How to Measure Anything in Cybersecurity Risk?


How to measure anything in cybersecurity risk? This article is about how to measure cybersecurity risk. In other words, it presents a framework for understanding and estimating the risk that cyberattacks pose to an organization.

How to Measure Anything in Cybersecurity Risk?

The majority of cyberattacks are financially motivated. So we should seek to measure and limit financial risks, right? Not necessarily. If you think that way, you’re doing risk management wrong. 

One of the biggest mistakes organizations make when managing risk is assuming that all risks can be managed using the same approach. You can’t do that with, say, fire insurance and flood insurance.

By the same token, it’s a mistake to treat cybersecurity risks in the same way as other financial risks. Cybersecurity is a different beast altogether.

The goal of cybersecurity is to reduce risk. But there’s a problem with that: Cybersecurity is hard to get right.

Cyberattacks are growing in sophistication, frequency, and damage. What’s more, the adversaries are getting better at hiding their identities. 

Defining the Threats

The first step in measuring cybersecurity risk is defining the threats to the organization. In theory, that’s a straightforward task: every cybersecurity professional knows what security risks to look for. In practice, however, the process is more difficult.

It turns out that defining the threats is hard because it’s not easy to know how much damage an attack might inflict.

Many factors influence the damage an attack can cause. The most important factor is the value of the data or systems involved. 

For example, if your organization is a large financial institution, then a cyberattack on your systems could disrupt millions of dollars in transactions and potentially cost your customers millions of dollars in losses. 

Launch an Attack

Another major factor is how easy it is to launch an attack. For example, an attack on a nuclear power plant is more dangerous than an attack on a fast-food restaurant. 

And an attack on one nuclear power plant is more dangerous than an attack on a bunch of nuclear power plants. Why? Because launching an attack on multiple facilities would be harder to pull off. 

That’s why the U.S. government uses the word “facility” instead of “building” when referring to critical infrastructure. For example, suppose you have a petroleum refinery and a natural gas transmission company in the same building.

You might think of them as separate buildings, but the Department of Homeland Security views them as a single facility. And the threat is that much greater if an adversary can launch attacks against multiple facilities. 

Computer Systems

A similar logic applies to attacks on computer systems. An attack on a single computer is not as dangerous as an attack on a network of computers. 

And it’s worse if an adversary can launch an attack on multiple networks without being detected. For example, suppose you worked for a large city government and the head of public works wanted to use network infrastructure from a rival city government. 

You might think this was a good idea, but it would be a nightmare for the IT department. They’d have to set up two infrastructures with overlapping functionality and carefully manage the data flowing between them. 

Conclusion

So what does this mean? It means that the more difficult it is to launch an attack, the greater the damage will be if it succeeds. And the more valuable the data involved, the more damage there will be. 

That’s why you can’t treat cybersecurity risk like any other kind of financial risk. You have to treat it differently.
