Data-Driven Defense: Harnessing Z-Scores for Cybersecurity Priorities
Aug 06, 2023
Cyber-attacks continue to evolve, so a clear risk-management strategy is crucial. A critical part of that strategy is understanding which of your resources are at risk; however, deciding which resources to prioritize can be challenging.
Z-scores offer a distinct lens for viewing and prioritizing resources, so that risk assessment and response decisions concentrate on the resources that matter most.
Identifying Resources at Risk (Not Just Assets)
Using the concept of "resources at risk" to create a more expansive view of cyber risk allows an organization to go beyond the traditional financial-centric perspective and consider a broader spectrum of risk. But what specifically are resources at risk?
The Resources-Events-Agents (REA) data model, developed by William E. McCarthy in the 1970s, is a high-level conceptual model for business processes. It provides a framework for categorizing and relating resources, events, and agents based on the specific needs of a business or a business process.
In the REA model, a resource is anything that has economic value to the firm. This can include tangible assets like those listed in FASB’s Accounting Standards Codification (ASC), but it can also include other types of resources that aren't typically recognized as assets under generally accepted accounting principles (GAAP).
Here are some examples of resources as defined by the REA model that aren't included in assets from the ASC:
- Employees' Time: The time that employees spend working has economic value to the firm, even though it isn't recognized as an asset in financial accounting.
- Knowledge and Expertise: The knowledge and expertise of the firm's employees can be a valuable resource, especially in knowledge-intensive industries.
- Business Processes: The firm's business processes, such as its production processes or its sales processes, can be valuable resources.
- Contracts and Agreements: Contracts and agreements with customers, suppliers, and other parties can be valuable resources, even though they aren't typically recognized as assets in financial accounting.
- Customer Relationships: The relationships that the firm has with its customers can be a valuable resource, especially in industries where customer loyalty is important.
- Brand and Reputation: The firm's brand and reputation can be valuable resources, even though they aren't typically recognized as assets in financial accounting.
The specific resources relevant to an organization can vary widely depending on the organization's size, industry, geographic location, and other factors. Therefore, it's often necessary for each organization to conduct its own resource identification and analysis process.
Understanding Z-Scores
A Z-score represents how many standard deviations a data point is from the mean (average) of a dataset. A positive Z-score tells you how far a value is above the mean, and a negative Z-score tells you how far a value is below the mean. In even simpler terms, it tells us how "unusual" or "typical" a value is within a set of values.
The usefulness of the Z-score lies in its ability to standardize different datasets, allowing for apples-to-apples comparisons. Additionally, Z-scores in many contexts can be used to identify outliers.
If a data point has a Z-score that's very high or very low, it might be flagged as an outlier. In the context of prioritizing resources, the sensitivity of Z-scores to outliers may be a benefit because it emphasizes resources with above-average value, drawing attention to their importance in the context of organizational risk.
If a resource group's value is much higher than the mean, that may indicate that the group should be prioritized higher. Conversely, resources with a value below the mean might merit less priority given limited time and the opportunity cost of attention.
Applying Z-Scores in a Resource Classification
To leverage Z-scores in a resource classification as part of a cyber risk analysis, perform the following:
- Gather the Data: Estimate replacement costs or another measure of value for each resource group.
- Calculate the Mean and Standard Deviation: Across the values of all resource groups, calculate the mean and the standard deviation. In Excel, use the =AVERAGE and =STDEV.S functions.
- Transform the Data: Calculate a Z-score for each resource group by subtracting the mean from the group's replacement cost and dividing the difference by the standard deviation.
- Identify Outliers: Resource groups with high or low Z-scores might warrant high or low prioritization in the risk analysis.
- Rank and Filter: Once you have the Z-scores, rank resource groups by Z-score and filter out groups with lower Z-scores in a way that makes sense for your dataset (such as a Z-score of zero or less).
Calculation of Z-scores only for Resources with Replacement Cost above the Mean
(download this template in Excel)
Using Z-Score Prioritized Resources in a Quantitative Cyber Risk Analysis
Using Z-score to Identify Only the Highest Priority Resource Groups
(download this template in Excel)
Focusing on resource groups prioritized by Z-score, assess how often a given threat might exploit a vulnerability for the resource group. Then quantify the potential impact of loss events in terms of dollar impact. Use historical data, industry benchmarks, or expert judgment to estimate the potential financial or operational impact if a high Z-score resource gets impacted.
For each resource group, multiply the potential impact by the associated probability or frequency. This gives an "expected loss" or "annualized loss expectancy" for each resource group.
Use data visualization to communicate the inherent risk (likelihood and impact) of risk scenarios.
Inherent Risk Assessment for Only the Priority Resource Groups
(download this template in Excel)
Resources with higher expected loss (and high Z-scores) may need more attention in terms of evaluating inherent risk and determining the appropriate response to that risk.
- Mitigate: Invest in controls and measures to reduce the risk.
- Transfer: For some high-risk resources, it might be feasible to transfer the risk, e.g., through insurance.
- Accept: Some risks might be accepted if they're in line with the organization's risk appetite or if mitigation costs outweigh potential benefits.
- Avoid: In some cases, operations associated with a high-risk resource might be ceased or altered to eliminate the risk.
A Risk Response Matrix could be used to recommend responses for each risk scenario.
Risk Response Matrix for Priority Resource Groups
(download this template in Excel)
Continually monitor the risk metrics associated with each resource. As new data emerges, recalculate resource group Z-scores and adjust priorities, allowing for a dynamic and responsive approach to changes in the business and strategic objectives.
Potential Pitfalls and Limitations
While Z-scores provide a standardized way to compare data points, relying on them for prioritizing resource groups in certain contexts could result in potential pitfalls:
- Sensitivity to Outliers: An extreme data point can skew both the mean and the standard deviation, which in turn affects all the Z-scores in a dataset. This sensitivity might result in over-prioritizing or under-prioritizing certain resource groups based on anomalies.
- Overemphasis on Mean: Z-scores are calculated based on the mean. If the data has multiple modes or clusters, relying solely on the mean might not capture the nuances of the data distribution, leading to potential misprioritization.
- Not Always Intuitive: For stakeholders who aren't familiar with statistics, Z-scores might not be immediately intuitive. This can create communication challenges, especially when trying to convey the importance or priority of certain resources.
- Neglect of Other Important Factors: Z-scores focus on deviation from the mean, but there might be other crucial factors or qualitative nuances that are overlooked. For instance, a resource group might have a Z-score close to zero (indicating it's close to the mean) but might still be of strategic importance to the organization.
- Potential for Over-simplification: Using only Z-scores can oversimplify complex resource portfolios. It's crucial to integrate Z-scores with other metrics and qualitative insights to ensure a holistic understanding of priorities.
- Volatility with Small Sample Sizes: If the dataset (count of resource groups) is small, Z-scores can be volatile. A slight change in data can significantly alter the Z-score, which might lead to inconsistent prioritization over time.
- Dependence on Accurate Data: Like any quantitative metric, Z-scores are only as good as the data they're based on. If there are errors, inconsistencies, or biases in the data collection process, the Z-scores will reflect those inaccuracies.
Conclusion
While the world of cybersecurity can be complex, statistical tools like Z-scores may help drive better decisions. By integrating Z-scores into a quantitative risk analysis, organizations can bring a data-driven approach to risk management. This method offers improved clarity in prioritization and can enhance the effectiveness of risk mitigation strategies.