Cyber Risk Quantification
Cyber risk quantification is the application of risk quantification techniques to an organization's cyber security risk. It takes the cyber risks that have already been identified and then validates, measures and analyzes the available cyber data with mathematical models, so that the organization's cyber environment is represented in a form that supports informed decisions about cyber security infrastructure investment and risk transfer (for example, cyber insurance). Cyber risk quantification is a supporting activity within cyber risk management.
Companies such as PivotPoint Risk Analytics[1] have developed cyber risk quantification tools; PivotPoint's is called Cyber Value-at-Risk (CyVaR) and quantifies an organization's cyber security risk from multiple inputs. CyVaR is based on the Value-at-Risk methodology used in the financial industry since the mid 1980s.[2] Its inputs include: the organization's business-critical applications, databases and IT systems, each with an exposure value in dollars and the potential losses associated with it; the organization's network topology; and the organization's cyber security defenses, rated against a specific control framework such as NIST, ISO 27002 or the Center for Internet Security (CIS) Critical Security Controls version 6.1, recording the strength or maturity of each framework category and the organization's level of confidence in that rating. The model has built-in cyber attack success rates drawn from sources such as the Verizon Data Breach Investigations Report and similar published data on successful attacks.

Once these inputs are complete, CyVaR runs a Monte Carlo simulation of one million instances of the model to produce the organization's annual loss distribution, and presents the results on a dashboard. The headline figure is the "Severe" VaR, the loss level that corresponds to the "1 in 20" year: with 95% probability the year's loss stays at or below it, and with 5% probability (one year in twenty) the loss exceeds it. An event of that size would be catastrophic for most organizations, so it is the one the organization's cyber risk effort should focus on.
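The loss-distribution and VaR step described above, as an added example that is not PivotPoint's code or CyVaR's actual model: a small Monte Carlo simulation in Python over a constructed portfolio of three assets. Each asset carries a hypothetical exposure value, an expected number of attack attempts per year, a control strength (the fraction of attempts stopped) and a lognormal loss-severity fraction; the asset names and every number are assumptions for illustration, not measured data. The simulation produces an annual loss distribution, reads off the 95% ("1 in 20") VaR, confirms that about 5% of simulated years exceed it, and reruns with stronger database controls to show how the figure feeds an investment decision.

```python
"""Monte Carlo annual-loss simulation with a Value-at-Risk (VaR) readout.

Added, hypothetical illustration of the approach described above; it is not
CyVaR or any other vendor's model.  Asset names, exposures, attack rates,
control strengths and loss-severity parameters are all constructed for this
example, not measured data.
"""
import math
import random
from dataclasses import dataclass, replace
from typing import List, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    exposure_usd: float          # most that can be lost on this asset in one year
    attacks_per_year: float      # expected attack attempts per year (Poisson mean)
    control_strength: float      # probability that one attempt is stopped, 0..1
    loss_fraction_median: float  # typical fraction of exposure lost per success
    loss_fraction_sigma: float   # log-space spread of that fraction (lognormal)


def sample_poisson(rng: random.Random, mean: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def sample_annual_loss(assets: Sequence[Asset], rng: random.Random) -> float:
    """One simulated year: attempts arrive, controls stop some, the rest cost money."""
    total = 0.0
    for a in assets:
        asset_loss = 0.0
        for _ in range(sample_poisson(rng, a.attacks_per_year)):
            if rng.random() < a.control_strength:
                continue  # attempt blocked by the control set
            fraction = rng.lognormvariate(math.log(a.loss_fraction_median),
                                          a.loss_fraction_sigma)
            asset_loss += a.exposure_usd * min(fraction, 1.0)
        total += min(asset_loss, a.exposure_usd)  # cannot lose more than the exposure
    return total


def run_simulation(assets: Sequence[Asset], trials: int = 50_000,
                   seed: int = 1) -> List[float]:
    """Return the simulated annual losses sorted ascending (the loss distribution)."""
    rng = random.Random(seed)
    return sorted(sample_annual_loss(assets, rng) for _ in range(trials))


def value_at_risk(sorted_losses: Sequence[float], confidence: float) -> float:
    """Loss that the year stays at or below with probability `confidence`.

    At 0.95 this is the '1 in 20' year: about 5% of simulated years lose more
    and 95% lose this much or less.  It is not a 95% chance of the loss occurring.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    index = math.ceil(confidence * len(sorted_losses)) - 1
    return sorted_losses[index]


def exceedance_probability(sorted_losses: Sequence[float], threshold: float) -> float:
    """Fraction of simulated years whose loss exceeds `threshold`."""
    return sum(1 for loss in sorted_losses if loss > threshold) / len(sorted_losses)


# Constructed portfolio (hypothetical names and numbers).
PORTFOLIO = [
    Asset("customer-db", 5_000_000, 12.0, 0.90, 0.05, 1.0),
    Asset("payments-api", 2_000_000, 20.0, 0.95, 0.10, 0.8),
    Asset("hr-system", 500_000, 4.0, 0.80, 0.20, 0.6),
]


def main() -> None:
    baseline = run_simulation(PORTFOLIO)
    var95 = value_at_risk(baseline, 0.95)
    print(f"expected annual loss : ${sum(baseline) / len(baseline):,.0f}")
    print(f"severe (95%) VaR     : ${var95:,.0f}")
    print(f"P(loss > severe VaR) : {exceedance_probability(baseline, var95):.3f}")

    # What-if for an investment decision: harden the database controls and rerun.
    hardened = [replace(a, control_strength=0.97) if a.name == "customer-db" else a
                for a in PORTFOLIO]
    print(f"severe VaR, hardened : ${value_at_risk(run_simulation(hardened), 0.95):,.0f}")


if __name__ == "__main__":
    main()
```

The quantile is read from the sorted losses with a ceiling index, so the fraction of simulated years strictly above the 95% VaR is never more than 5%; comparing the baseline and hardened runs side by side is the kind of before/after figure that turns a control investment into a dollar argument.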
References
See also
- Value at Risk
- Risk Analytics: The CIO's Guide to Leading the Cybersecurity Business Discussion
- Economic Forum: Partnering for Cyber Resilience - Towards the Quantification of Cyber Threats