Cyber risk is the exposure to the possibility of incurring a loss of any kind through an information technology infrastructure.
Losses can include financial resources, operational capability, or fines and lawsuits, for example after sensitive customer data is compromised. Cyber risk can be measured quantitatively by applying traditional risk analysis with the additional factors introduced by cyber threats taken into account. Cyber security affects a business at all four of the reputational, operational, legal, and financial levels, and the management of all four levels must be considered in a cyber risk analysis process.
One common real-world cyber risk is social engineering, which exploits a company's weakest vulnerability: its people. Social engineering is best combated through employee training programs that create awareness of the dangers of social engineering and teach employees how to recognize the signs of an attack.
Another real-world cyber risk is poor cyber hygiene, the unhealthy habits some users practice when interacting with information technology. Passwords are an area where many users practice bad habits, such as writing passwords down on sticky notes. One of the best ways to improve cyber hygiene is to create awareness of these issues through training and, possibly, periodic reminders.
The difference between quantitative and qualitative measurement in cyber risk lies in the type of result the analysis produces. Qualitative analysis uses reasoned speculation to evaluate specific scenarios, their potential for vulnerability, and possible solutions. Quantitative analysis assigns numeric values to the components of the risk analysis model so that they can be compared mathematically.
Inherent cyber risk is the amount of risk that exists without security controls. It is quantified by calculating the cost of business interruption, data exfiltration, regulatory fees, insurance needs, etc.
Residual cyber risk is the amount of risk with cyber security controls in place. Residual risk considers the effectiveness of cyber security controls and assesses their correlations to vulnerabilities, security assessments, research, and security tools.
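The three preceding paragraphs describe quantitative analysis, inherent risk and residual risk in words. The following Python is an added example, not code from the page or from the cited book, that puts numbers to those definitions. It assumes the common annualised-loss model (annual loss expectancy = single loss expectancy x annual rate of occurrence) and models each control as preventing a fixed fraction of the expected loss, with independent controls compounding multiplicatively; the page does not prescribe these formulas. All scenario figures (the `LossScenario` and `Control` values) are constructed.

```python
"""Quantitative cyber risk model: inherent vs. residual risk (added example).

Assumptions (not from the page):
  - inherent risk = single loss expectancy (SLE) x annual rate of occurrence (ARO)
  - each control prevents a fixed fraction of expected loss ("effectiveness")
  - controls are independent, so remaining-risk factors multiply
All monetary figures below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class LossScenario:
    name: str
    # Per-incident cost components named on the page, in currency units (constructed)
    business_interruption: float
    data_exfiltration: float
    regulatory_fees: float
    insurance: float
    annual_rate: float  # expected incidents per year (ARO), constructed

    def single_loss_expectancy(self) -> float:
        """Total cost of one incident with no controls in place."""
        return (self.business_interruption + self.data_exfiltration
                + self.regulatory_fees + self.insurance)

    def inherent_risk(self) -> float:
        """Annualised expected loss without any security controls (SLE x ARO)."""
        return self.single_loss_expectancy() * self.annual_rate


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of expected loss the control prevents, 0..1
    annual_cost: float    # what it costs to run the control for a year


def residual_risk(scenario: LossScenario, controls: list[Control]) -> float:
    """Inherent risk after each control removes its share of the expected loss."""
    remaining = scenario.inherent_risk()
    for control in controls:
        if not 0.0 <= control.effectiveness <= 1.0:
            raise ValueError(f"effectiveness out of range for {control.name}")
        remaining *= (1.0 - control.effectiveness)
    return remaining


def net_control_value(scenario: LossScenario, controls: list[Control]) -> float:
    """Risk removed by the controls minus their annual cost.

    A negative value means the controls cost more than the risk they eliminate,
    which is the quantitative comparison the page says numeric values enable.
    """
    reduction = scenario.inherent_risk() - residual_risk(scenario, controls)
    return reduction - sum(c.annual_cost for c in controls)


def example_assessment() -> tuple[float, float, float]:
    """Constructed phishing scenario with two hypothetical controls."""
    phishing = LossScenario(
        name="credential phishing",
        business_interruption=40_000.0,
        data_exfiltration=100_000.0,
        regulatory_fees=50_000.0,
        insurance=10_000.0,
        annual_rate=0.5,  # one incident every two years, constructed
    )
    controls = [
        Control("security awareness training", effectiveness=0.6, annual_cost=15_000.0),
        Control("multi-factor authentication", effectiveness=0.5, annual_cost=10_000.0),
    ]
    inherent = phishing.inherent_risk()
    residual = residual_risk(phishing, controls)
    value = net_control_value(phishing, controls)
    return inherent, residual, value


if __name__ == "__main__":
    inherent, residual, value = example_assessment()
    print(f"inherent risk: {inherent:,.0f}  residual risk: {residual:,.0f}  "
          f"net control value: {value:,.0f}")
```

With the constructed figures the scenario's single loss expectancy is 200,000, the inherent annual risk is 100,000, the two controls leave a residual risk of 20,000, and after their 25,000 combined cost the controls still remove 55,000 more risk than they cost. The practical use of such a model is the comparison it enables: changing a control's effectiveness or cost and re-running the assessment shows which investment lowers residual risk most per unit spent.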
Cybersecurity frameworks can assess the effectiveness of security tools through a set of tests that determine how well the tools are positioned to improve the overall security posture.
Examples of cyber security risk management frameworks in use today include the NIST framework and the ISO 27001 framework.
The NIST framework combines all the management activities required for acceptability under regulations, laws, and policies with proper security and privacy practices, and integrates them into the organization's development life cycle. The NIST framework was developed by the Joint Task Force (JTF) and can be applied to any organization type or technology type, including organizations with legacy systems.