Security Think Tank: Financial loss as a key security risk indicator

What should be the key cyber security risk indicator for any business?

Key risk indicators (KRIs) are measurements that help monitor an organisation’s risk and inform how it can be minimised to acceptable levels. As a reporting tool, KRIs enable the security team to capture the attention of executive management and other key stakeholders. If the indicator cannot be measured, then it cannot be used to track risk. If executive management is not concerned by the information that the indicator discloses, it is unlikely to be acted on.

Financial loss represents a common language used across and within organisations, as well as with external parties such as regulators and insurers. Executive management speaks finance and fears loss. Loss can be measured, tracked and adjusted. By modelling and simulating financial loss as part of a quantitative risk assessment, it becomes the key indicator for an organisation’s cyber risk.

There are a number of other indicators that significantly affect the financial loss figure that should be tracked and monitored too, but the headline financial loss figure is the key cyber risk indicator.

It is often the case that executive management does not fully understand the significance of a risk when a threat is rated “high” as it will cause a system outage for 72 hours with a further 48 hours to fix. However, they will understand the risk if told that the organisation will lose £1,500,000 next year due to cyber risk. Such an indicator is meaningful to stakeholders and comparable to other competing concerns. From here, subject to the executive management’s risk appetite, budget can be allocated to remediate the identified cyber risk to acceptable levels.

Calculate the cost

Producing this KRI can be achieved through scenario-based modelling in quantitative risk assessments performed as part of the wider information security management system (ISMS). Quantitative assessments involve financial valuations of business assets and simulations of different loss events to model the probable financial impacts resulting from security incidents.

To model scenarios, random sampling techniques such as Monte Carlo simulation are used to produce thousands of possible outcomes based on the quantitative data provided as part of the assessment. A common output from scenario modelling is the loss exceedance curve, which shows the probability that annual loss will exceed any given amount.

“By modelling and simulating financial loss as part of a quantitative risk assessment, it becomes the key indicator for the organisation’s cyber risk”
Mike Yeomans, Information Security Forum

To generate a scenario, organisations should identify a threat event to simulate, before estimating the number of times (frequency) the threat will affect the organisation over a defined period (typically one year). This frequency should be multiplied by the estimated cost (loss) this threat will cause. The formula produced to do this is simply “risk = frequency x loss”.

Post-incident costs can vary significantly from system repair or replacement and lost opportunity to a fall in share value and legal implications. Frequency and loss data should be obtained from various sources, including incident logs, suppliers, security information and event management (SIEM) systems and calibrated estimates from experienced practitioners.

To apply a Monte Carlo simulation to the above formula, probabilistic and statistical maths is used to produce the many possible outcomes that can occur given the uncertain nature of risk. Through an analysis of the simulation outcomes (or results), a single forecast financial loss figure is produced that can be presented to executive management.
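The procedure above (pick a threat event, estimate its annual frequency and per-event loss, apply risk = frequency x loss, run a Monte Carlo simulation, then summarise the outcomes into one forecast figure and a loss exceedance curve) can be carried out with a short script. The following is an added example, not code from the article or from the Information Security Forum. It assumes a Poisson distribution for event frequency and a log-normal distribution for loss per event parameterised from a calibrated 90% confidence interval; the scenario name, frequency and loss bounds are constructed placeholders, not data from the page.

```python
"""Monte Carlo model for the 'risk = frequency x loss' KRI.

Added example; not code from the original article. All scenario inputs
are constructed placeholders. A real assessment would take them from
incident logs, SIEM data, suppliers and calibrated expert estimates.
"""
import math
import random
import statistics
from dataclasses import dataclass

# z-score bounding a two-sided 90% interval (5th to 95th percentile)
Z_90 = 1.6449


@dataclass
class Scenario:
    """One threat event with calibrated estimates (values constructed)."""
    name: str
    events_per_year: float   # expected frequency over a one-year period
    loss_low: float          # 5th percentile of loss per event (GBP)
    loss_high: float         # 95th percentile of loss per event (GBP)


def lognormal_params(low, high):
    """Convert a 90% confidence interval into log-normal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def sample_poisson(rate, rng):
    """Knuth's inverse-transform Poisson sampler (adequate for small rates)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def analytic_expected_loss(scenario):
    """Closed-form frequency x mean loss, used as a sanity check on the simulation."""
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    return scenario.events_per_year * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_losses(scenario, trials=20_000, seed=1):
    """Simulate `trials` possible years. Each year's loss is the sum of the
    per-event losses for however many events occurred in that year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    annual = []
    for _ in range(trials):
        n_events = sample_poisson(scenario.events_per_year, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def loss_exceedance(annual_losses, thresholds):
    """Loss exceedance curve: P(annual loss > threshold) for each threshold."""
    n = len(annual_losses)
    return [sum(1 for x in annual_losses if x > t) / n for t in thresholds]


def forecast(annual_losses):
    """Headline figures for executive management: expected loss plus a tail value."""
    ordered = sorted(annual_losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {
        "expected_annual_loss": statistics.fmean(annual_losses),
        "loss_at_95th_percentile": p95,
        "probability_of_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


if __name__ == "__main__":
    # Constructed scenario: roughly two incidents a year, each costing
    # somewhere between £50k and £500k with 90% confidence.
    scenario = Scenario("Ransomware on finance systems (constructed)", 2.0, 50_000, 500_000)
    losses = simulate_annual_losses(scenario)
    summary = forecast(losses)
    print(scenario.name)
    print(f"  expected annual loss : £{summary['expected_annual_loss']:,.0f}")
    print(f"  95th percentile loss : £{summary['loss_at_95th_percentile']:,.0f}")
    thresholds = [100_000, 250_000, 500_000, 1_000_000, 2_000_000]
    for t, p in zip(thresholds, loss_exceedance(losses, thresholds)):
        print(f"  P(loss > £{t:>9,}) = {p:5.1%}")
```

The expected annual loss is the single forecast figure the article proposes as the KRI; the exceedance curve and the 95th-percentile value show how much of that risk sits in the tail, which is what an insurer or a board setting a risk appetite will ask about. Re-running the model with a lower frequency or narrower loss interval after a control is funded gives the updated figure needed to track risk over time.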

This figure can serve as the key cyber risk indicator.

Each scenario represents a different threat and therefore the financial loss forecasted for each will vary. Remediation efforts should be prioritised based on the size of the estimated loss. Executive management and other stakeholders need to decide what level of potential loss is acceptable and how much they are prepared to spend to mitigate the risk.

Scenarios should be refined and updated to allow organisations to track risk over time and account for newly budgeted security controls. By calculating a single forecasted financial loss figure, and using it as the key cyber security risk indicator, organisations have the benefit of being able to measure, monitor and control risk in a transparent and comprehensive way.

This was last published in March 2019

