Cyber risk quantification - why bother?
“The only man I know who behaves sensibly is my tailor; he takes my measurements anew each time he sees me. The rest go on with their old measurements and expect me to fit them.” – George Bernard Shaw
Very few CISOs and cyber security professionals that we meet are measuring their cyber security performance and impact. That means just about everyone has room to improve, and just about everyone is doing something that is not working as well as it could be.
Boards of Directors and business leaders recognise the danger that cyber risk represents but are concerned that they lack the information needed to make informed decisions about cyber risk. Business leaders need higher quality decision support to judge levels of risk and allocate appropriate resources accordingly.
Cyber risk quantification means a more meaningful and measured conversation about cyber risk
Cyber Risk Quant addresses the problem of ‘immeasurement’. Immeasurement is the absence of a clear means of assessing performance, progress, success or impact on the job. Using cyber risk quantification we design effective management information systems that specifically provide the information that cyber security decision making needs:
Continuously evaluate the risk landscape and priorities against changing business objectives;
Evaluate and communicate risks in line with a defined risk tolerance;
Identify and justify improvements to, or transformation in, cyber security capabilities;
Measure and compare various threats and risk events on an apples-to-apples basis;
Measure the contribution of cyber security capabilities to risk mitigation;
A basis to allocate limited resources amongst various security investments;
A basis of quantitative analysis justifying our cyber security investment requests.
A big part of dealing with immeasurement is introducing methods for quantifying risk, including its sub-components.