Who can forget the famous Jerry Maguire quote, “Show me the money!” Fans have referenced it for decades in various contexts for obvious reasons. Money drives decisions, ideas and actions. In enterprises, almost every major decision is driven by money, a.k.a. ‘value at risk,’ except when it comes to cyber risk. Attempts thus far to quantify the financial impact of cyber risk have fallen short. The dynamic nature of threats, vulnerabilities, technologies and data, coupled with the difficulty of understanding the actual impact of a breach at every level (brand and reputational damage, data and dollars lost, and so on), makes it challenging to map accurate financial metrics to cyber risk.
However, the tide is changing. The first major sign appeared in 2013 after the infamous Target breach. That’s when data breaches became household terminology. Stakeholders, including board members, executives and other non-technical enterprise leaders, realized not only that their private information could get into the wrong hands through digital attacks but also that their company could face a slew of negative publicity. Target weathered the storm, but the impact is still in the headlines. The company reached a multistate $18.5 million settlement, which has become the tipping point for other enterprises to prioritize quantifying cyber risk, in dollars and cents, so that they know which actions and investment decisions will reduce financial impact the most.
The good news is that applying the value at risk equation to cyber security is not as difficult as it may seem. It starts with understanding your digital assets. Which systems, applications, servers, databases and other assets are the most valuable to your company? What kind of data do they hold? Which of those assets, if compromised, would hurt your company the most?
Metrics should be calculated for these four points:
- The total potential amount of money lost if your high value assets were compromised
- How much that amount would decrease if the threats to and the vulnerabilities within those assets were mitigated
- How much it would cost the company to mitigate those threats and vulnerabilities
- A breakdown of the above three points per business unit
Here’s an example of how to apply those points. Let’s say your company is at risk of losing $10 million if an attacker exploits a vulnerability in one of your applications. If you mitigate the vulnerability, it will reduce that impact to $5 million, so the realized benefit of the fix is the $5 million reduction. Assuming the cost to mitigate the vulnerability, factoring in resources, manpower, technology and whatever else it takes to fix the problem, is less than that $5 million, then from a business standpoint the decision is a straightforward one. On the other hand, if the cost exceeds the $5 million reduction, you would be spending more on the fix than the exposure it removes, and the decision requires more analysis: perhaps a cheaper partial mitigation, or accepting or transferring the residual risk.
There is one more factor to consider: progress. Is your financial exposure trending higher or lower over time? If it’s lower quarter over quarter, you know you are making the right decisions. If it’s higher, you know to change course so that you are more efficient with your efforts.
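The four metrics and the quarter-over-quarter check above are easy to put into a small model. The following is an added example, not code from the original post: it takes the post's $10 million / $5 million figures as one row, adds constructed figures for the other assets and the quarterly totals, and goes slightly beyond the text by ranking the fundable mitigations by net benefit. Like the post, it treats the loss figures as given and does not weight them by likelihood of compromise; a real programme would feed an annualised expected loss into the same fields.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One high-value asset and the figures the post asks for (constructed sample data)."""
    business_unit: str
    asset: str
    loss_if_compromised: float    # metric 1: money lost if the asset is compromised
    loss_after_mitigation: float  # residual loss once the threat/vulnerability is mitigated
    mitigation_cost: float        # metric 3: people, tooling and time needed to fix it

    @property
    def reduction(self) -> float:
        """Metric 2: how much exposure the mitigation removes."""
        return self.loss_if_compromised - self.loss_after_mitigation

    @property
    def net_benefit(self) -> float:
        """Reduction minus cost; positive means the fix removes more exposure than it costs."""
        return self.reduction - self.mitigation_cost


def decide(e: Exposure) -> str:
    """Fund a mitigation only when it removes more exposure than it costs.

    The comparison is against the reduction, not the total loss: a fix costing
    $6M on a $10M exposure that drops to $5M still costs more than it saves.
    """
    return "fund" if e.net_benefit > 0 else "analyse further"


def by_business_unit(exposures):
    """Metric 4: roll exposure, achievable reduction and mitigation cost up per business unit."""
    totals = {}
    for e in exposures:
        t = totals.setdefault(e.business_unit, {"exposure": 0.0, "reduction": 0.0, "cost": 0.0})
        t["exposure"] += e.loss_if_compromised
        t["reduction"] += e.reduction
        t["cost"] += e.mitigation_cost
    return totals


def prioritise(exposures):
    """Fundable mitigations ordered by net benefit, largest first."""
    fundable = [e for e in exposures if e.net_benefit > 0]
    return sorted(fundable, key=lambda e: e.net_benefit, reverse=True)


def trend(quarterly_exposure):
    """Direction of total exposure over the last two quarters: improving, worsening or flat."""
    if len(quarterly_exposure) < 2:
        return "insufficient data"
    previous, latest = quarterly_exposure[-2], quarterly_exposure[-1]
    if latest < previous:
        return "improving"
    if latest > previous:
        return "worsening"
    return "flat"


# Constructed sample data. The first row uses the post's own $10M / $5M figures with an
# assumed $2M fix; the second shows the same reduction with a $6M fix, which is below the
# $10M total loss but above the $5M reduction and so does not pay for itself.
SAMPLE = [
    Exposure("Retail", "checkout-app", 10_000_000, 5_000_000, 2_000_000),
    Exposure("Retail", "loyalty-db", 10_000_000, 5_000_000, 6_000_000),
    Exposure("Finance", "payroll", 4_000_000, 500_000, 1_000_000),
]
QUARTERLY_EXPOSURE = [24_000_000, 21_500_000, 19_000_000]  # constructed totals, Q1..Q3


if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.business_unit}/{e.asset}: reduction ${e.reduction:,.0f}, "
              f"cost ${e.mitigation_cost:,.0f} -> {decide(e)}")
    print("per business unit:", by_business_unit(SAMPLE))
    print("funding order:", [e.asset for e in prioritise(SAMPLE)])
    print("exposure trend:", trend(QUARTERLY_EXPOSURE))
```

The decision rule deliberately keys off `reduction`, which is the figure the post calls the realized benefit; comparing cost against the total potential loss instead would approve fixes that cost more than the risk they remove.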
Calculating these kinds of metrics requires technology and human knowledge, but that’s a conversation for a different day. For now, it’s just good to know that measuring cyber risk in dollars and cents to drive decision-making is a reality.