Quantitative Cyber Risk Assessments
May 21, 2023. Reading time: 5 minutes.
Cyber threats are a high priority source of risk for many organizations. However, managing cyber risk can be a complex task, requiring a structured approach.
Unfortunately, many common qualitative approaches to cyber risk assessment provide only limited useful information. Quantitative approaches to measuring cyber risk may provide better information for risk management decisions.
Benefits of Quantitative Cyber Risk Assessments
Quantitative cyber risk assessments involve the use of numerical measures to evaluate the potential impact and likelihood of cyber threats. This differs from the more common qualitative approach to risk assessments, which uses categorical data, such as the descriptive categories “low, medium, high.”
Categorical data often causes ambiguous threat and risk analysis and may result in the misclassification of threats and ineffective responses to risk.
Quantitative assessments that include dollar-measured outputs lead to better comparisons of threats, cost-benefit analysis of controls, and effective communication to stakeholders about the organization’s cyber risk appetite and exposure.
The Role of Accountants in Quantitative Cyber Risk Assessments
As strategic advisors with a firm grasp on an organization's financial health and activities, accountants can play an instrumental role in quantitative cyber risk assessments. Their skills in financial analysis, data interpretation, and strategic decision-making make them valuable contributors to the process.
With some training on cyber risk models, accountants can help gather and analyze data on potential financial impacts of cyber threats, assess the cost-effectiveness of security controls, and contribute to decisions about risk treatment strategies based on the organization's risk tolerance.
Key Elements of a Quantitative Cyber Risk Assessment
To carry out a quantitative cyber risk assessment, several key elements are recommended by the National Institute of Standards and Technology’s guide for conducting risk assessments:
- Risk Assessment Process: The process includes several stages, such as preparing for the risk assessment, conducting the assessment, communicating the information, and maintaining risk assessments over time.
- Risk Model: The model for a quantitative risk assessment determines what calculations will be performed and which inputs they will use, such as likelihood and impact. A useful quantitative risk model should yield the amount of risk measured in financial terms.
- Analysis Approach: The analysis approach determines how you will identify the inputs for your model. Some organizations may choose to start with assets and then identify threats to those assets and the amount of exposure to those threats. Other organizations may choose to start directly with the threats themselves.
A quantitative cyber risk assessment should inform decision makers about the amount of cyber risk the company faces on an annual basis, measured in financial terms (e.g., dollars). Uncertainty can be expressed using ranges and confidence intervals, but the financial aspect of the results is what makes the assessment useful to stakeholders and leaders.
Example: Quantitative Cyber Risk Assessment in Action
Consider a hypothetical case of a small manufacturing company that wants to assess the risk associated with a ransomware attack. Using a quantitative risk assessment approach, an accountant could gather data on the probability of a ransomware attack from the organization’s internal IT team, the Verizon Data Breach Investigations Report, and professional associations, such as the National Association of Manufacturers.
Then to estimate the range of financial impact, the accountant could also consult sources, such as the FBI’s Internet Crime Report, Chainalysis’ Crypto Crime Report, and annual reports from insurance companies, like Hiscox’s Cyber Readiness Report.
Imagine that the accountant determined that the organization faced an 80% probability of a single ransomware attack occurring each year, and that in 90% of those cases the range of impact would be between $20,000 and $200,000, including downtime, investigation costs, and recovery (ransom payment is excluded because this hypothetical organization has a policy to never pay the ransom).
According to the company’s risk model, the accountant multiplies the probability of an attack by the estimated lower and upper bounds of the impact range, giving an effective range of $16,000 to $160,000 of inherent risk at a 90% confidence interval, before considering the effectiveness of control activities.
In discussions with the information security manager, the risk assessment team determines that preventive controls reduce the probability of an attack on an annual basis down to 40% and the detective and corrective control activities reduce the impact of an attack by 50% so that the range is between $10,000 and $100,000 in 90% of circumstances. The residual risk is then calculated at an effective range of $4,000 to $40,000 with a 90% confidence interval.
Management evaluates the residual risk, reviews insurance coverage in consideration of outlier incidents (the incidents outside of the confidence interval), and determines that the current residual risk relating to ransomware attacks is acceptable, according to the company’s risk tolerance, which is aligned to the company’s strategic plans for growth and its financial health.
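The risk model worked through above, coded as an added example that is not part of the original article: the first two functions reproduce the article's inherent and residual ranges, and the Monte Carlo function goes one step further by expressing the same inputs as a simulated annual loss distribution. The lognormal shape for per-incident loss, with the $20,000 to $200,000 range taken as its 5th and 95th percentiles, is my assumption, not something the article states.

```python
import math
import random

# Inputs from the article's hypothetical ransomware scenario.
INHERENT_P = 0.80                    # annual probability of one ransomware incident
INHERENT_IMPACT = (20_000, 200_000)  # 90% range of loss per incident, in dollars
RESIDUAL_P = 0.40                    # probability after preventive controls
IMPACT_REDUCTION = 0.50              # detective/corrective controls halve the impact


def annual_risk_range(probability, impact_range):
    """The article's risk model: scale each bound of the 90% impact range
    by the annual probability of an attack."""
    low, high = impact_range
    return probability * low, probability * high


def apply_controls(probability_after, impact_range, reduction):
    """Residual inputs: the controlled probability and the reduced impact range."""
    low, high = impact_range
    return probability_after, (low * (1 - reduction), high * (1 - reduction))


def lognormal_params(low, high, z=1.645):
    """Assumption (not from the article): per-incident loss is lognormal and
    (low, high) are its 5th and 95th percentiles; z = 1.645 for a 90% range."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def simulate_annual_loss(probability, impact_range, years=20_000, seed=1):
    """Monte Carlo: in each simulated year an incident occurs with the given
    probability, and its loss is drawn from the lognormal. Returns
    (expected annual loss, 95th-percentile annual loss)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(*impact_range)
    losses = []
    for _ in range(years):
        hit = rng.random() < probability
        losses.append(rng.lognormvariate(mu, sigma) if hit else 0.0)
    losses.sort()
    mean = sum(losses) / years
    p95 = losses[int(0.95 * years) - 1]
    return mean, p95


if __name__ == "__main__":
    print("inherent range:", annual_risk_range(INHERENT_P, INHERENT_IMPACT))
    res_p, res_impact = apply_controls(RESIDUAL_P, INHERENT_IMPACT, IMPACT_REDUCTION)
    print("residual range:", annual_risk_range(res_p, res_impact))
    print("inherent simulated (mean, p95):", simulate_annual_loss(INHERENT_P, INHERENT_IMPACT))
    print("residual simulated (mean, p95):", simulate_annual_loss(res_p, res_impact))
```

The simulated mean is the expected annual loss (roughly $65,000 inherent and $16,000 residual under the lognormal assumption), which sits inside the article's ranges but is a single figure that budget and insurance discussions can use directly.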
Conclusion
Quantitative cyber risk assessments are a valuable tool for managing cyber risk as part of an organization's overall cybersecurity program.
For accountants, understanding and contributing to these assessments is a powerful way to provide strategic value and safeguard an organization's financial health.