Quantifying Risk in Monetary Terms

Risk. Do you think of it as something negative, or as an opportunity?

What if you could quantify risks in dollar terms, and then manage them precisely? It might make you think about them more opportunistically; as something you had more control over and could leverage strategically. That’s the promise of risk quantification, and today, it’s a reality.

Leaving Heatmaps Behind

Risk has traditionally been measured in generic terms, often as red/yellow/green heat maps. While these charts provided some insight as to the level of risk, it’s just the tip of the iceberg.

Most Chief Information Security Officers (CISOs) and Chief Risk Officers (CROs) were initially relieved to measure cyber risks with these colour-coded heatmaps, that represented the best they had to determine threat levels, where to invest next, and where boards could take their foot off the gas pedal.

According to Deloitte, “Boards, executives, and the organisation at large recognise their fiduciary responsibilities to customers — and take those duties seriously. Yet, when it comes to identifying cyber risks and efficiently allocating resources towards mitigating them, the industry continues to struggle.”

The latest industry developments in cyber risk quantification now provide a more accurate measure to an organisation by assigning numerical dollar values. Providing a quantifiable measure on the impact of cyber hacks or external threats will help organisations avoid paying millions of dollars, if not more, in correcting losses and damages.

Here are three considerations to implementing a more strategic approach to quantifying risks.

Moving to Cyber Risk Currency with Advanced Technology

Today’s business environment generally consists of variations in risk scoring taxonomies across a single business. Harmonising risk management techniques and methods by driving toward a common risk score across cyber, operational risk, and resilience teams is critical to success. Companies need a risk score that is based on consistent factors and grounded in business context. A combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It can also help increase the agility and speed of remediation efforts.

Accurate computation of cyber risk in numerical terms leverages advanced statistical techniques such as Monte Carlo algorithms, which are a broad class of computational algorithms that rely on repeated random sampling to obtain numerical results.  They not only allow incorporations of varying uncertainties associated with cyber loss outcomes but also facilitate aggregation of different unrelated risk profiles. The result is a targeted understanding of which cyber risks are most critical and need the most attention. This in turn facilitates optimum utilisation of mitigation efforts to reduce the risk exposures. The use of advanced technology will have you well on your way to leaving heatmaps in the past.

Implementing Data from Multiple Points of an Organization

Taking data points from multiple sectors of an organisation and bringing all the data together leads to a singular number that gives a true idea of risk in a simplified monetary term. But ultimately, we find even greater importance in implementing a solidified risk quantification plan through preparing for the negative side of risk. With this proactive approach, not only are costly fines and monetary losses avoided, but organisations can steer clear of most real-time cyber issues.

Defining a clear monetary figure also proves pertinent in the working relationship between CISOs and boards of directors. It’s not too uncommon for the two sides to be in miscommunication about budget-related issues, with the board of directors perhaps having a difficult time seeing in real-time where that budget is being allocated. Quantifying risks leads to a more straightforward idea of where that budget is being used, which is useful to both the CISO and board of directors.

Through this integrated data solution, risk quantification provides the following benefits:

• Boards and executives better understand cyber risk exposure, understanding what is at stake, expressed in dollar value terms.
• CISOs get an accurate sense about the impact of cyber risks like data breaches, identify theft, and infrastructure downtime.
• Executive teams can prioritise cyber investments better, driving alignment between cyber programs and business goals, and plan for optimal insurance coverage.
• CISOs can develop a defensible justification for cyber investments, based on the risk quantification models’ response to newer additional controls.  

Why is Risk Quantification Important Now?

Standard and Poor’s Corp. released a report in late 2020 stating that “cyber insurance premiums, which now total about $5 billion annually, will increase 20 per cent to 30 per cent per year on average in the near future.” Investing in cyber risk quantification has emerged as a pillar of IT and cyber security and an indispensable value-add to control costs and make wise, analytics-based investment decisions.

For example, finite risk insurance companies currently underwrite cyber risk and provide cyber insurance. Securing coverage is already getting more challenging. Like any insurance policy, there are many caveats to consider including investing in a cyber quantification tool as a prerequisite for obtaining insurance coverage. In fact, the more you invest in the appropriate amount of cyber security controls and tools, the more likely you are to get access to the insurance products you need.

An additional perk is that you may find taking the appropriate steps to mitigate risk in the first place is far less costly than insurance. Quantifying risk means you can weigh the pros and cons of underwriting the risk and make more informed decisions about where to invest. This is especially important as cyber breaches increase along with premiums.

Cyber risk quantification is now firmly established as a key innovation and indispensable value-add to integrated risk management. Think of the business impact of making data-driven decisions based on risk exposure versus required investments. Security and risk professionals can gain an efficient basis for allocating cyber security budgets and limited resources to prioritise mitigation efforts.