions and over what time horizon will the results remain valid, given the ever-changing threat landscape.

Domenico del Re

Domenico del Re | Director, Financial Loss Modelling
Profile | Email | 07718339993

Twitter
LinkedIn
Facebook
Google+

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated and will not appear until the author has approved them.