If you believe that, then the term ‘risk management’ makes no sense. By definition, a risk is about what might happen in the future, so the best you can do is estimate it. You certainly can’t ‘measure’ it before it happens.
Anyone who talks of measuring risk is probably talking about measuring losses, and then assuming that history repeats itself. The trouble with cyber risks is their short history and rapid rate of change. This makes life difficult for the actuaries who are expected to price the limited portion of cyber risk that can be insured.
So what parts of cyber security can you measure? The usual answer is a technical one – you can measure the number of unpatched vulnerabilities in your IT systems, or the time taken to block DDoS attacks. You might even try to measure your compliance with one of the IT security standards (such as ISO27000, NIST800, ENISA, COBIT, PCI-DSS or the CIS20 CSCs). These are all valid risk factors, but the cyber threat usually comes from someone whose goal is to spot the small hole in your cyber defensive wall. They’re not interested in your impressive 99 per cent compliance, they’re looking for the one per cent gap to exploit. If they can’t find it, they’ll resort to trickery and persuade one of your employees to let them in.
The threat from insiders isn’t just about disgruntled employees, it’s about all those trusting, negligent, overworked, and vulnerable employees who might fall victim to phishing scams or coercion. How many devices had to be cleaned up last month because of a successful phishing attack, and what was the click-rate in your last mock phishing trial? These are the kind of measurements that can inform a risk assessment.
You also need to understand those cyber defence holes – how many, where on your IT estate perimeter, and what layers of protection sit behind them? Employing ethical hackers helps find the holes, and if you don’t, there’s always an enterprising journalist who will do it for you — hoping to scoop a great news story.
Really serious ethical hackers work together as a ‘Red Team’ to infiltrate your IT network undetected. They’ll test your layers of cyber protection and detection, and they’re great at guessing passwords.
Managing cyber risks means plugging those holes, educating employees, and preparing damage limitation measures for the inevitable attack that will one day slip through. All of this costs money, which can only be justified by a corresponding reduction in risk. Accountants will want to see a return on the investment — a quantified risk benefit, which means measuring the risk improvement. But risk can’t be measured! How to satisfy the accountants is a story for another day… Keep an eye out for my next instalment.