I want to take a break from my Small and Medium business series to discuss a topic that I think still causes a lot of confusion. Let’s talk about cyber risk.
Cyber risk is a hot topic these days, but, in my opinion, it is often misunderstood or conflated with other cybersecurity and privacy concerns. I’ve had conversations where all involved were using the phrase ‘cyber risk’ differently, and, despite hours of talking, the results were still muddled, and the participants emerged confused.
In this blog, I’d like to offer a common definition of cyber risk and outline a few models of cyber risk that I’ve found handy in my time working in the Cyber Risk Management field. I’d like to start this post with a simple definition and a simple method for measuring cyber risk and move to more advanced, and hopefully more precise, methods of measuring cyber risk in future posts. I’d also like to talk about what we can do with these measurements of cyber risk once we have found them in order to achieve rudimentary cyber risk management.
The Basic Definition of Cyber Risk
NIST, ISO, AICPA, and DHS are among the multiple organizations that have offered a definition of cyber risk. While the multiple definitions of cyber risk all differ to a lesser or greater extent, a few key elements remain the same. Let’s examine these constants to get a little better understanding of what the absolute broadest understanding of ‘Cyber Risk’ is. Let’s break it down into three ideas:
- Let’s acknowledge that a bad thing can happen to our cyber assets.
- However, just because some bad things can happen, doesn’t mean that they will happen.
- But, if a bad thing does occur, it will do some amount of damage.
Cyber risk is, therefore, a prediction that is a combination of how frequently we can expect a bad thing to happen, and how bad it can be. Obviously, this is a very simple definition, but I think it is one that is pretty universal.
The concept of cyber risk can be pretty handy for organizing business responses to the bad things that can happen.
Cyber Risk – Basic Qualitative Measurement Model
Qualitative Cyber Risk Measurement is a way of measuring cyber risk without using numbers. We could use this if it is not very important to be precise, or if we don’t have specific numbers about the frequency of an event or the negative impact the event could have. In our qualitative risk analysis, we will plot the probability that an event occurs and the negative impact of an event along two ordinal axes. Let’s use the ordinal series Low, Moderate, and High to represent the probability and impact of a bad event. Using this chart, we can plot the following events:
1. An event with a low likelihood of occurrence and low impact
2. An event with a low likelihood of occurrence and high impact
3. An event with a high likelihood of occurrence and low impact
4. An event with a moderate likelihood of occurrence and moderate impact
5. An event with a high likelihood of occurrence and high impact
Qualitative cyber risk measurement is among the easiest methods of working with cyber risk in your organization, but because there are no numbers attached, it may be less meaningful than other methods, and less precise. As we can see, event 1 (low/low) poses a fairly low risk as expected, and event 5 (high/high) poses a high risk as expected. However, in this qualitative model, a high/low event or a low/high event equates roughly to the same level of risk as a moderate/moderate event.
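To make that last point concrete, here is a small sketch added for illustration (it is not from the original chart). It assumes the chart's risk bands follow the diagonals of the 3x3 grid, which is a common convention; the band thresholds and the function names are assumptions.

```python
from collections import defaultdict

# Ordinal scale from the post; the numeric ranks only encode order.
SCALE = {"low": 1, "moderate": 2, "high": 3}

def risk_band(likelihood: str, impact: str) -> str:
    """Combine two ordinal ratings into one band.

    Assumption: bands follow the anti-diagonals of the 3x3 chart
    (rank sum), so opposite corners land on the middle diagonal.
    """
    try:
        total = SCALE[likelihood.lower()] + SCALE[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be one of {sorted(SCALE)}") from exc
    if total <= 3:
        return "Low"
    if total == 4:
        return "Moderate"
    return "High"

def group_by_band(register):
    """Map band -> event names, exposing events the model cannot tell apart."""
    bands = defaultdict(list)
    for name, likelihood, impact in register:
        bands[risk_band(likelihood, impact)].append(name)
    return dict(bands)

# Constructed register: the five events listed in the post, in order.
REGISTER = [
    ("event 1", "low", "low"),
    ("event 2", "low", "high"),
    ("event 3", "high", "low"),
    ("event 4", "moderate", "moderate"),
    ("event 5", "high", "high"),
]

if __name__ == "__main__":
    for band, names in group_by_band(REGISTER).items():
        print(f"{band}: {', '.join(names)}")
```

Events 2, 3, and 4 all come out in the same band, even though a rare but severe event and a frequent but minor one usually call for different responses.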
Please, tune in for the next iteration in the Cyber Risk Series where we will discuss a more advanced and precise model of measuring risk, as well as some interesting risk management data points to look for in your organization.
CHIEF INFORMATION SECURITY OFFICER