Cyber risk quantification

Cyber risk quantification involves the application of risk quantification techniques to an organization's cybersecurity risk. Cyber risk quantification is the process of evaluating the cyber risks that have been identified and then validating, measuring and analyzing the available cyber data using mathematical modeling techniques to accurately represent the organization's cybersecurity environment in a manner that can be used to make informed cybersecurity infrastructure investment and risk transfer decisions. Cyber risk quantification is a supporting activity to cybersecurity risk management; cybersecurity risk management is a component of enterprise risk management and is especially important in organizations and enterprises that are highly dependent upon their information technology (IT) networks and systems for their business operations.

One method of quantifying cyber risk is the value-at-risk (VaR) method that is discussed at the January 2015 World Economic Forum meeting. At this meeting, VaR was studied and researched and deemed to be a viable method of quantifying cyber risk.

A well known framework for cyber risk quantification is called FAIR^TM ( Factor Analysis of Information Risk). The FAIR Institute is a non-profit professional organization committed to furthering the science of cyber and operational risk measurement and management.

Cyber-Risk Quantification can be an automated or software supported process allowing Users to construct mathematical models to quantify Cyber-Security risks. Cyber risk quantification has gotten increased attention in 2022 with Forrester research analysts beginning to cover the space. Their recent report, The Emerging Cyber Risk Quantification Market: When CISOs Need Decisions, Not More Dashboards highlights the FAIR Model, as well as new entrants in the space who are taking different approaches. One such vendor i
Axio Global
which raised $23M to help companies quantify cyber risk.

Practical Implementations

Cyber risk quantification has been used in a variety of practical applications, including:

# Cyber insurance
# Cyber Security Return on Investment
# Software Mitigation Costs {{Cite web, title=A Model of Information Security and Competition, date = August 2021, ssrn = 3928754, url=https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3928754, url-status=live, last1 = De Corniere, first1 = Alexandre, last2 = Taylor, first2 = Greg, archive-url=https://web.archive.org/web/20211026115635/https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3928754 , archive-date=October 26, 2021

Mathematical definition

The mathematical definition of Cyber-Risk is as follows:
* Cyber-Risk = 1 - Cyber-Confidence

'Cyber-Confidence' is / are the actual executed tests which have passed. This value can be converted to a statistical probability & the associated Cyber-Risk calculated:
* Example-1: 'A certain number' of tests have been executed & passed. Let's imagine that it yields a Defect-Free Confidence of 97.43%. Answer: Cyber-Risk = 2.57%.
* Example-2: All 65,536 TCP ports & 65,536 UDP ports are confirmed to be dead or inactive on an asset; how resistant to penetration is it ? Answer: Cyber-Confidence = 99.83%, Cyber-Risk = 0.17%
Typically, this form of Cyber-Confidence &/or Cyber-Risk estimation is termed Testimation because:
* It can be applied to estimate the number of tests required for any desired level of Cyber-Confidence
* It can be applied to estimate the Cyber-Confidence (& Cyber-Risk) based upon the number of tests which have actually been executed & passed

See also

* Center for Internet Security
* ISO/IEC 27001
* ISO/IEC 27002
* NIST Cybersecurity Framework
FAIR^TM (Factor Analysis of Information Risk)
 
A quantitative bow-tie cyber risk classification and assessment frameworkBetter Quantifying Cyber Exposure Will Help Determine Risk Finance Needs

References

External links

World Economic Forum: Partnering for Cyber Resilience - Towards the Quantification of Cyber Threats

Risk management
Computer security
Risk analysis