Overhauling Cyber Risk: From Guesswork to Data-Driven Decisions
Cybersecurity risk management is a critical component of modern business management systems, yet many organizations base their security programs on what can only be described as fundamentally flawed practices. Current methods often rely on subjective and biased assessments that fail to capture the complexity of the cyber threats they face. After looking at the practices of dozens of businesses, large and small, across many countries around the world, it’s clear that we need an overhaul of these practices. Risk-based decisions are the cornerstone of a good security program, but if the data lies then all bets are off. I’d urge security leaders to either abandon these ineffective methods of risk assessment or significantly improve their metrics collection to ensure decisions are based on reliable data.
Why Traditional Cyber Risk Management is Flawed
The problem with cyber risk management is that the process is often built on shaky foundations. Many organizations reuse their business risk management framework to calculate cyber risk through a process that relies heavily on expert guesswork. This subjective approach often ignores crucial metrics necessary for accurately determining the level of risk. For example, empirical analysis of the patch state of every system the business owns and manages is very hard to attain, and more often than not this data is not even included in a risk assessment. The result is a skewed understanding of vulnerabilities and threats, based on nothing more than guesswork. And the outcome is misallocated investment into more controls and more resources, while the fundamental (but often very complex and hard to solve) issues are not tackled.
In many cases, risk assessments are conducted using qualitative measures such as risk matrices – those lovely grids containing green, orange and red blobs that indicate how good or bad something is. These tools, while simple to use, are inherently flawed, especially when it comes to cyber risk, as they are highly subjective and prone to bias. The assessors’ personal experiences, pressure from management, organizational culture, and external pressures all influence the outcomes, making the results unreliable.
The Need for Quantitative Risk Assessments
Quantitative risk assessments offer a more objective and data-driven approach to evaluating cyber risks. As the Center for Internet Security (CIS) says, “Quantitative risk analysis eliminates ambiguity and facilitates more objective decision-making by providing a clear, numeric picture of the risk landscape. It reduces the element of subjective bias that can be associated with qualitative methods, leading to more rational and robust decisions.”
Techniques such as Monte Carlo simulations and Bayesian networks are often used by risk assessors to model uncertainties and variabilities in systems, providing a more nuanced understanding of potential impacts. However, these methods are not widely adopted in cyber due to their complexity and the resources required to implement them, even though the benefits far outweigh the challenges. If we can find a way to commoditise quantitative risk analysis for cyber leaders and practitioners, perhaps with some easy-to-use platforms and tools, they would allow for a more accurate and comprehensive view of the risk landscape.
Incorporating Expert Judgment
These quantitative methods are essential, but there is still room for expert judgment in the process, as the expertise and experience of security managers and risk managers will still play a part. The trick to making this work is to combine expert insights with empirical data to create a balanced and objective process. Cyber risk teams could, for example, try talking to their insurance companies and convincing them to offer actuarial data that can feed into their likelihood metrics. Cyber insurers hold myriad details of past incidents, their causes, and their financial impacts. If they would share some of this data with the broader business community, then everyone would win. I’m not saying this would happen overnight, but the data is there; it’s just that most of us have no access to it.
For example, if a cyber insurance company could provide anonymized actuarial data relating to common vulnerabilities and threats, it could help organizations anticipate potential risks more accurately and allocate resources accordingly. By integrating this sort of actuarial data with other quantitative modelling methods, businesses may be able to boost the efficacy of their risk assessments and focus their investment and resources in the places that matter most.
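To make the two preceding ideas concrete, here is an added example (not code from the article or from any insurer) of what the Monte Carlo approach mentioned earlier looks like when an insurer-style incident rate is combined with an organization's own incident counts. The insurer prior is folded in with a simple Gamma-Poisson Bayesian update, the updated frequency drives a Monte Carlo simulation of annual loss, and the output is an expected annual loss, a 95th-percentile loss and a probability of exceeding a loss threshold, which is the kind of numeric picture the CIS quote describes. Every input value below is constructed for illustration; the prior rate, the weighting of that prior, the incident counts and the per-incident cost distribution are all assumptions, not real actuarial figures.

```python
import math
import random

# Constructed, hypothetical inputs. They stand in for (a) anonymized insurer
# actuarial data and (b) the organization's own incident log. None of these
# numbers come from a real insurer or from the article.
PRIOR_INCIDENT_RATE = 1.5    # insurer's average incidents per year for similar firms (assumed)
PRIOR_RATE_WEIGHT = 4.0      # how many "years of evidence" the prior is worth (assumed)
OWN_INCIDENTS = 5            # incidents in our own logs ... (constructed)
OWN_YEARS = 2.0              # ... over this many years (constructed)
MEDIAN_LOSS = 50_000.0       # median cost per incident (constructed)
LOSS_SIGMA = 1.0             # log-scale spread of per-incident cost (assumed)


def posterior_rate(prior_rate, prior_weight, incidents, years):
    """Gamma-Poisson update: combine the insurer-derived prior with our own counts.

    The prior is a Gamma(shape=prior_rate*prior_weight, rate=prior_weight)
    distribution on incidents/year; observing `incidents` in `years` adds to
    shape and rate. Returns (shape, rate) of the posterior Gamma distribution.
    """
    shape = prior_rate * prior_weight + incidents
    rate = prior_weight + years
    return shape, rate


def sample_poisson(rng, lam):
    """Draw one Poisson(lam) count with Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(trials=20_000, seed=7):
    """Monte Carlo over one year: sample the incident rate from its posterior,
    then the number of incidents, then a lognormal cost for each incident.
    Returns the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    shape, rate = posterior_rate(PRIOR_INCIDENT_RATE, PRIOR_RATE_WEIGHT,
                                 OWN_INCIDENTS, OWN_YEARS)
    losses = []
    for _ in range(trials):
        # Uncertainty in the frequency itself is carried into the simulation
        lam = rng.gammavariate(shape, 1.0 / rate)
        n_incidents = sample_poisson(rng, lam)
        total = 0.0
        for _ in range(n_incidents):
            total += rng.lognormvariate(math.log(MEDIAN_LOSS), LOSS_SIGMA)
        losses.append(total)
    losses.sort()
    return losses


def summarise(losses, threshold):
    """Turn the simulated losses into the three numbers a risk leader asks for."""
    n = len(losses)
    mean = sum(losses) / n
    p95 = losses[int(0.95 * (n - 1))]
    p_exceed = sum(1 for loss in losses if loss > threshold) / n
    return {"expected_annual_loss": mean, "p95_loss": p95, "p_exceed": p_exceed}


if __name__ == "__main__":
    results = summarise(simulate_annual_loss(), threshold=500_000.0)
    for key, value in results.items():
        print(f"{key}: {value:,.3f}")
```

The same scenario scored on a five-by-five risk matrix would collapse to a single coloured cell; the simulation instead yields a loss distribution, so a control that halves incident frequency or caps per-incident cost can be re-run and compared in currency terms. Swapping the constructed constants for real insurer data and real incident counts is the only change needed to use it in practice.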
Collaboration is Crucial
To improve the quality of cyber risk management processes, businesses should establish a collaborative cybersecurity ecosystem with their partners, suppliers and service providers. Even industry verticals can do this, or have it coordinated by industry bodies that set standards for things like cyber. To be effective, it would require data sharing agreements, industry consortia, and regulatory support to facilitate the exchange of critical information. There are already plenty of industry-focused organizations out there that could work on amalgamating these data sets. ISACs like the FS-ISAC exist to protect the financial sector, so working with cyber insurers to provide this kind of data to everyone would make the overall process of cyber risk quantification much easier for all.
Call to Action for Risk Leaders
This entire process of cyber risk management needs an overhaul. We need to step up and remove the guesswork, stopping the flawed, subjective practices we use to provide advice to business leaders. By improving metrics collection and integrating empirical data with our expert judgment, we can finally come up with a solution that takes the guesswork out of investment and resource management and allows us to focus our efforts where it matters, where our organisations are at their weakest. However, it’s clear that this shift will not be easy. These methods are ingrained in everything we do, from the way we are trained to do our job as security professionals, to the way we report to our boards and leadership teams. But imagine a world where we have enhanced our security programs and optimized our resource allocation to the point where we can accurately measure cyber risk and demonstrate improvements through accurate evaluation of the environment.
For businesses, it is crucial to advocate for and adopt a more data-driven approach to risk management. I would encourage cyber insurance companies and leaders in industry bodies such as ISACs to share actuarial data and help build a more resilient cybersecurity ecosystem. Regulatory bodies must also support frameworks that encourage data sharing and collaboration, and last but not least, we need our cyber certification bodies to step up and adopt cyber risk quantification over the subjective flawed approach we have used for years.