1. A PEER RISK MODEL
Calculate Custodial Data Risk, Compare with Industry Peers

Quantifies, in dollars, the cyber risk for an enterprise, based upon historical industry data and rigorous statistical models. Risk is calculated for custodial data (PII, PFI, CHD & PHI), based upon a peer company of the same size and industry, with the same value at risk.

- Calculate residual risk in dollars to PII, PFI, PHI and CHD using historical industry data.
- Calculate ROI and prioritize controls, estimate insurance needs and the value of incident response, communicate risk to senior management and objectively set risk appetite.

[Diagram: Prior Beliefs -> Evidence -> Posterior Beliefs]
[Photo caption: George Box, British mathematician and champion of Bayesian inference]

VivoSecurity Inc., Los Altos, CA. Email: ThomasL@VivoSecurity.com
2. Manage Cyber Risk in Business Terms

More effectively mitigate risk:
- Manage black-swan events
- Measure reduction in risk
- Focus where risk is highest
- Adopt a strategic approach

Manage risk in business terms:
- Communicate risk in dollars
- Justify security investments
- Weigh risk against business priorities
- Right-size cyber insurance

A Peer Risk Model allows senior management to compare cyber risk to their peers – in dollars. A rigorous statistical model that is trained on historical industry data gives a risk assessment credibility and senior management the confidence to manage cyber risk in business terms. It allows consideration of the ROI of new security controls, helps demonstrate insurance adequacy and allows an objective consideration of risk appetite. A Peer Risk Model can give the board of directors a clear understanding of risk and demonstrate a strong risk management culture.
3. What is a Peer Risk Model?

A Peer Risk Model is a statistical model built upon historical industry data that can calculate the residual risk for the average company of a particular size and industry. Information about a company's past breach rate can be added to estimate how a company differs from industry averages (i.e. its peers).

The model is “trained” on historical industry data using standard statistical (actuarial) techniques such as linear regression and Bayesian Model Averaging (see George Box on cover). Modeling techniques are rigorous and comply with the standards put forth by the Federal Reserve for model management (SR 11-7). A rigorous modeling process provides credibility, since the process discovers factors that are predictive of the cost and the probability of a data breach. A model is no better than its data, and our historical industry data comes from credible and comprehensive sources such as State Attorneys General, Health and Human Services (HHS), US Census data and 10-K filings from public companies.

The Peer Risk Model actually integrates four models: 1) a model for the probability of lawsuits, 2) a model for the cost distribution of a given breach, 3) a breach size vs. frequency model, and 4) a model that characterizes incident rate by industry.

The Peer Risk Model can be deployed in an easy-to-use Excel spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost.
4. Data Breach Costs Covered by the Peer Risk Model

Glossary

The Peer Risk Model calculates risk to custodial data. Custodial data is any PII data which triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a graphical breakdown of costs included in Total Costs.

[Diagram: Breach Company costs and Public & Other Businesses costs, with arrows labeled "Mitigate" and "Transfer via suits", summing to Total Costs]

Breach Company, Response Costs:
- Investigation
- Notification
- Call center
- Remediation

Breach Company, Damage Costs:
- Business loss; theft of money & goods
- Credit monitoring & privacy insurance
- Fines & settlements

Public & Other Businesses:
o Business loss
o Damage to personal credit
o Theft of money & goods
o Credit card replacement costs

Term: Meaning
Investigation: Cost of investigating what happened in a data breach, including which data was exposed. Costs of updating agencies on investigation progress.
Remediation: Cost of preventing future data breaches.
Notification: Legal costs of notifying federal agencies and state attorneys general.
Call Center: Cost of hiring or expanding call centers to handle calls from people affected by the data breach.
Business Loss, theft of money & goods: Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.
Credit Monitoring & Privacy Insurance: Cost of providing credit monitoring such as Experian, and insurance to cover personal loss by people affected by the data breach.
Fines & Settlements: Government fines, lawsuit awards and settlements, defense costs.
5. Model Outputs

The following graphs are example ways that risk can be summarized by the model. Examples are for hypothetical companies.
6. Model Outputs: Maximum Data Breach Cost; Probability of Lawsuit

[Chart: Probability (0% to 100%) vs. Number of Lawsuits (0, >0, 1, 2, 3, 4, 5)]
[Chart: Likelihood vs. Breach Cost ($0 to $25 Millions), with an 80% Confidence Interval marked at $19.8M]

Modeling of historical industry data finds a distribution of costs for any particular breach size and type, with a small percentage of companies experiencing very large costs. The model shows this as a probability distribution for the cost. Confidence intervals are indicated for the maximum breach costs, as well as the value of incident response activities to reduce the confidence interval. Confidence intervals are valuable for estimating insurance needs.

When they occur, lawsuits are an important component of the cost. One focus of incident response is to prevent lawsuits. The model also calculates and graphs the probability for lawsuits to help guide incident response decisions.

Callouts: Value of Incident Response Controls. Less than 10% chance of a lawsuit in the largest data breach. Most companies would experience a cost of under $5M.
7. Model Outputs: Loss Exceedance Curve

[Chart: Cost in Millions (log scale, 0.001 to 1,000) vs. Years (10 to 10,000); series: All Other Incidents, Malicious Outsider; Dominant Cause marked]

Commonly used in catastrophe modeling, the loss exceedance curve considers the most likely cost from all incident types, and includes the possibility of extraordinary data breach costs (tail risk). This curve is valuable for setting a company's risk appetite and insurance coverage. Example: $1M insurance covers a once in 100 year (or once in 100 companies, each year) event.
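An added illustration (not the Peer Risk Model's own code) of how a loss exceedance curve is assembled from the components listed on slide 3: incident frequency, a per-breach cost distribution and a lawsuit probability feed a Monte Carlo run of simulated years, from which the exceedance probability at a cost threshold and the loss at a given return period (the "once in 100 years" figure used for insurance sizing) are read off. All incident rates, cost parameters and the lawsuit probability are constructed assumptions, not fitted values.

```python
import math
import random

# Constructed, hypothetical inputs (not from the page): annual incident rates
# by type and lognormal per-incident cost parameters in $M. The Peer Risk
# Model fits such parameters to historical industry data; these are made up.
INCIDENT_TYPES = {
    # type: (expected incidents per year, log-mean of cost, log-sd of cost)
    "malicious_outsider": (0.08, math.log(1.5), 1.2),
    "all_other": (0.40, math.log(0.05), 1.0),
}
LAWSUIT_PROB = 0.10                              # assumed chance a breach is sued
LAWSUIT_MU, LAWSUIT_SIGMA = math.log(2.0), 0.8   # assumed extra cost if sued, $M

def poisson(rng, rate):
    """Draw an incident count for one year by inverting the Poisson CDF."""
    n, p, cum, u = 0, math.exp(-rate), math.exp(-rate), rng.random()
    while u > cum:
        n += 1
        p *= rate / n
        cum += p
    return n

def simulate_annual_losses(years, seed=1):
    """Monte Carlo: total breach cost per simulated year, in $M."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for rate, mu, sigma in INCIDENT_TYPES.values():
            for _ in range(poisson(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
                if rng.random() < LAWSUIT_PROB:   # a lawsuit adds to the cost
                    total += rng.lognormvariate(LAWSUIT_MU, LAWSUIT_SIGMA)
        losses.append(total)
    return losses

def exceedance_probability(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def loss_at_return_period(losses, years):
    """Loss exceeded about once in `years` years (exceedance probability
    1/years); the slide's example sizes insurance to the 1-in-100-year loss."""
    ordered = sorted(losses)
    k = max(0, len(ordered) - 1 - len(ordered) // years)
    return ordered[k]
```

Plotting `exceedance_probability` over a grid of thresholds gives the curve itself; `loss_at_return_period(simulate_annual_losses(20_000), 100)` is the 1-in-100-year loss the slide's insurance example refers to.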
8. Model Outputs: Residual Risk by Incident Type and Breach Size

Residual risk can be broken down and graphed in various ways, including incident type and breach size. Such graphs are valuable for understanding and communicating the major sources of risk, weighing business priorities against cyber risk and for resource allocation.

[Chart: Residual risk in Thousands ($0 to $1,000), 5 Year Period, 80% Confidence; incident types: Malicious Outsider, Accident, Lost/Stolen, Malicious Insider; breach sizes: Small (<500), Medium (500 to 10,000), Large (10,000 to 1 million), Huge (1 million to 100 million)]

Callout: Largest risk reduction would be obtained by focusing on reduction of small accidents.
9. Model Outputs: Value of Additional Controls

[Chart: Value of Additional Controls in Thousands ($0 to $500), 5 year period, 80% Confidence Interval]

The value of a control is calculated based upon residual industry risk, and the degree to which a control reduces the frequency of incidents. When the value of a control is combined with the cost, it is possible to prioritize resources based upon ROI, thus achieving a greater reduction in risk. Understanding the value of a control and ROI in dollars helps to communicate the need and justify the investment.

Callout: Largest risk reduction would be from Data Loss Prevention.
10. Use Case

The diagram below shows the process by which a typical company can use the Peer Risk Model to evaluate residual risk in dollars and calculate a dollar-based ROI for additional (new) controls. Much of the information needed is gathered as part of a standard security audit.

Gather Data
Company information is gathered as part of a standard security audit, including: 1) the number of customers for which records are not sequestered, 2) types of PII data, NAICS industry code, number of employees and past incidents.

Data into Model
Data is entered into the model and the residual risk is automatically calculated based upon historical industry data and broken down by incident and data types, size vs. frequency, probability for lawsuits and cost distributions for all possible breach sizes. Risk is further broken down into quadrants for the purpose of evaluating additional (new) controls.

Incident Response
The security expert sets confidence intervals based upon an evaluation of the company's incident response as compared with peers, including written response plan, training and rehearsals, instrumenting the enterprise, and engaging an experienced security company and law firm.

Additional Controls
A security expert assigns additional (new) controls to risk quadrants and assigns percent effectiveness based upon experience, industry reports, and implementation. The model automatically calculates the dollar value for each control.

ROI
The cost of additional (new) controls is entered from external sources, the calculation interval is adjusted according to the cost amortization period for controls and the model automatically estimates ROI.

Report
Controls are ordered by ROI and graphed. Other graphs which summarize risk are copied from the model and used to generate a report. The report can be presented to senior management to set risk appetite, justify and prioritize investments and guide insurance purchases.
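The Additional Controls, ROI and Report steps above, carried through as an added worked example (not the Peer Risk Model's own spreadsheet logic): residual risk per quadrant is scaled by each control's assigned effectiveness to get a dollar value, ROI is computed against the control's cost over the same interval, and controls are ordered by ROI. The residual-risk figures, control list, effectiveness percentages and costs are constructed, and ROI is taken as (value - cost) / cost.

```python
# Constructed, hypothetical inputs (not from the page). Residual risk is the
# model's 5-year dollar output per quadrant (incident type, breach size);
# each control lists the quadrants it affects, the fraction of incident
# frequency the security expert judges it removes, and its 5-year cost.
RESIDUAL_RISK = {
    ("accident", "small"): 900_000,
    ("accident", "medium"): 150_000,
    ("malicious_outsider", "medium"): 300_000,
    ("malicious_outsider", "large"): 450_000,
    ("lost_stolen", "small"): 120_000,
    ("malicious_insider", "medium"): 80_000,
}

CONTROLS = [
    {"name": "Security awareness training",
     "quadrants": [("accident", "small"), ("accident", "medium")],
     "effectiveness": 0.20, "cost": 40_000},
    {"name": "Data Loss Prevention",
     "quadrants": [("accident", "small"), ("accident", "medium"),
                   ("malicious_insider", "medium")],
     "effectiveness": 0.50, "cost": 200_000},
    {"name": "Laptop full-disk encryption",
     "quadrants": [("lost_stolen", "small")],
     "effectiveness": 0.90, "cost": 60_000},
    {"name": "Privileged access management",
     "quadrants": [("malicious_insider", "medium"), ("malicious_outsider", "large")],
     "effectiveness": 0.30, "cost": 250_000},
]

def control_value(control, residual=RESIDUAL_RISK):
    """Dollar value of a control: residual risk in each quadrant it touches,
    scaled by the fraction of incident frequency it removes."""
    return sum(residual.get(q, 0) * control["effectiveness"]
               for q in control["quadrants"])

def control_roi(control, residual=RESIDUAL_RISK):
    """ROI = (value - cost) / cost over the same interval as the risk figure;
    a negative ROI means the control costs more than the risk it removes."""
    return (control_value(control, residual) - control["cost"]) / control["cost"]

def rank_controls(controls=CONTROLS, residual=RESIDUAL_RISK):
    """Order controls by ROI, highest first, as the Report step does."""
    rows = [(c["name"], control_value(c, residual), c["cost"], control_roi(c, residual))
            for c in controls]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for name, value, cost, roi in rank_controls():
        print(f"{name:30s} value ${value:>9,.0f}  cost ${cost:>9,.0f}  ROI {roi:6.2f}")
```

With these inputs Data Loss Prevention removes the most risk in dollars, matching the slide 9 callout, but a cheap training control ranks first on ROI, which is the point of ordering by ROI rather than by value alone.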
11. About VivoSecurity

VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050

VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We have been a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware and a strong understanding of enterprise operations.

Additional Offerings

Model: Description
Cyber-Loss Model: Calculates the maximum cost of a data breach of custodial data.
Probability for Fraud, personal customers: Calculates probability for a cyber attack that leads to fraud.
Probability for Fraud, corporate customers: Calculates probability for a cyber attack that leads to fraud.
3rd party (vendor) Risk: Calculates risk in dollars posed by 3rd party partners.