In these difficult days budgets are under pressure, but the cyber threat is far from diminished. The Chief Information Security Officer (CISO) is being pressed by the chief financial officer to justify the value of every pound spent, while the chief risk officer wants to understand how cyber risk exposure is changing.
As a cybersecurity community, we have long searched for ways of linking investment to risk reduction: a clear line of sight from the threat groups, through the attack techniques they use and the controls which prevent or detect those techniques, to the likelihood that those controls will actually be effective.
Of course, that is just one element of assessing risk. We also need to know the impact that the attack might have on the organisation, but getting a better grip on likelihood is a good first step.
We had an opportunity to work with one of the largest insurers in the world to try and tackle this challenge. We don’t have all the answers, but we hope this work will be a contribution to advancing the discussion on cyber risk quantification.
Our aim was to build a practical model for estimating likelihood of an attack. Succeeding in that would help the CISO optimise their investments in controls. It had to be usable, linked to the insurer’s existing risk framework, threat led, informed by empirical data and capable of generating useful and actionable insights. No mean feat.
The answer was to bring together a number of existing concepts to build an integrated model. We needed a taxonomy of controls; a consistent set of threat scenarios linked to attack trees that help us understand which controls would make a difference; and a risk engine which had predictive power.
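To make the three elements concrete, here is an added, deliberately small model (not the insurer's risk engine and not code from the original page) that wires a control taxonomy to an attack tree and asks the question the CISO cares about: which single control most reduces the likelihood of the scenario succeeding? Every name, probability and effectiveness figure below is constructed for illustration; the attack tree is an AND/OR tree over technique leaves, and controls are assumed to act independently on the techniques they are mapped to.

```python
"""Attack-tree likelihood with control effectiveness (illustrative, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    """Entry in the control taxonomy: a named control and how often it stops
    a technique it is mapped to (a hypothetical, constructed figure)."""
    name: str
    effectiveness: float  # P(control blocks the technique | control in place)


@dataclass
class Technique:
    """Leaf of the attack tree: one attacker step, its base success
    probability with no controls, and the controls that act on it."""
    name: str
    base_p: float
    controls: List[str] = field(default_factory=list)


@dataclass
class Node:
    """AND: every child must succeed; OR: any child suffices; LEAF: a technique."""
    name: str
    kind: str  # "AND" | "OR" | "LEAF"
    children: List["Node"] = field(default_factory=list)
    technique: Optional[Technique] = None


def p_success(node: Node, in_place: Dict[str, Control]) -> float:
    """Probability the attacker reaches `node`, given the controls in place.
    Independence is assumed between controls and between sibling branches."""
    if node.kind == "LEAF":
        t = node.technique
        p = t.base_p
        for name in t.controls:
            ctrl = in_place.get(name)
            if ctrl is not None:
                p *= 1.0 - ctrl.effectiveness  # each control must be bypassed
        return p
    child_ps = [p_success(c, in_place) for c in node.children]
    if node.kind == "AND":
        prod = 1.0
        for p in child_ps:
            prod *= p
        return prod
    if node.kind == "OR":
        all_fail = 1.0
        for p in child_ps:
            all_fail *= 1.0 - p
        return 1.0 - all_fail
    raise ValueError(f"unknown node kind {node.kind!r}")


def rank_controls(tree: Node, catalogue: Dict[str, Control]) -> List[Tuple[str, float]]:
    """Reduction in root likelihood from adding each control on its own,
    relative to no controls; sorted so the best investment comes first."""
    baseline = p_success(tree, {})
    gains = [(n, baseline - p_success(tree, {n: c})) for n, c in catalogue.items()]
    return sorted(gains, key=lambda kv: kv[1], reverse=True)


# Constructed control taxonomy (effectiveness values are illustrative only).
CATALOGUE: Dict[str, Control] = {
    "email_filtering": Control("email_filtering", 0.5),
    "security_awareness": Control("security_awareness", 0.3),
    "mfa": Control("mfa", 0.9),
    "patching": Control("patching", 0.5),
    "edr": Control("edr", 0.6),
    "application_control": Control("application_control", 0.7),
}

# Constructed scenario: ransomware deployment requires initial access
# (phishing OR brute-forcing exposed RDP), then privilege escalation, then
# deployment of the payload. Base probabilities are illustrative.
RANSOMWARE = Node("ransomware", "AND", [
    Node("initial_access", "OR", [
        Node("phishing", "LEAF", technique=Technique(
            "phishing", 0.6, ["email_filtering", "security_awareness"])),
        Node("rdp_brute_force", "LEAF", technique=Technique(
            "rdp_brute_force", 0.4, ["mfa"])),
    ]),
    Node("privilege_escalation", "LEAF", technique=Technique(
        "privilege_escalation", 0.5, ["patching", "edr"])),
    Node("deploy_payload", "LEAF", technique=Technique(
        "deploy_payload", 0.8, ["edr", "application_control"])),
])


if __name__ == "__main__":
    print(f"no controls:  {p_success(RANSOMWARE, {}):.4f}")
    print(f"all controls: {p_success(RANSOMWARE, CATALOGUE):.4f}")
    for name, gain in rank_controls(RANSOMWARE, CATALOGUE):
        print(f"{name:20s} reduces likelihood by {gain:.4f}")
```

With these constructed figures the ranking puts EDR first, because it sits on two AND-ed steps and so is counted twice on the path to the root, while MFA ranks low despite being the most effective single control: it only closes one branch of an OR, and phishing remains open. That is exactly the kind of actionable insight the model is meant to produce. The caveat a practitioner will want to note is the independence assumption: layered controls that share a failure mode (the same agent, the same identity provider) are overstated when their bypass probabilities are simply multiplied, so correlated controls should be modelled as one.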