An introduction to quantifying cyber risk.

1. Quantifying
Cyber Risk.
Dispelling Cybergeddon

2. Why does cyber risk matter?
79% of respondents ranked cyber risk as a top
five concern for their organization.
47% of organizations said they have cyber
insurance.
Marsh Microsoft 2019 Global Cyber Risk Perception Survey
In the year post-breach, references to cyber
security in annual reports increases by an
average of over 300%
Peter Cohen’s Analysis of US Form 10K Submissions 2008-2017
47% of Small firms (less than 50 employees)
report one or more incidents in the last year.
63% of Medium sized firms (between 50 and
249 employees) report one or more incidents
in the last year.
65% of firms have experienced cyber-related
issues in their supply chain in the past year
Hiscox 2019 Cyber Readiness Report
In 2018 the insurance industry’s total direct
written cyber premiums grew 8% to $2 billion
Fitch Ratings, May 2019
A survey of around 700 UK senior managers
that 43% reported that their company had
suffered at least one cyber-attack in the prior
two years.
Mactavish “Cyber Risk & Insurance Report” Nov. 2018
Average annual losses due to cyber events in
the financial sector are between $38 billion
to $100 billion per year, and that the costs of
cyber events for the global economy as a
whole range from $110 billion to $575 billion
per year.
The estimated losses are substantially larger
than the size of the cyber-insurance
market.
Estimation of losses due to cyber risk for financial institutions,
Journal of Operational Risk, June 2019

3. Current poor practices
Category Labels (High/Medium/Low)
Imprecise, Unreliable, Range Compression
Single Likelihood estimates
Cyber risk has a long fat tail
Worst Case Impact estimates
Cybergeddon (Cannot reasonably aggregate risks)
Lists of cyber risk causes
Overlaps, Visibility
Risk Matrices
Multiplication of Subjective
Assessments,

4. Modern approaches to Cyber risk
There is a LOT that cyber and security risk managers can learn from
modern operational risk techniques.
There are ‘off the shelf’ solutions available such as FAIR (Factor Analysis
of Information Risk).
The security risk tooling (Security GRC platforms) are very poor at
supporting quantitative measurement or estimation of cyber risk.
There are professional ‘pools of knowledge’ forming such as:
● The Society of Information Risk Analysts
● The FAIR Institute
● Cyentia Institute

5. Cyber Risk Tolerance
Expected Rate of Occurrence /
Frequency
Monthly
Probability
Annual
Probability
Once a week 434.00% 5200.00%
Once a month 100.00% 1200.00%
Once a quarter 33.33% 400.00%
Once every six months 16.67% 200.00%
Once a year 8.33% 100.00%
Once every two years 4.17% 50.00%
Once every three years 2.78% 33.33%
Once every five years 1.67% 20.00%
Once every ten years 0.83% 10.00%
Once every fifteen years 0.55% 6.66%%
Avoid forcing stakeholders to do maths in their head.
Avoid qualitative descriptors, they are interpreted
differently by different people.
Median value handles overly risk hungry executives,
weighting executive scores by ownership also
appropriate.

6. Security Risk Universe
The security risk universe encompasses all the information security risks that could affect the
organisation:
● The universe is founded on Events that have Consequences for the business.
● When developing a risk scenario we consider the Source of the event and the Risk
Factors.
● Risk Factors are measurable aspects that are either external or internal to the business
and affect the frequency of risk occurrence or the severity of the risk outcome.

7. Risk Scenarios
Must consider all events and sources for their applicability to the business. For each event at least one
representative risk statement will be defined using the following template:
“There is a risk that <event> occurs leading to <consequence> that causes
<impact> .”
Each scenario must be expanded to include the relevant frequency or severity risk factors and/or
preventative, mitigating or recovery controls of note.
“This is exacerbated by <factor/s> but mitigated to some extent by <control/s>.”
The goal is to describe each scenario in a clear, unambiguous, format for analysis.
Consistency of language and format makes comparison for overlap and gaps possible.

8. Risk Estimation
Once the risks are documented and defined the next stage is to elicit expert judgement to
estimate the likelihood and costs of the risks.
Each risk will have inherent and an expected residual; likelihood, minimal harm
and maximal harm. We ask our experts to be 95% certain the maximum and
minimums are correct. Don’t forget that uncertainty!
Due to inherent issues of expert estimation we must use a number of techniques to
mitigate biases including:
● Measuring internal & external base-rate data to indicate risk factors
○ Lots of data available but discrimination and analysis required.
○ Many initiatives underway to improve data quality.
● Internal & external expert estimation
● Risk calibration training for experts
● Panel-based estimation

9. Bow-Tie Diagrams
Bow-tie diagrams are developed for each risk scenario describing the ‘fault tree’ that can cause the risk
and the ‘event tree’ that is the consequence of the risk. This provides a visual framework for estimating the
risks and identifying key controls.
This requires that the control framework in use is mapped to the risk events in the Security Risk Universe.
I have used the open source, freely available, Secure Controls Framework (SCF) which maps onto 100
different control frameworks and regulatory standards
Risk
Sources &
Causes
Preventative
Controls
Mitigate &
Recovery
Controls
Consequences
Fault Tree Event Tree

10. Example Bow-Tie

11. Cyber Risk Simulation
This represents a risk reduction of
£18,820,822 across the portfolio in
return for approximately £250,000
invested in security.
For each risk, using the likelihood,
minimal harm and maximal harm
we generate the simulated risk
outcomes tens of thousands of
times and combine the results.
We use a standard Monte Carlo
simulation approach relying on a
Lognormal distribution for harm
from a cyber incident. This is
commonly accepted industry
practice due to the observed nature
of cyber consequences.
We simulate both risks individually
and as a portfolio of risk. This
allows us to aggregate the risk
exposure for board consideration
but also perform sensitivity analysis
on control investments.

12. Reading
Books:
● How to Measure Anything in Cybersecurity Risk, Hubbard & Seiersen
● Measuring and Managing Information Risk: A FAIR Approach, Freund & Jones
● Uncertain Judgements: Eliciting Experts' Probabilities, O’Hagan
● Risk Assessment and Decision Analysis with Bayesian Networks, Fenton & Neil
Papers:
● What's Wrong with Risk Matrices?, Louis Anthony (Tony)Cox Jr
● Estimation of losses due to cyber risk for financial institutions, Antoine Bouveret
● Hype and heavy tails: A closer look at data breaches, edwards, Hofmeyr & Forrest
● Judgemental Decomposition: When does it work? MacGregor & Armstrong
● Lessons learned from the real world application of the Bow-tie method, Risktec
● Supporting on-going capture and sharing of digital event data, CRO Forum
● Reference Incident Classification Taxonomy: Task Force Status and Way Forward, ENISA
Standards:
● ISO 31010 - Risk Management - Risk Assessment Techniques

13. Thank you.
phil@cisomentor.com
www.cisomentor.com
blog.blackswansecurity.com