How do I measure IT security risk?
Risk is a measure of the uncertainty of an event occurring. The key is to focus on how probable or likely an event could be expected to occur, rather than what events are possible.
From the reactions I get, it’s clear that cybersecurity risk reporting is a new component for many people. Whilst I accept that cyber security does require a significant amount of technical expertise, security risk reporting should be treated no differently to other business units such as operations and finance which also require particular skills and importantly, the risk reporting metric should be common too.
Although cyber security is accepted as a business cost, many organisations fail to consider how to assign accountability and wrongly presume that security has always been a part of an IT manager’s responsibility.
IT professionals are very familiar with maturity ratings, which allow comparisons to industry best practice and often use a tick box approach, yet for security this only assists and is not a measure of risk.
I have seen a lot of variety in presentation of security risk, ranging from ‘gut feelings’ to detailed security metrics such as the number of software patches and system vulnerabilities (which are useful tools but crucially mean nothing to decision makers) and whilst these can be useful internal measures, they are insufficient.
How to present cyber security risk?
To enable decision makers to compare and prioritise the various risks and measures, each business unit should present risk as a liability in cash terms.
I accept that IT professionals say it’s hard or impossible for them to quantify cyber risk in financial terms perhaps because they haven’t been asked to do this before. But in my experience, IT technicians are comfortable describing uncertainty using technical obfuscation, yet these complex metrics are ineffective because they do not describe the risk in the same way the rest of the business presents risk.
Good department managers can answer detailed questions about potential losses in cash terms to allow decision makers to maintain an acceptable level of risk. Risk management and internal controls help decision makers understand the risks they are exposed to and put controls in place to counter threats.
Quantification of cyber risk
Risk quantification is a necessary part of any risk management programme, and for information security, risk management can be centred around the confidentiality, integrity, and availability of data.
An effective measure to quantify risk is by using the standard Factor Analysis of Information Risk, commonly known as the FAIR model, which assesses information risk in financial terms.
Business disruption, loss of intellectual property, or a breach of confidential information leading to loss of sales, loss of market share, legal costs, additional work costs are all quantifiable.
The FAIR model is an effective method for gathering data about cybersecurity events from company and industry sources, for associating cash values for different forms of data loss.
According to FAIR, risk is the probable magnitude and probable frequency of a future loss. Both factors are important, and a high magnitude with low frequency can be a low risk and a high frequency with low magnitude can be considered as a high risk.
Aligning with the FAIR model requires a clear definition of where and how the organisation generates revenue makes the most money and creates the most value, therefore where the most financial impact would fall in the event of a cyber-attack.
It is important to understand the types and frequency of likely cyber events that cause a loss. Having access to logs of past security related events, combined with a plan and method for dealing with future threats will better describe the risks and protect your organisation.
We can help, if you’d like us to provide an assessment of your organisation’s IT security risk, please feel welcome to contact us.
Creating a process to measure IT security risks is a straightforward process. Our project approach provides task objectives which can be generally summarised as
- Define the assets
- Determine legal obligations
- Attribute values based on valuation and liability
- Associate grades of loss
- Group threats by characteristic
- Calculate costs of recovery and remediation
Cyber Risk Summary
Risk is a measure of uncertainty and should not focus on what is possible, but on the probability of an event.
Although recent and prominent attacks have resulted in data being encrypted for ransom, the mitigation to protect against this risk is comparatively small. Yet a disproportionate amount of decision making is devoted to resisting this single threat whilst ignoring others, leading to an illusion of risk reduction.
The problem is as much about IT culture, with self policing of risk without independent oversight, and I advocate that the culture of security management and event reporting needs to be changed to provide meaningful insight.
Sytec use a blend of skills to handle the management and security of systems, we are good at this. If you would like us to get involved and assist with an introduction to IT risk management, an asset review or to conduct an audit, please get in touch.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and checks are seperated independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers