Cyberthreats and cyberattacks are inevitable. Cyberrisk, which formerly was considered relevant only to cybersecurity professionals, is now recognized as having the potential to threaten an entire organization. Dependence on technology-driven, efficient and secure systems increased throughout the COVID-19 pandemic, which allowed many enterprises to operate from the homes of their employees. In this new working environment, the threat of a cyberattack can undermine the trust that stakeholders have in the organization.
Protection from cyberattacks should undoubtedly be a top priority for organizations. Many cyberattacks are predictable, but the severity of their impact on an enterprise can only be estimated. The ability to mitigate cyberrisk is based on the effectiveness of an organization’s risk management. Complex, diverse technology ecosystems and the interwoven business processes create a variety of sources of cyberrisk. These may vary in terms of frequency or implications for the organization.
Organizations have finite resources, therefore, cyberrisk must be understood, evaluated and quantified. These activities are prioritized based on the implications for the organization. According to the ISACA® white paper, Cyberrisk Quantification, “cyberrisk quantification (CRQ)—sometimes called cyberrisk economics—is a technique adopted by many enterprises to understand cyberrisk exposure and rationalize their options to manage it.”1 These techniques also aid in understanding different sources of cyberrisk and their impact. Best practices for cybersecurity governance dictate that management should be presented with information about the sources of cyberrisk facing the organization to enable a uniform level of understanding. CRQ that began as an approach to cyberrisk became integral to most enterprise risk management (ERM) programs.
Risk is traditionally quantified as the product of probability and impact. Typically, labels such as “high,” “medium” or “low” are assigned to these variables to perform quantification. However, this assignment of labels is not based on accurate measurements, but influenced by individual perception. Although labelling does allow for some quantification, it does not necessarily reflect accurate CRQ.
Organizations have finite resources, therefore, cyberrisk must be understood, evaluated and quantified.
Many industry-accepted cybersecurity standards emphasize the importance of quantifying risk accurately through a systematic risk management process. Risk identification, quantification and mitigation are essential phases of risk management. Mitigation of cyberrisk through adequate controls is an inherent aspect of implementing robust cybersecurity measures. The evaluation of controls is often equated to risk evaluation. The presence of appropriate controls is associated with low risk, while the absence of controls is associated with high risk. The significance of controls in the overall risk management process cannot be ignored.
However, there is more to CRQ than the evaluation of control quality. Antimalware, for example, is an important control for most systems. In the case of hermetically sealed or air-gap systems with no external interfaces, this control may be less significant than other connected systems. Therefore, evaluation of the effectiveness of controls without a thorough evaluation of the context may not yield adequate CRQ.
Measurement also lies at the heart of CRQ. The elements used to calculate CRQ must be measured and quantified correctly. Relying on approximation has its pitfalls. Participants in a CRQ exercise may be asked to describe the frequency of events using descriptive terms such as “likely,” “often” and “frequently.” These words are then translated to numerical values. This technique, however, suffers from inaccuracies, bias and individual cognition. A respondent, for example, may consider a label “frequently” to be 60% of the time, while others may consider it to be 85% or even higher. Further responses may be skewed by participants’ biases and cognition. It is therefore, desirable, to adopt techniques that minimize the possibility of any bias.
The increasing importance of cybersecurity has made organizations more willing to invest in cybersecurity controls and tools to protect against cyberattacks. Many of these tools continuously scan for indicators of cyberthreats. An application layer firewall, for instance, is always scanning the traffic flowing to and from applications. It, like other tools, analyzes a large quantum of data. Traditionally, these firewalls have been considered a cybersecurity measure rather than a measurement tool. The data processed by the various tools can serve as rich repositories and inputs to CRQ. Processing the data yields parameters, indicators and measures can be presented systematically through reports or dashboards. This concept is analogous to security information and event management (SIEM) tools that collect data, albeit for entirely different reasons.
It is also beneficial to include external data sources for relevancy in CRQ computations. External data including security breach reports such as global threat intelligence reports may be useful when benchmarking with the external world or when analyzing events that have not yet been experienced by the organization. Thus, a combination of internal and external data may be useful. Various service organizations provide information and security metrics based on publicly visible technology elements or services belonging to various organizations. For example, invalid Transport Layer Security (TLS) certificates are a parameter that is publicly visible without intrusive activity. Such perimeters help identify security issues related to the system. This information is helpful when identifying and quantifying cyberrisk.
A significant cyberrisk that has been of concern since 2020 is the supply chain attack. Such cyberattacks initially compromise the security of software solutions organizations offer their customers. Attackers then exploit the compromised solutions to launch cyberattacks against the customer organizations that have purchased the software. Thus, visibility of cyberrisk pertaining to one’s own organization—and across organizations in the supply chain—is important. The availability and analysis of relevant external data helps assess and measure cyberrisk and CRQ pertaining to one’s own organization and organizations in the supply chain.
When analyzing cyberrisk, whether within the supply chain or one’s own organization, one may come across many unique data elements or parameters that measure cyberrisk. While some of these represent a past event (i.e., lag indicator), others present a forward-looking scenario (i.e., lead indicator). A lag indicator measures an activity or event after it has occurred, while lead indicators attempt to predict or state the possibility of a future outcome. There is an interesting association between some lead and lag indicators as they relate to cyberrisk. For example, many organizations have effective vulnerability management programs (VMPs) that aim to identify and remediate vulnerabilities in the IT infrastructure and systems. The vulnerabilities identified represent a lag indicator, since the report is based on existing vulnerabilities. The information related to these lag indicators can be combined with additional data. The vulnerability data, when combined and corelated with data pertaining to external scanning attempts or unauthorized network connection, provide a very different kind of value. This information can be used to predict the possibility of future attacks perpetrated by exploiting vulnerabilities. The lead indicator provides quantifiable information and is of immense value for CRQ.
Conclusion
CRQ is important to organizations, since identifying and addressing sources of cyberrisk are fundamental to maintaining adequate cybersecurity. CRQ helps enterprises conduct a cybersecurity self-assessment and enables the prioritization of corrective actions. Measuring data elements using a mathematical measurement scale provides more objectivity than using a qualitative assessment that is subject to individual cognition. The various security tools implemented provide a rich source of data for the CRQ exercise. Along with internal data, external data sources can be effectively used to identify cyberrisk of one’s own and of other organizations in the supply chain.
Considering the multitude of data sources, data elements, parameters and cyberrisk measures relevant to CRQ, organizing these elements into a CRQ dashboard can provide an effective monitoring and data visualization tool. Implementing CRQ requires persistent efforts, experience, expertise and a great deal of patience. Implementing CRQ is the best way forward for any organization that intends to build a sustainable, rational and demonstrable approach to cyberrisk management.
Endnotes
1 ISACA®, Cyberrisk Quantification, USA, 2021
Sandeep Godbole, CISA, CISM, CGEIT, CEH, CISSP
Is the vice president of information security for a leading global information technology company. He has contributed to various articles on security and is a published author. He has volunteered for ISACA® at national and international levels. He is a former president of the ISACA Pune (India) Chapter.