Turning Cybersecurity Into a Profit Center With Effective Risk Estimation
April 21, 2020 • The Recorded Future Team
Understanding risk — and risk estimation, in particular — is critical in cybersecurity. Without it, you’re more likely to take actions and make investment decisions that just don’t make business sense.
What exactly is risk estimation, though, and how can it help security teams rebrand themselves as contributors to an organization’s bottom line?
What Is Risk in Cybersecurity?
One of the main problems with risk measurement in cybersecurity is that most people have a poor understanding of what risk actually is. That’s because risk is a loaded term, and most people have preconceived ideas about it based on their experiences outside the world of IT.
Ask your average cybersecurity professional and they’ll tell you that risk has something to do with damage and harm. For example:
- Damage to information systems or people
- Harm to brands or reputation
There’s a simple problem with these types of definitions: They aren’t rigorous enough to be used as a basis for business decision-making. In many industries — particularly those centered around finance and insurance — risk is taken extremely seriously. Organizations in these industries have entire teams devoted to calculating and tracking risk. The same can very rarely be said for cybersecurity.
So, as a starting point, let’s get clear on what risk is in the simplest possible terms: Risk is the potential for monetary loss. Quite simply, the risk associated with an event is equal to the chance that it will eventually lead to a reduction in profitability.
Cybersecurity as a Profit Center
What’s the number one reason why a cybersecurity team might be underfunded? Because cybersecurity is seen as a cost center — it doesn’t make any money for the business.
That can be changed when risk is properly calculated and accounted for. Once you accept that risk is directly tied to monetary loss, the question becomes, “How much does a cyber incident cost the business?”
For security teams, this means that every decision can be guided by the answers to three questions:
- If we take no action, how much money are we likely to lose? (e.g., from data breaches)
- If we do take the action, how much does it reduce the risk (e.g., how much less money are we likely to lose)?
- What is the cost of taking the action?
By answering these questions, security teams are speaking the language of business. Instead of being a cost center, the security team can clearly demonstrate how it helps to increase company profits. After all, if the security team weren’t there, the business would be in measurably worse shape.
This type of calculation is critical for demonstrating the business value of cybersecurity, and for helping non-technical leaders and executives understand what the security function does.
How to Estimate Risk in Cybersecurity
If estimating risk in cybersecurity was easy, everybody would be doing it, right?
On the face of things, estimating cybersecurity risk seems like an impossible task. After all, there’s little or no historical data relating to the new threats that arise each day. And, given the complexity of the threat landscape, building your own model that incorporates every detail needed to calculate cyber risk seems unfeasible.
Instead, risk estimation allows cybersecurity leaders to accurately predict and track cyber risk in financial terms. Risk estimation is about training the brain to accurately estimate a range of risk values within which the true value falls. This includes allowing for black swan-type events. Note that it’s not necessary to predict what the specifics of a black swan event might be, only to allow for its possibility.
The goal is to achieve 90% confidence in the estimated risk range, so the actual value falls within the range nine times out of 10. To produce a model for cybersecurity risk, all you have to do is to estimate ranges of monetary loss resulting from different cybersecurity events. You’ll never need to predict the exact loss, just a range of likely losses.
Improving Risk Estimation Capabilities
Of course, you can’t expect to be perfect at estimating risk on your first try. Estimation exercises are crucial to help train your brain and account for both under- and overconfidence.
Typically, a small proportion of people are underconfident when estimating risk ranges, leading them to produce ranges that are too large. This forces the organization to prepare for a potentially larger impact than is realistically likely to occur, leading to resource waste.
On the other hand, most people are overconfident, leading them to produce ranges that are too small. This increases the chance that a real-world event will fall outside the estimated range, and the organization won’t be prepared to deal with it.
Estimation training will help you to produce ranges that accurately represent the level of confidence you have in the information and knowledge available to you. They will also help you understand your natural bias — whether it is toward under- or overconfidence — and adjust accordingly. This type of trained risk estimation helps to fill the gaps left by imperfect or missing historical data.
Learning From Casinos and Investment Banks
No attempt to accurately calculate risk would be complete without a sturdy statistical analysis. When it comes to estimating the financial impact of a cyber incident, a lot can be learned from the techniques used by casinos and investment banks to forecast profits and losses.
What these types of organizations understand is that relying on traditional averages — mean averages, specifically — is a bad idea. While the average loss from a cyber incident might be $1 million, the range might be between $0.5 million and $1.5 million. Naturally, an organization needs to be prepared for a high-end event, not just an average event.
To determine the likely bottom- and top-end ranges for an outcome, casinos and investment banks use a technique called Monte Carlo modeling. This technique involves selecting one random value for each model input out of a specified range and calculating the resulting losses using a simple model.
As a simple example, a cyber incident that affects X assets, requires Y hours to resolve, and leads to Z breached records might have an estimated financial impact of $800,000.
This simulation can be repeated thousands (or even millions) of times, and the distribution of results represents the range of likely losses. This type of simulation is practical and easy to implement. In some cases, it can even be computed and updated using an Excel spreadsheet.
What You Need to Know About Risk-Based Cybersecurity
Recorded Future’s senior vice president of global intelligence, Levi Gundert, recently wrote and published a book on risk for cybersecurity leaders called “The Risk Business: What CISOs Need to Know About Risk-Based Cybersecurity.”
In the book, Gundert draws from his extensive career in cybersecurity risk management across the public and private sectors to share:
- A comprehensive case for risk-based cybersecurity, and how it contributes to business profitability
- How to accurately estimate risk in the real world (including the specifics of how to run Monte Carlo simulations)
- Why most cybersecurity frameworks aren’t based on risk, and what to do about it
- How strategic and operational threat intelligence can help your organization more accurately calculate and track cyber risk
- Why the true solution to reducing cyber risk lies in people (not technology), and how to make sure you hire and retain the best talent for your threat intelligence positions
Download your free copy of “The Risk Business” today.