Quantifying cyber risks

There is a growing need for cybersecurity risk assessment to have a robust and reliable methodology to quantify and calculate exposure to losses

Traditional approaches to quantitative assessment of an organization's risk posture involve performing risk analysis using numerical values assigned to each risk. But the numerical values don’t provide a deeper context of the risks, and the process is followed as a matter of convention. A risk score computed using conventional methods cannot determine the actual risk cost. Importantly, these approaches also lack the ability to quantify the likelihood of a catastrophic event that would require the company to either invest in strengthening cyber defense or buy insurance coverage.  

Value at risk 

Finance and insurance firms have historically used value at risk (VaR) to quantify potential losses for investments over a certain timeframe

VaR is represented as a distribution of loss values and their probabilities, which is much more informative and useful than just providing the average loss. VaR is used to calculate the worst expected loss over a given time at a given confidence level under normal operating conditions.  

To compute cyber VaR, we need to consider all factors that expose the organization to the risk of cyberattacks in a quantifiable way. These include technical factors, such as the vulnerability status of assets, behavioral factors, including employee awareness, and monetary factors that allow quantification of losses based on the types of assets compromised. Holistic cyber VaR analysis should consider both internal causes of attacks, such as insider threats and accidents due to negligence or ignorance, and external ones, such as corporate espionage, criminal hacking, and hacktivism. With all the uncertainties coming into play, computing VaR is a challenging task. This is where the Monte Carlo method helps in covering a wider range of threat scenarios.

Monte Carlo method

A technique to measure outcomes of complex and uncertain cyber security problems

The lack of reliable cyber risk data—whether it is attack frequencies or losses by different asset types and user types—is a major challenge to evaluating cyber VaR. That is why the Monte Carlo method naturally lends itself to evaluating VaR. 

Monte Carlo simulation constructs outcomes of various scenarios by using values from a probability distribution for any factor with inherent uncertainty. In cyber security, these factors are the number of incidents or attacks and the losses associated with them. A Monte Carlo simulation repeats this construct thousands or even millions of times, depending on the complexity of the problem. Each time it selects a different set of random values from the probability distribution. A realistic Monte Carlo simulation includes multiple types of attacks with different probability distributions of the number of attacks and losses. Data exfiltration, ransomware attacks, insider threats, etc., can be characterized by probability distributions based on historical data. Monte Carlo simulations assimilate all probability distributions into one simulation, stringing them together into one chain of events and responses and thus yielding results that reflect all the input components. The output of a Monte Carlo simulation is a distribution of possible outcome values.

Cyber security ROI 

Applications and ROI of cyber risk quantification (CRQ)

The value of cyber risk quantification (CRQ) lies in the ability to articulate financial loss in concrete terms. It ensures that decisions on cyber spending are supported by financial loss scenarios and methodologies that are solid and confident. 

Educate leadership – Enable communication of cyber risk in financial terms to executive management and board members. 

Justify security budgets – It is hard to justify monetary investments based on ordinal risk scoring and heat maps used in traditional qualitative risk management methods. The sound mathematical approach of Cyber VaR provides a tool to assess and quantify critical risks, which can then form the basis for prioritizing security spending. This scientific approach ensures that security budget-related decisions can be justified to various stakeholders with validation that the flow of funds is aligned towards mitigating the highest risks. 

Improve decision-making and ROI – Use quantitative assessment to evaluate various security solutions and determine potential overheads and savings.

Limit losses to the decided threshold – Estimate potential losses from cyber threats by running scenarios, and then decide on an acceptable loss threshold, the resources to be allocated, and preventative measures to be implemented.

Improve cyber posture – Monte Carlo simulations can enable enterprises to develop robust defensive strategies through risk assessments based on a multitude of possible scenarios and effective prioritization of investments to security initiatives which strengthen the overall cyber security posture. 

Benefits 

Monte Carlo simulations can help accurately predict potential financial losses that may result from various risks

They also help understand the worst expected loss at a given confidence level and assure that the losses would not exceed a predefined threshold. 

Monte Carlo simulations can further improve an organization's risk posture and optimize ROI on cyber security. Multiple controls can be implemented to mitigate and deter cyberattacks. Implementing these controls must be based on how they can be combined to mitigate potential attacks. A Monte Carlo simulation allows for the effectiveness of each control to be drawn from a distribution that is arrived at with each run of the simulation. An in-depth understanding of the risks of the enterprise, combined with an analysis of variable effectiveness and outcomes of adopting complementary risk controls, can allow for informed decision-making to mitigate cyber risks. As with VaR, one can evaluate the reduction of the worst-case loss as a function of invested funds. 

Both VAR and Monte Carlo simulations can be used as:

• A reliable data-driven cyber risk quantification model 

• A forecasting model to predict catastrophic events

• A cyber security ROI quantification model