Transitioning from qualitative to quantitative models for cyber risk
Developing a quantitative approach to reporting on cyber risk has become a fundamental undertaking for leaders in information security. Through discussions with key stakeholders, CISOs, and cybersecurity leaders, recurrent inquiries arise:
1. What are our primary cyber risks?
2. Are we efficiently managing these risks?
3. Are our investments directed towards the right cyber controls?
4. How can we assess the effectiveness of our information security program?
5. Are we allocating an appropriate budget for cybersecurity, or is it excessive?
When utilizing qualitative risk models that present matrices with loosely defined categories such as "high" or "critical" for likelihood and impact, several limitations emerge.
Firstly, the lack of well-defined thresholds makes it hard to say where the ceiling of a "high" ends and the floor of a "critical" begins, because there are no measurable parameters behind the labels. Consequently, there is no measurable basis for explaining whether cyber risk has materially increased or decreased from one report to the next.
Secondly, the risk matrix often ignores the organization's risk tolerance. Without overlaying risk appetite or tolerance, the risk readout is incomplete and loses relevance: a risk rated "high" in an area where the organization can sustain a greater level of risk may be informative, but it may not warrant immediate focus.
Thirdly, financial relevance is crucial for informed decision-making in both for-profit and non-profit organizations. The absence of an indicator of financial loss associated with the risk readout makes it challenging for organizations to align spending prioritization with potential risks. Additionally, understanding the extent to which investments in cybersecurity controls can mitigate potential financial risk is another gap in qualitative risk reporting.
Transitioning to a quantitative cyber risk model for analysis and reporting produces more accurate data and therefore better-informed decisions. The shift is not easy for many, but measuring cyber risk has much in common with measuring other kinds of risk; it is only a relatively recent practice because the technology it measures is itself recent.
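To make the three gaps above concrete, here is an added example (not from the article, and not Hubbard's own code) of what a minimal quantitative model looks like. It replaces the "high"/"critical" labels with a numeric annual probability and a 90% confidence interval for the loss of each scenario, runs a Monte Carlo simulation over many trial years, and reports expected annual loss, the probability of exceeding a stated risk tolerance, and the loss reduction a proposed control buys against its annual cost. The risk register, the tolerance, and the control's cost and effect are all constructed figures for illustration; the lognormal conversion of a 90% interval is a standard technique and is an assumption of this example rather than something the article specifies.

```python
"""Monte Carlo estimate of annualized cyber loss for a small, constructed risk register.

Each scenario is described by an annual probability of occurrence and a 90%
confidence interval (5th..95th percentile) for the loss if it occurs.  Loss is
modelled as lognormal, many trial years are simulated, and the results are read
out as expected annual loss, probability of exceeding a risk tolerance, and the
value of a control.  Every number below is constructed for illustration.
"""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_probability: float  # chance the event happens at least once per year
    loss_low: float            # lower bound of the 90% CI for one event's loss
    loss_high: float           # upper bound of the 90% CI for one event's loss


# Constructed register: two illustrative scenarios, not real figures.
REGISTER = (
    RiskScenario("ransomware outage", 0.10, 200_000, 5_000_000),
    RiskScenario("lost laptop data exposure", 0.30, 20_000, 300_000),
)


def lognormal_params(low, high):
    """Convert a 90% CI into lognormal mu and sigma.

    The 5th and 95th percentiles sit 1.645 sigma either side of the median,
    so the interval spans 3.29 sigma in log space.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / 3.29
    return mu, sigma


def draw_trial_years(scenarios, trials=10_000, seed=7):
    """Return one row per simulated year: (occurrence_u, loss_draw) per scenario.

    Both numbers are drawn for every scenario in every year, whether or not the
    event 'happens'.  Reusing the same draws for a controlled version of the
    register pairs the before/after comparison instead of burying the
    difference in simulation noise (common random numbers).
    """
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        row = []
        for s in scenarios:
            mu, sigma = lognormal_params(s.loss_low, s.loss_high)
            row.append((rng.random(), rng.lognormvariate(mu, sigma)))
        years.append(row)
    return years


def annual_losses(scenarios, years):
    """Total loss per simulated year under the given scenario probabilities."""
    totals = []
    for row in years:
        total = 0.0
        for s, (u, loss) in zip(scenarios, row):
            if u < s.annual_probability:  # the event occurred this year
                total += loss
        totals.append(total)
    return totals


def expected_loss(totals):
    """Mean annual loss across simulated years (annualized loss expectancy)."""
    return sum(totals) / len(totals)


def exceedance_probability(totals, tolerance):
    """Share of simulated years whose total loss exceeds the risk tolerance."""
    return sum(1 for t in totals if t > tolerance) / len(totals)


def apply_control(scenario, probability_factor):
    """Model a control that scales a scenario's annual probability (e.g. 0.5 halves it)."""
    return replace(scenario, annual_probability=scenario.annual_probability * probability_factor)


def control_analysis(register, target, probability_factor, annual_cost, tolerance, years):
    """Compare the register with and without a control on one scenario, on paired draws."""
    before = annual_losses(register, years)
    controlled = tuple(apply_control(s, probability_factor) if s.name == target else s
                       for s in register)
    after = annual_losses(controlled, years)
    reduction = expected_loss(before) - expected_loss(after)
    return {
        "expected_loss_before": expected_loss(before),
        "expected_loss_after": expected_loss(after),
        "loss_reduction": reduction,
        "net_benefit": reduction - annual_cost,       # positive means the control pays for itself
        "exceedance_before": exceedance_probability(before, tolerance),
        "exceedance_after": exceedance_probability(after, tolerance),
    }


if __name__ == "__main__":
    years = draw_trial_years(REGISTER)
    # Constructed decision: a control that halves ransomware likelihood for 40k/year,
    # judged against a 1M annual loss tolerance.
    result = control_analysis(REGISTER, "ransomware outage", 0.5, 40_000, 1_000_000, years)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.3f}")
```

Two design choices matter here. Every trial year draws both the occurrence and the loss for every scenario, so the "before" and "after" registers are scored on identical random numbers and the control's effect is isolated from sampling noise. And the readout is expressed in the terms the article says qualitative matrices lack: money, a probability of breaching a stated tolerance, and a cost-benefit figure for a specific control, rather than a colour in a grid.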
Interestingly, despite these similarities, there is a reluctance to measure cyber risk any more rigorously than with the traditional ordinal scales built on the intersection of likelihood and impact. According to Doug Hubbard, the author of "How to Measure Anything in Cybersecurity Risk," people often cite the complexity and difficulty of quantitative methods as the reason. Despite that perception, many organizations already use quantitative methods, even where their staff had no prior background in quantitative risk analysis.
Another factor contributing to the resistance towards adopting quantitative cyber risk analysis is the comfort individuals find in sticking to familiar methods. The reluctance to move away from current qualitative risk analysis methods, which provide vague indicators like low, medium, and high risk levels, becomes a self-imposed obstacle.
Doug Hubbard highlights another existing but insufficient model in play: intuition. A significant portion of risk assessments is influenced by individual preferences or unconscious biases, making it challenging to extract these factors from the formula. This introduces a bias into the data input, impacting the output in risk reporting.
Hubbard emphasizes that the cybersecurity practitioner's thought process is not significantly different from that of a mechanical engineer or physician. All these professionals carry biases and limitations such as selective recall. Despite these limitations, individuals continue to rely on their judgment and experiences, albeit limited, to assess and rate risks. Hubbard draws an analogy to the medical field, pointing out the reliance on clinical trials for physicians to form suggestions about medication based on a broader sample size rather than just their own experiences.
For practitioners who want to present cyber risk more accurately, the advantages of quantitative risk analysis come from reducing uncertainty and producing outputs the business can act on. Whether that means incorporating risk tolerance, introducing financial relevance, or moving away from loosely defined terms like high, medium, and low, measuring cyber risk quantitatively is a more accurate and directionally correct approach than the alternatives currently in use.