News & Blogs

Beyond the Numbers: Quantifying Cyber Risk for Strategic Business Decisions

Global · · normanmarks.wordpress.com

This article challenges the conventional approach to quantifying cyber risk, arguing that a single monetary figure is insufficient for effective decision-making. It advocates for a business-centric perspective, focusing on the impact of cyber incidents on enterprise objectives and guiding strategic investments in cybersecurity. Internal audit and assurance professionals should consider how their cyber risk assessments align with business goals and facilitate actionable insights for leadership.


The Imperative of Business-Centric Cyber Risk Quantification

The author, Norman Marks, emphasizes that the primary purpose of quantifying cyber risk is not merely to arrive at a monetary figure, but to answer critical business questions. Specifically, organizations need to determine if action is required to mitigate risk to business objectives and how much to invest in cybersecurity, considering various constraints. These constraints include the effectiveness of available options, diminishing returns on investment, resource availability, competition for resources, liquidity needs, and the evolving threat landscape. A single, isolated dollar value, such as $420 million, lacks context and actionable meaning for executive leadership and boards.

Shifting Focus from Assets to Enterprise Objectives

Marks critiques methodologies like FAIR and ISO for their focus on quantifying the "effect on information assets." Instead, he advocates for assessing the "adverse effect of a breach on the achievement of enterprise objectives." This shift in perspective acknowledges that a cyber breach can have a range of potential effects, each with its own likelihood, rather than a single, fixed impact. Furthermore, different types of breaches (e.g., ransomware, data theft, disruption) will have distinct effects and likelihood distributions. Key factors to consider in this broader quantification include the frequency and duration of unacceptable effects, the time to discovery and remediation, and the likelihood of multiple concurrent breaches.

A Practical Approach for Boards and Executives

For boards and CEOs, Marks proposes a practical, scenario-based approach. This involves the CISO collaborating with other executives (CIO, CFO, COO) to define scenarios that would have an unacceptable impact on the business and its objectives. For example, a ransomware attack shutting down an ERP system for an extended period. The discussion would then revolve around the likelihood and cost of such scenarios, the acceptability of the risk, and the most effective and business-sensible preventative or mitigating actions. This approach moves beyond technical vulnerabilities and threats, directly addressing the impact on business outcomes and guiding strategic investment decisions. It ensures that cybersecurity discussions are framed within the context of overall business strategy and objectives, making them more relevant and actionable for leadership.

  • Quantify cyber risk to answer business questions, not just for a number.
  • Focus on the impact of breaches on enterprise objectives, not just information assets.
  • Consider a range of potential effects and their likelihoods, not a single value.
  • Engage C-suite executives in scenario-based discussions to define unacceptable impacts.
  • Prioritize investments based on business sense and alignment with strategic goals.

Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →