Risk Quantification for Cybersecurity Human Risk Management
Dec 13
Lev Lesokhin Lev Lesokhin is an experienced business technologist, a former software developer, consultant, and tech executive. Having started his career at MITRE, Lev has had many touch-points with cybersecurity thought leaders over the years. In his current role as OutThink's Executive Vice President for Technology and Analytics, he works with customers and industry leaders to build a quantitative framework for evolving security awareness into human risk management.
In this article
Cybersecurity Human Risk Management Metrics Improve Reporting
Measuring Cybersecurity Human Risk in an Organization
Business Impact Analysis of Cybersecurity Human Risk Quantification
Differentiating Cyber Risk from Operational Risk
Disaster Recovery (DR) Planning in Cybersecurity Human Risk Management
Defining Incidents in Cybersecurity Human Risk Management
The Role of Enterprise Risk Management (ERM) in Cybersecurity Human Risk Management
Cybersecurity Human Risk Quantification Teams
Cybersecurity Human Risk Management Benchmarks
Cybersecurity Human Risk Management Value at Risk Analysis
Building the Business Case for Cybersecurity Human Risk Management
Discover OutThink's Human Risk Intelligence
There are many reasons to pursue risk quantification in Cybersecurity Human Risk Management. Part of the purpose of implementing Cybersecurity Human Risk Management is to take a more targeted and tailored approach to human-centric security. This requires metrics around people’s attitudes, behaviors, knowledge and various characteristics that can drive adaptive training and automated interventions. This quantification need not be managed manually and should be part and parcel of a modern Cybersecurity Human Risk Management platform for automated allocation of training content to users and automated employee access controls.
Cybersecurity Human Risk Management Metrics Improve Reporting
Thanks to risk quantification, the head of CHRM in an organization is able to generate much more meaningful reporting and insightful data for the CISO, business leaders, and even the board. Whereas legacy security awareness approaches would enable security teams to only measure completion rates, phishing click rates, and, in some cases, reporting rates, a modern Cybersecurity Human Risk Management platform enables the measurement of human risk exposure in the organization and how that overall level changes over time.
Measuring Cybersecurity Human Risk in an Organization
We caught up with Matt Webster, a CISO at Cyvergence and industry advisor, in a recent episode of the Engage & Secure podcast. Matt shared some of his thoughts around the topic of risk quantification with us, which we thought we could summarize briefly in the remainder of this post.
Business Impact Analysis of Cybersecurity Human Risk Quantification
One of the core practices in quantifying risk is conducting Business Impact Analyses (BIAs). These are studies to determine what would happen in case of disruption in technology capability, or loss of data, or an intrusion into the network. The focus of a BIA on risk assessment and mitigation allows these studies to better identify vulnerabilities and their potential effects, offering insights that extend beyond traditional operational evaluations.
Differentiating Cyber Risk from Operational Risk
While cyber risk and operational risk share some overlap, they remain distinct domains. Cyber risk involves specific threats such as data breaches or ransomware attacks and includes components like legal liabilities and forensic investigations. In contrast, operational risk affects the broader business workstreams and often includes black swan events, which are challenging to quantify. The two overlap by about 50%, yet they require different mitigation strategies.
Disaster Recovery (DR) Planning in Cybersecurity Human Risk Management
Disaster recovery is the organization's contingency plan for operational risk. DR planning should primarily reside within IT teams. These plans help organizations map out their current state and identify areas for improvement. Incorporating tabletop exercises, which simulate real-world scenarios, is critical: these exercises surface business continuity problems and help ensure an effective disaster response.
Defining Incidents in Cybersecurity Human Risk Management
Determining what constitutes a security incident can be nuanced. For example, is an Nmap scan against a website, a common reconnaissance technique, considered an incident? Similarly, distinguishing between a broad scan and a specialized "Christmas scan" can complicate incident filtering for Security Operations Centers (SOCs). Clear criteria for incident classification help SOCs focus on genuine threats. The number of incidents an organization counts will depend on what it characterizes as an incident.
For anything that gets catalogued as an incident of a sufficiently high urgency, it’s useful to conduct a Root Cause Analysis (RCA), which is typically the domain of IT teams rather than the Security team. Conducting thorough RCAs ensures that the underlying causes of incidents are identified and addressed, preventing recurrence.
The Role of Enterprise Risk Management (ERM) in Cybersecurity Human Risk Management
Enterprise Risk Management integrates cybersecurity into broader risk considerations. Key players include:
Chief Counsel: Handles legal issues, including privacy and regulatory compliance.
Chief Risk Officer (CRO): Focuses on evaluating and managing risk.
Chief Financial Officer (CFO): Assesses financial exposure and value at risk.
Internal Audit: Internal audits often address Environmental, Social, and Governance (ESG) issues alongside cybersecurity. Organizations increasingly recognize the interconnected nature of ESG concerns and cyber risk.
Cybersecurity Human Risk Quantification Teams
Larger organizations and some cyber-insurance companies have dedicated teams for risk quantification. These teams are often involved in BIAs and work with business analyst teams to understand value at risk data, categorizing potential impacts as low, medium, or high. Effective quantification supports strategic decision-making and building business cases for projects where risk is a significant enough consideration.
Cybersecurity Human Risk Management Benchmarks
When it comes to incident benchmarks, the Verizon DBIR is a good source of current data. It is the largest and most reputable source in the industry, and it is updated each year. Some interesting benchmarks are data points such as the cost of different types of breaches: for example, a BEC breach typically costs organizations $50k. The median loss for ransomware is similar at $46k per breach. Of course, these are broad industry numbers; the actual costs for an organization will depend on its value at risk, number of customers, business model and revenues.
Cybersecurity Human Risk Management Value at Risk Analysis
Understanding value at risk involves evaluating both the maximum loss scenario and the minimum likely loss. This helps organizations prepare for worst-case scenarios while setting realistic expectations for typical outcomes.
To align discussions about cyber or operational risk, value at risk metrics like cost per record breached or cost per day of downtime frequently emerge. These numbers illustrate the tangible financial impact of cyber incidents. Unfortunately, there are no known public repositories of this type of data at the moment. If they exist anywhere, these data sit in the reference tables of cyber-insurance actuarial models.
Building the Business Case for Cybersecurity Human Risk Management
Developing a business case for cybersecurity investments involves highlighting the benefits gained from those investments. The benefits will fall into several categories, such as:
Time saved for users and security teams
Risk reduction
Operational efficiency
Reduced cybersecurity insurance premiums
All of these categories need to be translated into dollars. This is a straightforward exercise for staff hours or days saved, using a fully loaded FTE cost. It is less straightforward for cybersecurity risk or operational risk, hence the discussion above.
When it comes to cybersecurity, every dollar invested should yield substantial returns. Organizations should seek a minimum return of $3 for every $1 invested, though in some instances that number can be as high as $8-10. Not only does better security enhance organizational resilience, but it also can provide measurable financial benefits.
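The value at risk and business-case arithmetic described above, worked through end to end as an added example (this is not code from the article or from OutThink). Every figure in it is constructed for illustration: the scenario names, the cost-per-record and cost-per-day values, the likelihoods, the loaded hourly rate and the investment amount are all assumptions, not benchmarks. The script builds a loss range (minimum likely loss and maximum loss) from per-record and per-day costs, derives an expected annual loss from scenario likelihoods, converts the four benefit categories into dollars, and checks the resulting ratio against the $3-per-$1 threshold.

```python
"""Value at risk range and business-case ratio for a human risk management
investment. Added illustration only; all numbers below are constructed."""
from dataclasses import dataclass


@dataclass
class LossScenario:
    """One incident type expressed through the value at risk metrics the
    article names: cost per record breached and cost per day of downtime."""
    name: str
    records: int            # records exposed (constructed)
    cost_per_record: float  # dollars per breached record (constructed)
    downtime_days: float    # days of disruption (constructed)
    cost_per_day: float     # dollars per day of downtime (constructed)
    annual_likelihood: float  # chance the scenario occurs in a year (constructed)

    def loss(self) -> float:
        """Single-occurrence loss for this scenario."""
        return self.records * self.cost_per_record + self.downtime_days * self.cost_per_day


def value_at_risk(scenarios):
    """Return (minimum likely loss, maximum loss) across the scenarios, i.e.
    the two ends of the range the article says an organization should size."""
    losses = [s.loss() for s in scenarios]
    return min(losses), max(losses)


def expected_annual_loss(scenarios):
    """Likelihood-weighted loss over a year; this is the quantity a risk
    reduction percentage is applied to when building the business case."""
    return sum(s.annual_likelihood * s.loss() for s in scenarios)


@dataclass
class BusinessCase:
    investment: float
    hours_saved: float          # user and security-team hours saved
    loaded_hourly_rate: float   # fully loaded FTE cost per hour (assumed)
    expected_loss: float        # expected annual loss before the investment
    risk_reduction: float       # fraction of expected loss avoided (assumed)
    efficiency_savings: float   # operational efficiency, already in dollars
    premium_reduction: float    # cyber-insurance premium reduction, in dollars

    def benefits(self) -> dict:
        """Each of the article's benefit categories translated into dollars."""
        return {
            "time_saved": self.hours_saved * self.loaded_hourly_rate,
            "risk_reduction": self.expected_loss * self.risk_reduction,
            "operational_efficiency": self.efficiency_savings,
            "insurance_premiums": self.premium_reduction,
        }

    def roi_ratio(self) -> float:
        """Dollars of benefit returned per dollar invested."""
        return sum(self.benefits().values()) / self.investment

    def meets_threshold(self, minimum: float = 3.0) -> bool:
        """True when the case clears the $3-per-$1 minimum (or a stricter one)."""
        return self.roi_ratio() >= minimum


# Constructed scenarios: the figures are placeholders, not industry data.
SCENARIOS = [
    LossScenario("ransomware", records=20000, cost_per_record=2.0,
                 downtime_days=5, cost_per_day=8000.0, annual_likelihood=0.2),
    LossScenario("bec", records=500, cost_per_record=10.0,
                 downtime_days=1, cost_per_day=8000.0, annual_likelihood=0.5),
]


def example_case() -> BusinessCase:
    """Assemble a business case from the constructed scenarios above."""
    return BusinessCase(
        investment=15000.0,
        hours_saved=400,
        loaded_hourly_rate=75.0,
        expected_loss=expected_annual_loss(SCENARIOS),
        risk_reduction=0.4,
        efficiency_savings=5000.0,
        premium_reduction=6000.0,
    )


if __name__ == "__main__":
    low, high = value_at_risk(SCENARIOS)
    print(f"value at risk range: ${low:,.0f} to ${high:,.0f}")
    print(f"expected annual loss: ${expected_annual_loss(SCENARIOS):,.0f}")
    case = example_case()
    for category, dollars in case.benefits().items():
        print(f"  {category}: ${dollars:,.0f}")
    print(f"return per dollar: {case.roi_ratio():.2f}, "
          f"meets 3:1 threshold: {case.meets_threshold()}")
```

The design keeps the loss range and the expected loss separate on purpose: the range answers the worst-case and typical-case question from the value at risk discussion, while the likelihood-weighted figure is the one that can be multiplied by a risk reduction percentage and added to the time, efficiency and premium savings. Swapping the constructed numbers for an organization's own per-record, per-day and FTE figures is the only change needed to reuse it.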
Quantify Cybersecurity Human Risk with OutThink
Discover OutThink's Human Risk Intelligence