Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Robert Huber
Robert Huber
Connect Directly
E-Mail vvv

Why Organizations Must Quantify Cyber-Risk in Business Terms

The rising costs of breaches and regulatory fines are driving demand for better measurement and articulation of business impacts.

There's no doubt that cyber incidents are a top concern for business leaders today. Decision-makers around the world view data fraud, data theft, and cyberattacks as among the top five biggest risks they face, according to the World Economic Forum's "Global Risks Report." That's because cyberattacks can have a huge impact on a business — look at the estimated $300 million in costs after the NotPetya malware shut down operations at Maersk and that Verizon paid $350 million less for Yahoo after it suffered two cyberattacks. The average cost of cybercrime to an organization has risen to $13 million, according to a recent Accenture report. For businesses of all sizes and industries, cyber-risk is business risk.

Security leaders who are struggling to get the resources and support they need to protect their environment against cyberattacks often have an uphill battle when it comes to making their case to the CEO and the board. That's because they aren't able to translate cyber-risk into language the business executives can relate to or even quantify the risk. The CFO and heads of every other business unit speak the language of business, but not the security teams. Security leaders need to quantify cyber-risk in business terms; they need to make clear what the impact could be on the organization's value creation — business operations, reputation, and loss exposure in terms of dollars — all of which affect the future of the organization.

This problem is widespread. According to a recent study conducted by Ponemon and Tenable, more than 90% of respondents report experiencing at least one damaging cyberattack over the past two years, and 60% have had two or more. However, less than half of respondents say they measure the costs of cyber-risks, and only 41% attempt to actually quantify the damage. This lack of confidence in the accuracy of their measures means that security leaders aren't sharing critical information with their boards about the business costs of cyber-risk. Indeed, some security leaders report that news headlines and perceived risks, rather than quantifiable ones, are driving some top-down decisions.

Risk Quantification Best Practices
Security leaders can learn from other industries about how to quantify risk in business terms, like financial services, which has been out in front when it comes to managing risk. People don't let banks manage their life savings if they don't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies.

Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming. Meanwhile, persistent ransomware attacks over the past few years have forced untold numbers of hospitals and cities in the US and elsewhere to pay cybercriminals in order to get their computers back online. In those examples, the loss of basic utility services and potential harm to human life are key factors in the risk equation. For most businesses, however, the cyber-risk is primarily reputational and financial as a result of: loss of business due to downtime; loss of customers; theft of intellectual property or data; legal, labor, and cleanup costs; and fines due to lack of compliance with regulations.

Reliable, Accurate Metrics
What do top executives and boards need to know to make informed business decisions that affect the organization's security programs? They must discover where in their environment they have exposures using quantifiable metrics, including what data and assets are vulnerable, as well as the location of prior security incidents and how they happened. That information helps them prioritize technology purchases and deployments based on risk. Decision-makers also need to know how security teams are reducing their cyber exposure over time, as well as how they compare with their peers. Security teams must correlate vulnerability data with other risk indicators, such as threat intelligence and asset criticality, in order to automatically score, trend, and benchmark an organization's cyber-risk.

There are a number of forces pushing organizations toward more effective cyber-risk management. The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. The rising costs of cyberattacks and data breaches and regulatory fines are driving demand for better measurement and articulation of business impacts. Many organizations have not adopted security metrics that reflect the role that cybersecurity plays as a core business enabler for organizations — but they need to. 

Related Content:


Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
10/28/2019 | 5:35:21 PM
Re: Quantifying cost
My issue with most of them at this point is, they are all based off of probabilities. I hear you. We are living in more probabilistic wold than deterministic unfortunately.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...