Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/24/2019
10:30 AM
Robert Huber
Robert Huber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Organizations Must Quantify Cyber-Risk in Business Terms

The rising costs of breaches and regulatory fines are driving demand for better measurement and articulation of business impacts.

There's no doubt that cyber incidents are a top concern for business leaders today. Decision-makers around the world view data fraud, data theft, and cyberattacks as among the top five biggest risks they face, according to the World Economic Forum's "Global Risks Report." That's because cyberattacks can have a huge impact on a business — look at the estimated $300 million in costs after the NotPetya malware shut down operations at Maersk and that Verizon paid $350 million less for Yahoo after it suffered two cyberattacks. The average cost of cybercrime to an organization has risen to $13 million, according to a recent Accenture report. For businesses of all sizes and industries, cyber-risk is business risk.

Security leaders who are struggling to get the resources and support they need to protect their environment against cyberattacks often have an uphill battle when it comes to making their case to the CEO and the board. That's because they aren't able to translate cyber-risk into language the business executives can relate to or even quantify the risk. The CFO and heads of every other business unit speak the language of business, but not the security teams. Security leaders need to quantify cyber-risk in business terms; they need to make clear what the impact could be on the organization's value creation — business operations, reputation, and loss exposure in terms of dollars — all of which affect the future of the organization.

This problem is widespread. According to a recent study conducted by Ponemon and Tenable, more than 90% of respondents report experiencing at least one damaging cyberattack over the past two years, and 60% have had two or more. However, less than half of respondents say they measure the costs of cyber-risks, and only 41% attempt to actually quantify the damage. This lack of confidence in the accuracy of their measures means that security leaders aren't sharing critical information with their boards about the business costs of cyber-risk. Indeed, some security leaders report that news headlines and perceived risks, rather than quantifiable ones, are driving some top-down decisions.

Risk Quantification Best Practices
Security leaders can learn from other industries about how to quantify risk in business terms, like financial services, which has been out in front when it comes to managing risk. People don't let banks manage their life savings if they don't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies.

Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming. Meanwhile, persistent ransomware attacks over the past few years have forced untold numbers of hospitals and cities in the US and elsewhere to pay cybercriminals in order to get their computers back online. In those examples, the loss of basic utility services and potential harm to human life are key factors in the risk equation. For most businesses, however, the cyber-risk is primarily reputational and financial as a result of: loss of business due to downtime; loss of customers; theft of intellectual property or data; legal, labor, and cleanup costs; and fines due to lack of compliance with regulations.

Reliable, Accurate Metrics
What do top executives and boards need to know to make informed business decisions that affect the organization's security programs? They must discover where in their environment they have exposures using quantifiable metrics, including what data and assets are vulnerable, as well as the location of prior security incidents and how they happened. That information helps them prioritize technology purchases and deployments based on risk. Decision-makers also need to know how security teams are reducing their cyber exposure over time, as well as how they compare with their peers. Security teams must correlate vulnerability data with other risk indicators, such as threat intelligence and asset criticality, in order to automatically score, trend, and benchmark an organization's cyber-risk.

There are a number of forces pushing organizations toward more effective cyber-risk management. The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. The rising costs of cyberattacks and data breaches and regulatory fines are driving demand for better measurement and articulation of business impacts. Many organizations have not adopted security metrics that reflect the role that cybersecurity plays as a core business enabler for organizations — but they need to. 

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/28/2019 | 5:42:40 PM
CEO
The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. This is encouraging to hear. If is really time to pay attention what is happening in the organization and where the vulnerabilities are.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/28/2019 | 5:38:41 PM
Re: Quantifying cost
How do you quantify the "possible" cost? I think this is a good question to ask. One way to overcome that is reviewing similar activities and projects completed in the past and forecast the cost for probability of them happening in the future. However I do not have a good answer either unfortunately.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/28/2019 | 5:35:21 PM
Re: Quantifying cost
My issue with most of them at this point is, they are all based off of probabilities. I hear you. We are living in more probabilistic wold than deterministic unfortunately.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
10/28/2019 | 5:33:25 PM
CFO
The CFO and heads of every other business unit speak the language of business, but not the security teams. This is really a good point to make. CFOs tens to focus on cost-benefits, if CISO can elaborate security in those terms then there is a better chance to be on the same page.
Bob Huber Tenable
50%
50%
Bob Huber Tenable,
User Rank: Author
10/25/2019 | 10:52:24 AM
Re: Quantifying cost
I agree, quantifying cost is cumbersome at best. There are many initiatives in the insurance industry to try and do just that, as well as some "cyber" companies attenpting to address this. There are frameworks that attempt to do this as well. My issue with most of them at this point is, they are all based off of probabilities. If you could tie probablities to quantifiable telemetry that would be ideal. Personally I have been evaluating some of these technologies to quantify the cost, but the jury is still out on their usefulness.
lmasseus
50%
50%
lmasseus,
User Rank: Apprentice
10/25/2019 | 10:12:18 AM
Quantifying cost
The question that needs to be answered is , How do you quantify the "possible" cost?  An article that delves into the details of how you should quantify Cyber-Risk would be more useful.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.