03 November 2017
Blogs by author: Malcolm Stokes, Head of Operational Risk, BT Security
In my two previous blogs, I explored the nature of managing and measuring cyber risk and the ways a company can justify spending on cyber-risk improvement. Through this exploration, I made it clear that organisations need to quantify their cyber risks if they want any hope of making a business case. So, in this blog, let’s take a look at how to make this quantification a reality.
A simplistic approach
All too often, cyber risks are quantified using a single monetary value and percentage likelihood of occurrence. For example, a company might say that a cyber attack would cost them £40M and that there’s a 12% chance of it happening.
This simplistic approach allows several different risks to be plotted on an ‘Impact vs. Likelihood’ grid to help prioritise mitigation. But it does little to convince an investment board to approve expenditure on cyber defences. It also fails to impress insurance actuaries; they need to know what the percentage likelihood value really means. In the example given above, the 12% figure is likely to be a rolling annual probability, although it might refer to a longer timeframe if the exposure is time-bound, i.e. a project or campaign risk with a known endpoint.
What does it actually mean?
Having established the timeframe, we need to examine its relationship to the impact value. It’s clear that the 12% cannot mean the likelihood of losing exactly £40M — that would be an amazing coincidence. So which of the following might be a more precise meaning?
1. A 12% probability of losing any amount of money due to one or more cyber incidents — i.e. there is no mathematical relationship between the £40M and the 12%.
2. A 12% probability of losing up to £40M — i.e. there’s a 12% chance of losing between £0 and £40M in the next twelve months.
3. A 12% probability of losing about £40M. Perhaps plus or minus £5M, or between £30M and £50M. The range needs to be specified.
4. A 12% probability of losing more than £40M — i.e. there’s a 12% chance of aggregate losses due to cyber incidents exceeding £40M in the next twelve months. This is what actuaries call the probability of exceedance or ‘EP’ value.
Option four is rarely used outside the world of insurers, and yet it is easier to estimate, it produces more consistent and realistic results, and it can be used mathematically to produce an overall cost of risk. If EP values are estimated for several different impact boundaries, an EP curve can be constructed, with loss on the horizontal axis and probability of exceedance on the vertical. The area under that curve is the expected annual loss, which actuaries call the ‘pure premium’ or total cost of risk: adding up, across every loss level, the probability that annual losses exceed that level gives the average loss per year. Keep in mind that a business case that aims to reduce this annual cost of cyber risk is far more likely to convince your CFO.
Making a business case
The reduction in the area under the EP curve, comparing the curve before improvement with the curve after it, is the annual risk benefit achieved. For a valid comparison with capital expenditure, the monetary values need to represent profit lost (the impact on EBITDA, in accounting terms), not revenue lost. These values should also take into account the cost of restoring reputation and the damage to forecast growth, any fines, penalties or compensation paid, and the financial effect of any sanctions imposed or negotiated changes in trading terms.
A business case for investing in risk improvement also needs to estimate the time taken to realise the full risk improvement benefits, because the longer it takes, the longer the organisation is operating at an unacceptable level of risk.
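To make the arithmetic behind the EP curve, the before-and-after comparison and the time-to-benefit point concrete, here is a small worked example. It is added for this page and is not code from the original post or from BT; the EP points, the £40M/12% reading as an exceedance value, the ‘after improvement’ curve, the maximum-loss point of £150M at which EP is taken as zero, and the linear ramp-in of benefits are all constructed assumptions for illustration.

```python
"""Expected annual loss ('pure premium') from an exceedance-probability curve.

All figures below are constructed for illustration; they are not real data.
"""
from typing import List, Tuple

EPPoint = Tuple[float, float]  # (loss threshold in GBP millions, P(annual loss > threshold))

# Constructed EP curve before improvement. Each point reads: "there is a p
# probability that aggregate cyber losses in the next twelve months exceed x".
# The first point (threshold 0) is the probability of any loss at all; the last
# point is an assumed maximum loss beyond which the exceedance probability is 0.
BEFORE: List[EPPoint] = [
    (0.0, 0.60),
    (1.0, 0.35),
    (5.0, 0.25),
    (10.0, 0.18),
    (40.0, 0.12),   # the post's GBP 40M / 12% figure, read as an EP value
    (100.0, 0.03),
    (150.0, 0.0),   # assumed maximum loss; EP is zero from here on
]

# Constructed EP curve after a hypothetical improvement programme (lower
# probability at every threshold, same assumed maximum loss).
AFTER: List[EPPoint] = [
    (0.0, 0.50),
    (1.0, 0.25),
    (5.0, 0.15),
    (10.0, 0.09),
    (40.0, 0.04),
    (100.0, 0.01),
    (150.0, 0.0),
]


def validate(curve: List[EPPoint]) -> None:
    """Reject curves that cannot be exceedance curves."""
    if len(curve) < 2 or curve[0][0] != 0.0:
        raise ValueError("curve must start at a loss threshold of 0")
    if curve[-1][1] != 0.0:
        raise ValueError("curve must end at a maximum loss where EP is 0 (assumption)")
    for (x0, p0), (x1, p1) in zip(curve, curve[1:]):
        if not (0.0 <= p1 <= p0 <= 1.0):
            raise ValueError("EP values must be probabilities and non-increasing")
        if x1 <= x0:
            raise ValueError("loss thresholds must be strictly increasing")


def expected_loss(curve: List[EPPoint]) -> float:
    """Area under the EP curve (trapezoidal rule) = expected annual loss."""
    validate(curve)
    return sum((x1 - x0) * (p0 + p1) / 2.0
               for (x0, p0), (x1, p1) in zip(curve, curve[1:]))


def exceedance_probability(curve: List[EPPoint], x: float) -> float:
    """P(annual loss > x), linearly interpolated between the estimated points."""
    validate(curve)
    if x < 0:
        raise ValueError("loss cannot be negative")
    for (x0, p0), (x1, p1) in zip(curve, curve[1:]):
        if x <= x1:
            t = (x - x0) / (x1 - x0)
            return p0 + t * (p1 - p0)
    return 0.0  # beyond the assumed maximum loss


def band_probability(curve: List[EPPoint], lo: float, hi: float) -> float:
    """P(lo < annual loss <= hi): the 'about GBP 40M' reading (option 3),
    derived from EP values as EP(lo) - EP(hi)."""
    return exceedance_probability(curve, lo) - exceedance_probability(curve, hi)


def risk_benefit(before: List[EPPoint], after: List[EPPoint]) -> float:
    """Annual risk benefit = reduction in expected annual loss."""
    return expected_loss(before) - expected_loss(after)


def cumulative_benefit(before: List[EPPoint], after: List[EPPoint],
                       horizon_years: int, ramp_years: float) -> float:
    """Benefit accumulated over the horizon when the full reduction is only
    reached after ramp_years, rising linearly from zero (an assumed model)."""
    full = risk_benefit(before, after)

    def realised(s: float) -> float:  # integral of min(1, s / ramp) from 0 to s
        if ramp_years <= 0:
            return s
        if s <= ramp_years:
            return s * s / (2.0 * ramp_years)
        return ramp_years / 2.0 + (s - ramp_years)

    return full * realised(float(horizon_years))


if __name__ == "__main__":
    print(f"expected annual loss before: GBP {expected_loss(BEFORE):.3f}M")
    print(f"expected annual loss after:  GBP {expected_loss(AFTER):.3f}M")
    print(f"annual risk benefit:         GBP {risk_benefit(BEFORE, AFTER):.3f}M")
    print(f"P(30M < loss <= 50M) before: {band_probability(BEFORE, 30, 50):.3f}")
    print(f"3-year benefit, 2-year ramp: GBP {cumulative_benefit(BEFORE, AFTER, 3, 2):.3f}M")
```

With these constructed curves the expected annual loss falls from £12.5M to about £5.5M, an annual benefit of about £7.0M, which is the figure to set against the cost of the improvement programme. If the full reduction takes two years to arrive, the benefit banked over three years is about £14.1M rather than £21.1M, which is the cost of delay the last paragraph refers to. Note that the 12% at £40M contributes only a small band probability (about 3.5% for losses between £30M and £50M); it is the whole curve, not one point, that carries the cost of risk.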