Cyber risk quantification

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cvnxena (talk | contribs) at 17:47, 8 September 2020 (explained more clearly the initial terminology of cyber risk quantification as it has evolved since this was posted. Also updated to include newer frameworks being used currently in Cyber security.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Cyber risk quantification is the process of turning risk into a mathematical or financial figure in order to make more informed infrastructure or risk transfer decisions based on the level of exposure in the organization. Cyber risk quantification involves evaluating the cyber risks that have been identified during risk assessment, and then validating, measuring and analyzing the available cyber data to give a percentage of risk or financial value of the impact of the risk. This data is then used in decision-making by board members or 'non-technical' decision-makers. Cyber risk quantification is a supporting activity to cybersecurity risk management; cybersecurity risk management is a component of enterprise risk management and is especially important in organizations and enterprises that are highly dependent upon their information technology (IT) networks and systems for their business operations.

One method of quantifying cyber risk is the value-at-risk (VaR) method that was discussed at the January 2015 World Economic Forum meeting (see external reference below). At this meeting, VaR was studied and deemed to be a viable method of quantifying cyber risk.

A newer and simpler method of quantifying cyber risk is the Boardish[1] framework, released in 2019, which extends the NIST framework for risk assessment to include a quantification element. Its analytical formula was the first of its kind to express the result as financial impact figures (money) rather than as the traditional percentages. This has made the quantification process more efficient and has allowed many businesses to reduce the time spent communicating technical risk to decision-makers, speeding up budgeting and risk mitigation.

Tools

Cyber-risk quantification can be an automated or software-supported process that allows users to construct mathematical models to quantify cyber-security risks; examples of the underlying methods are:

  • Statistical mechanics and probability theory

Mathematical definition

The mathematical definition of cyber-risk is as follows:

  • Cyber-Risk = 1 - Cyber-Confidence

'Cyber-Confidence' is derived from the tests that have actually been executed and passed. This value can be converted to a statistical probability, and the associated Cyber-Risk calculated from it:

  • Example 1: 'a certain number' of tests have been executed and passed. Suppose this yields a defect-free confidence of 97.43%. Answer: Cyber-Risk = 2.57%.
  • Example 2: all 65,536 TCP ports and 65,536 UDP ports are confirmed to be dead or inactive on an asset; how resistant to penetration is it? Answer: Cyber-Confidence = 99.83%, Cyber-Risk = 0.17%.

Typically, this form of Cyber-Confidence and/or Cyber-Risk estimation is termed "Testimation" because:

  • It can be applied to estimate the number of tests required for any desired level of Cyber-Confidence
  • It can be applied to estimate the Cyber-Confidence (and Cyber-Risk) based upon the number of tests which have actually been executed and passed

References

  1. "Boardish - IT and Cyber That Speaks The Board's Language". Boardish. Retrieved September 8, 2020.