What is Cyber Risk Quantification (CRQ)
Quantifying cyber risk is an objective method used for making informed decisions about cybersecurity investments and strategies. The goal of cyber risk quantification is to estimate the financial impact of a potential cyber event. This can be done by calculating the financial loss expectancy, which is the product of the impact also known as the ‘Financial Asset Exposure’ and the ‘Probability’ of a loss. The data necessary to calculate these values includes the digital assets and their attributes, and security control test findings at a minimum using statistical methods to quantify the risks.
Financial Asset Exposures (Impact)
Impacts are due to:
1. Data Loss – due to a data breach and associated notification costs.
2. Ransomware Loss – due to a cybercriminal encrypting your infrastructure and rendering your firm unable to do business.
3. Distributed Denial of service (DDoS) Loss – due to a cybercriminal flooding your web application servers with traffic and shutting them down – again limiting your ability to do business.
4. Regulatory Losses – based on fines and penalties for federal, state, local and industry regulations.
5. Reputational Loss – based on stock price and market capitalization impacts.
6. Operational Loss – based on losing resources.
7. Legal Loss – based on class action, D&O and shareholder actions.
8. Third Party Loss – based on both data breach and business interruption losses associated with vendors.
Probability of loss
The probability of loss can be due to inherent, mitigating or residual risk information. For the purpose of this we will look at mitigating risk. Mitigating risk uses cybersecurity controls to reduce the probability of a cyber event. Each control is specific to a type of risk category such as access control, encryption, audit, lifecycle management, etc. Control efficacy is measured and used to equate to probability.
Some of the benefits of cyber risk quantification
Cyber risk quantification can demonstrate the return on investment as you set priorities for your cybersecurity initiatives. It can be used to understand which vulnerabilities to prioritize based on financial impacts. Cyber risk quantification can be used to pivot resources based upon reducing financial exposures in near real time. Additionally, it will help you to determine adequate cyber insurance limits, analyze M&A due diligence and orchestrate the cyber, privacy and regulatory needs of the firm.
Conclusions
Companies that don’t use cyber risk quantification will struggle to understand and align their strategic goals since the metrics that they use will not be objective. Objective metrics provides KPIs that all stakeholders can understand and utilize to reduce cyber risk. To learn more about how CRQ can benefit your business, contact us or book a demo today.