There are many reasons to desire quantification in Cybersecurity Human Risk Management. Part of the purpose of implementing CHRM is to take a more targeted and tailored approach to human-centric security. This requires metrics around people’s attitudes, behaviors, knowledge and various characteristics that can drive adaptive training and automated interventions. This quantification does not need to be managed manually and can be internal to a modern CHRM platform for automated allocation of content and controls to the employees being protected. This is a fundamental level of quantification that forms the basis of the CHRM program.
Out of this quantification, the head of CHRM in the organization is, however, able to generate much more meaningful reporting and engaging data for reporting to the CISO, business leaders and even the board. Whereas legacy security awareness approaches would enable the team to only measure completion rates, phishing click rates and in some cases reporting rates, with a modern CHRM platform it is finally possible to measure the level of human risk exposure in the organization and how that overall level changes with time.
Measuring the level of risk in the organization
We caught up with Matt Webster, a CISO at Cyvergence and industry advisor in a recent episode of the Engage & Secure podcast. Matt shared some of his thoughts around the topic of risk quantification with us, which we thought we could summarize briefly in the remainder of this post.
Business Impact Analysis
One of the core practices in quantifying risk is conducting Business Impact Analyses (BIAs). These are studies to determine what would happen in case of disruption in technology capability, or loss of data, or an intrusion into the network. The focus of a BIA on risk assessment and mitigation allows these studies to better identify vulnerabilities and their potential effects, offering insights that extend beyond traditional operational evaluations.
Differentiating Cyber Risk from Operational Risk
While cyber risk and operational risk share some overlap, they remain distinct domains. Cyber risk involves specific threats such as data breaches or ransomware attacks and includes components like legal liabilities and forensic investigations. In contrast, operational risk affects the broader business workstreams and often includes black swan events, which are challenging to quantify. The two share about 50% of overlap, yet require different mitigation strategies.
Disaster Recovery (DR) Planning
Disaster recovery is the organization’s contingency for operational risk. DR planning should primarily reside within IT teams. These plans help organizations map out their current state and identify areas for improvement. Incorporating tabletop exercises, which simulate real-world scenarios, is critical: these exercises surface business continuity problems and ensure an effective disaster response.
Incidents
Determining what constitutes a security incident can be nuanced. For example, is an NMAP scan against a website—a common reconnaissance technique—considered an incident? Similarly, distinguishing between a broad scan and a specialized “Christmas scan” can complicate incident filtering for Security Operations Centers (SOCs). Clear criteria for incident classification help SOCs focus on genuine threats. The number of incidents an organization records will depend on what it characterizes as an incident.
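The point that the incident count depends on the classification criteria is easiest to see when the criteria are written down and applied to a batch of events. The following is an added example, not code from the post or the podcast, and the policy it encodes is hypothetical: a source that sends Christmas-flagged packets (FIN, PSH and URG all set) is always an incident, a source probing many distinct ports is a broad port scan whose incident status is a policy switch, and everything else is noise. The event records and IP addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of connection records, shaped like what a firewall or
# NIDS would export: (source IP, destination port, set of TCP flags seen).
# Addresses are documentation ranges; none of this is real traffic.
SAMPLE_EVENTS = (
    # one source probing twelve ports with ordinary SYN packets: a broad scan
    [("198.51.100.7", port, {"SYN"}) for port in range(20, 32)]
    # one source sending packets with FIN, PSH and URG all set: a Christmas scan
    + [("203.0.113.9", port, {"FIN", "PSH", "URG"}) for port in (22, 80, 443)]
    # one source making a couple of normal connections to the web server
    + [("192.0.2.44", 443, {"SYN"}), ("192.0.2.44", 443, {"SYN", "ACK"})]
)

# The flag combination that defines a Christmas (Xmas tree) scan.
XMAS_FLAGS = frozenset({"FIN", "PSH", "URG"})


@dataclass
class Classification:
    source: str
    category: str        # "xmas_scan", "port_scan" or "noise"
    incident: bool       # True only if the policy says this opens a ticket
    distinct_ports: int


def classify(events, scan_threshold=10, broad_scan_is_incident=False):
    """Apply an explicit, hypothetical incident policy to a batch of events.

    - A source that sends any Xmas-flagged packet is a "xmas_scan" and is
      always an incident (specialised reconnaissance, not background noise).
    - A source touching at least `scan_threshold` distinct ports is a
      "port_scan"; whether that counts as an incident is a policy switch.
    - Everything else is "noise" and never an incident.
    """
    ports_by_source = defaultdict(set)
    xmas_by_source = defaultdict(int)
    for source, port, flags in events:
        ports_by_source[source].add(port)
        if XMAS_FLAGS <= frozenset(flags):
            xmas_by_source[source] += 1

    results = {}
    for source, ports in ports_by_source.items():
        if xmas_by_source[source] > 0:
            results[source] = Classification(source, "xmas_scan", True, len(ports))
        elif len(ports) >= scan_threshold:
            results[source] = Classification(source, "port_scan", broad_scan_is_incident, len(ports))
        else:
            results[source] = Classification(source, "noise", False, len(ports))
    return results


def count_incidents(results):
    """How many sources the policy turned into incidents."""
    return sum(1 for c in results.values() if c.incident)


if __name__ == "__main__":
    scans_excluded = classify(SAMPLE_EVENTS)
    scans_included = classify(SAMPLE_EVENTS, broad_scan_is_incident=True)
    for c in scans_excluded.values():
        print(f"{c.source:15} {c.category:10} ports={c.distinct_ports:2} incident={c.incident}")
    print("incidents with broad scans excluded:", count_incidents(scans_excluded))
    print("incidents with broad scans included:", count_incidents(scans_included))
```

Running the same three sources through the policy twice, once with broad scans excluded and once with them included, yields one incident and then two: the traffic did not change, only the criteria did, which is exactly why incident counts are only comparable between organizations (or between years) when the classification rule is stated alongside them.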
For anything that gets catalogued as an incident of a sufficiently high urgency, it’s useful to conduct a Root Cause Analysis (RCA), which is typically the domain of IT teams rather than the Security team. Conducting thorough RCAs ensures that the underlying causes of incidents are identified and addressed, preventing recurrence.
The Role of Enterprise Risk Management (ERM)
Enterprise Risk Management integrates cybersecurity into broader risk considerations. Key players include:
- Chief Counsel: Handles legal issues, including privacy and regulatory compliance.
- Chief Risk Officer (CRO): Focuses on evaluating and managing risk.
- Chief Financial Officer (CFO): Assesses financial exposure and value at risk.
- Internal Audit: Internal audits often address Environmental, Social, and Governance (ESG) issues alongside cybersecurity. Organizations increasingly recognize the interconnected nature of ESG concerns and cyber risk.
Risk Quantification Teams
Larger organizations and some cyber-insurance companies have dedicated teams for risk quantification. These teams are often involved in BIAs and work with business analyst teams to understand value-at-risk data, categorizing potential impacts as low, medium, or high. Effective quantification supports strategic decision-making and building business cases for projects where risk is a significant enough consideration.
Benchmarks
When it comes to incident benchmarks, the Verizon DBIR is a good source of current data. It is the largest and most reputable source for this in the industry, and it is updated each year. Some interesting benchmarks are data points such as the cost of different types of breaches, e.g., a BEC breach typically costs organizations $50k. The median loss for ransomware is similar at $46k per breach. Of course, these are broad industry numbers; the actual costs for an organization will depend on its value at risk, number of customers, business model and revenues.
Understanding value at risk involves evaluating both the maximum loss scenario and the minimum likely loss. This helps organizations prepare for worst-case scenarios while setting realistic expectations for typical outcomes.
To align discussions about cyber or operating risk, value-at-risk metrics like cost per record breached or cost per day of downtime frequently emerge. These numbers illustrate the tangible financial impact of cyber incidents. Unfortunately, there are no known repositories of this type of data at the moment. If anywhere, these data exist in reference tables of cyber-insurance actuarial models.
Third-Party Risk Management
Third-party risk comes in multiple forms. It could be the Software Bill of Materials (SBOM) of purchased technology, it can be unsecure IoT components in purchased equipment, or it can be services vendors. The best approach is to flag third parties as part of a BIA or other risk calculations, and assign the risk values accumulated by each third party. Assessing which metrics and risk factors apply to external partners is critical for maintaining a secure supply chain.
Business Case for Cybersecurity
Developing a business case for cybersecurity investments involves highlighting the benefits gained from those investments. The benefits will fall into several categories, such as:
- Time saved for users and security teams
- Risk reduction
- Operational efficiency
- Reduced cybersecurity insurance premiums
All of these categories need to be translated into dollars. For staff hours or days this is a straightforward exercise using a fully loaded FTE cost; for cybersecurity risk or operational risk it is less straightforward, hence the discussion above.
When it comes to cybersecurity, every dollar invested should yield substantial returns. Organizations should seek a minimum return of $3 for every $1 invested, though in some instances that number can be as high as $8-10. Not only does better security enhance organizational resilience, but it also can provide measurable financial benefits.
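The value-at-risk discussion above (cost per record breached, cost per day of downtime, minimum likely loss versus maximum loss) and the business-case arithmetic (four benefit categories translated into dollars and compared against the $3-per-$1 threshold) fit together in one small model. The following is an added example, not code from the post or from anyone quoted in it; every dollar figure, record count, downtime estimate and likelihood in it is constructed for illustration, the `LossScenario`, `value_at_risk`, `expected_loss` and `business_case` names are hypothetical, and the annual likelihoods used to turn a loss into an expected loss are an assumption the post does not make.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One outcome from a BIA, priced with the two value-at-risk metrics the
    post mentions: cost per record breached and cost per day of downtime.
    The record and downtime ranges are the scenario's best and worst case."""
    name: str
    records_min: int
    records_max: int
    cost_per_record: float
    downtime_days_min: float
    downtime_days_max: float
    cost_per_downtime_day: float

    def loss_range(self):
        """(minimum likely loss, maximum loss) for this scenario, in dollars."""
        low = (self.records_min * self.cost_per_record
               + self.downtime_days_min * self.cost_per_downtime_day)
        high = (self.records_max * self.cost_per_record
                + self.downtime_days_max * self.cost_per_downtime_day)
        return low, high


def value_at_risk(scenarios):
    """Overall range across scenarios: the smallest minimum likely loss and the
    largest maximum loss, which is what realistic-expectation and worst-case
    planning respectively hang on."""
    ranges = [s.loss_range() for s in scenarios]
    return min(low for low, _ in ranges), max(high for _, high in ranges)


def expected_loss(likelihood, loss):
    """Annualised expected loss; likelihood is an ASSUMED yearly probability."""
    return likelihood * loss


def business_case(investment, hours_saved, loaded_hourly_cost,
                  expected_loss_before, expected_loss_after,
                  efficiency_gain, premium_reduction, minimum_ratio=3.0):
    """Translate the four benefit categories into dollars and compare the
    total with the investment. Returns (total benefit, ratio, meets threshold)."""
    benefits = {
        "time_saved": hours_saved * loaded_hourly_cost,      # fully loaded FTE cost
        "risk_reduction": expected_loss_before - expected_loss_after,
        "operational_efficiency": efficiency_gain,
        "premium_reduction": premium_reduction,
    }
    total = sum(benefits.values())
    ratio = total / investment
    return total, ratio, ratio >= minimum_ratio


# Constructed inputs for illustration; nothing here is a published benchmark.
SCENARIOS = [
    LossScenario("customer database breach", 2_000, 50_000, 150.0, 0.0, 2.0, 20_000.0),
    LossScenario("ransomware on file servers", 0, 0, 0.0, 1.0, 10.0, 20_000.0),
]


if __name__ == "__main__":
    for s in SCENARIOS:
        low, high = s.loss_range()
        print(f"{s.name}: ${low:,.0f} to ${high:,.0f}")
    low, high = value_at_risk(SCENARIOS)
    print(f"overall value at risk: ${low:,.0f} (minimum likely) to ${high:,.0f} (maximum)")

    total, ratio, ok = business_case(
        investment=100_000.0,
        hours_saved=2_000, loaded_hourly_cost=75.0,
        expected_loss_before=expected_loss(0.20, 1_000_000.0),
        expected_loss_after=expected_loss(0.10, 1_000_000.0),
        efficiency_gain=40_000.0, premium_reduction=15_000.0,
    )
    print(f"benefit ${total:,.0f}, ${ratio:.2f} per $1 invested, meets 3:1 target: {ok}")
```

With the constructed inputs the database-breach scenario spans $300,000 to $7,540,000 and the ransomware scenario $20,000 to $200,000, so the overall value at risk is quoted as a range rather than a single number. The business case clears the 3:1 target only narrowly (3.05), and halving the hours saved drops it below; the risk-reduction line is the one figure that depends on an assumed likelihood, which is why it deserves the most scrutiny when the case is presented.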