Cyber risk quantification

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cyber-Risk 1968 (talk | contribs) at 07:40, 24 February 2020. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Cyber-Risk Quantification involves the application of risk quantification techniques to an organization's Cyber-Security Risk. It is the process of evaluating the Cyber-Risks that have been identified and then validating, measuring and analysing the available Cyber-Data using mathematical modelling techniques, so as to represent the organization's Cyber-Security environment accurately in a form that supports informed Cyber-Security infrastructure investment and risk transfer decisions. Cyber-Risk Quantification is a supporting activity to Cyber-Security Risk Management, which in turn is a component of Enterprise Risk Management; it is especially important in organizations and enterprises whose business operations depend heavily on their Information Technology (IT) networks and systems.

One method of quantifying Cyber-Risk is the Value-at-Risk (VaR) method discussed at the January 2015 World Economic Forum meeting (see external reference below). At this meeting, VaR was investigated and deemed a viable method of quantifying Cyber-Risk; other methods of quantifying Cyber-Risk also exist (refer to the sections below). To quantify Cyber-Risk, however, one must first define it. Cyber-Security concerns (e.g. system penetration by external actors) are only one component of Cyber-Risk; other components include Functional and Non-Functional triggers related to the programme code itself (e.g. Internet Banking transacting inappropriately or unintentionally). Indeed, all Cyber-Risks share a single common description: they all represent undiscovered defects of some form. Once a Cyber-Risk is known, it is no longer a Risk but an Issue, and it can be countered or prevented.

A commonly overlooked requirement pertaining to Cyber-Risk is that one must first know one's Cyber-Confidence. Given that Risk represents the unknowns, one must first quantify the knowns (i.e. the Confidence) in order to calculate the unknowns. Quantifying Cyber-Risk before quantifying Cyber-Confidence is meaningless (refer to the Mathematical Definition section). Unfortunately, the need to understand Cyber-Confidence before determining Cyber-Risk is most often bypassed:

  • Practical analogy:
    • Before crossing a busy street, one assesses one's Confidence of being able to execute the manoeuvre before assessing the Risk of doing so
  • Important takeaways:
    • Understanding Cyber-Confidence always precedes understanding Cyber-Risk
    • Cyber-Risk can only ever be calculated; it can never be measured directly, because it represents 'the unknown'. However, Cyber-Risk can be predicted using Mathematics (refer to the Tools section)
    • The equation shown in the Mathematical Definition section contains two variables (Cyber-Risk and Cyber-Confidence). If both are unknown, the equation cannot be solved; hence, knowledge of at least one of them is always required

Any device or apparatus connected to the internet (e.g. Smart-Phone, Smart-Watch, PC etc.) is part of an infinitely large Information System. This means that the centre of any infinitely large Information System is wherever the User happens to access it. For example, if a User accesses his or her Smart-Watch for weather information, he or she is literally at the centre of an infinitely large Information Universe. A practical analogy is The Cosmos:

  • Question = Where is the centre of The Universe?
  • Answer = Everywhere, due to Cosmological Space-Time Expansion

The same is true of infinitely large Information Systems, but rather than the expansion of Space-Time, computerised systems deal with the expansion of Information-Space. Since the boundary of the internet is at any instant indefinable and is expanding non-linearly (i.e. more devices come on-line daily), the Internet takes the form of an infinitely large Information System. Any sufficiently large Information Sub-System connected to the Internet (e.g. Corporate Systems, Government Systems, Military Systems etc.) may be mathematically described as its own Universe interacting with a Multiverse (a population of Universes). Consequently, the larger an Information System becomes, the more randomly distributed its Information-Space becomes, and the easier it becomes to model mathematically. Therefore, for an infinitely large Information Sub-System, the Functional Processes coded within it obey a Statistical Distribution (see below):

  • A Functional Process (in this context) is defined as a string of Function Points executed by a User in order to perform their work (job)

Statistical Distribution of Functionality across Infinitely Large Information Sub-Systems

  Functionality                                                | Code Coverage | Cyber-Confidence | Residual Cyber-Risk | Cost of Testing
  Critical Priority                                            | 80.22%        | 80.22%           | 19.78%              | X
  Critical + High Priority                                     | 93.15%        | 93.15%           | 6.85%               | 2X
  Critical + High + Moderate Priority                          | 97.43%        | 97.43%           | 2.57%               | 3X
  Critical + High + Moderate + Low Priority                    | 99%           | 99%              | 1%                  | 4X
  Critical + High + Moderate + Low + 25% Redundancy            | 99.6%         | 99.6%            | 0.4%                | 5X
  Critical + High + Moderate + Low + 50% Redundancy            | 99.84%        | 99.84%           | 0.16%               | 6X
  Critical + High + Moderate + Low + 75% Redundancy            | 99.93%        | 99.93%           | 0.07%               | 7X
  Critical + High + Moderate + Low + 100% Redundancy           | 99.97%        | 99.97%           | 0.03%               | 8X
  Everything (includes testing all pathways through Internet)  | 100%          | 100%             | 0%                  | Infinite

'Redundancy' does not pertain to importance:
  • It relates to the probability that a specific (rarely used) Functional Process will be executed by Users

Tools

Cyber-Risk Quantification can be an automated or software-supported process that allows Users to construct mathematical models to quantify Cyber-Security Risks; examples are:

  [Figure: Cyber-Confidence / Cyber-Risk. Caption: Example of Cyber-Confidence Measurement based upon TCP and UDP Ports; Cyber-Risk = 0.17%]
  • Statistical Mechanics and Probability Theory (illustrated in the figure above)
  • Common Vulnerability Scoring System Calculator (NIST) (FIRST)

Mathematical Definition

The mathematical definition of Cyber-Risk is as follows:

  • Cyber-Risk = 1 - Cyber-Confidence

'Cyber-Confidence' is the set of tests which have actually been executed and passed. This value can be converted to a statistical probability and the associated Cyber-Risk calculated:

  • Example-1: 'A certain number' of tests have been executed and passed. Suppose that this yields a Defect-Free Confidence of 97.43%. Answer: Cyber-Risk = 2.57%.
  • Example-2: All 65,536 TCP ports and 65,536 UDP ports are confirmed to be dead or inactive on an asset; how resistant to penetration is it? Answer: Cyber-Confidence = 99.83%, Cyber-Risk = 0.17%

Typically, this form of Cyber-Confidence and/or Cyber-Risk estimation is termed Testimation because:

  • It can be applied to estimate the number of tests required for any desired level of Cyber-Confidence
  • It can be applied to estimate the Cyber-Confidence (& Cyber-Risk) based upon the number of tests which have actually been executed & passed

An Australian company[1] has developed specialised technology to predict and measure Cyber-Risk in this manner.

References

  1. ^ "Testimation Cyber-Risk". www.testimation.com. Retrieved February 18, 2020.