Learn how to quantify cyber risks Join the 2021 Global Risk Management Day to get guidance, knowledge and avoid malpractices: Tools and templates to quantify operational and cyber risks with a business perspective, Practical tips for recovering from a crisis. Roadmaps to identify, write, assess, and manage risks, Examples to use risk tools for forecasting and planning, Recommendations to sell risk management to clients and Models to use, e.g., Monte Carlo simulations with a simple approach.

1. 2021 Global
Risk Management
Day

2. Hernan Huwyler
Kersi Porbunderwalla
Tips for IT risk management
What to do + what to avoid

3. Identification

4. Risk
effect of uncertainty
on objectives

5. Objectives for IT risks
Confidentiality
Integrity
Availability
on
IT assets

6. Assets at risk
IT assets
Data (electronic or on-paper)
Hardware and facilities
Software
Contracts, services and licenses
Skills

7. Example for confidentiality
Shall indemnify Customer
against all losses in case of a
data breach

8. Example for integrity
Input data errors should be
lower than 0.04 %

9. Example for availabilty
Shall reduce fees by 4% in case of
95 to 98% service availability

11. What to do
Facilitate risk assessments well
before decisions are made by IT
architects, engineers and managers

12. What to do
Follow the in-transit and at-rest
data for an end-to-end analysis
fully covering the IT assets under
scope

13. What to do
Simple governance focused on
the decision-maker
IT asset owner = risk owner =
contract owner = control owner =
compliance owner

14. What to do
Identify measurable requirements
from feasibility analysis, contracts,
blueprints, project plans, budgets,
cyber programs, internal policies, and
regulations

15. What to avoid
Don´t use control assessments,
compliance checklists and
vulnerability tests for risk
identification

16. What to avoid
Compliance with an IT control is not an objective
per se
Vulnerable assets and non-compliances are not
treated as potential risks but as known facts to
remediate

17. What to avoid
Don´t use generic scenarios only
based on threat and vulnerability
taxonomies and relying on static
snapshots

18. What to avoid
Don´t add multiple roles to the
risk ownership such as process
owners, delegates, control
owners, and SMEs

19. Tool ISACA risk statements
[Event that has an effect on CIA
objectives on IT assets] caused by
[threat/s] resulting in
[consequence/s]

20. Tool ISACA risk statements
Compromise of unencrypted HR
data in transit to the AWS cloud
caused by eavesdropping resulting
in contractual and privacy fines

21. Risk statements for measuring
There is a 5% chance this year that
eavesdropping on HR data in transit
to the AWS cloud results in fines
between USD .3M to 1.85M

22. Quantification

23. Analysis
• Assumption on objective name
and value
• IT Asset at Risk, Vulnerability and
Threat
• Assumption volatity

25. Annualized Loss Expectancy
Cause * Consequence > Continuous function
Probability * Impact > Bow-tie
Annual Rate of Occurrence *
Single Loss Expectancy

26. Annualized Loss Expectancy
Based on the added value of
the IT asset at risk on objectives
Range of potential values

27. Impact > Single Loss Expectancy
• Potential range of monetized
losses
• Decision trees
• Best, worse and base cases

28. You don’t read your medical
tests as an average of measures

29. Tool Single Loss Calculator

30. Tool Single Loss Calculator
2
Min Max
Ln (Max) - Ln (Min)
Standard Error
Confidence Interval
Confidence
Interval
Standard
Error
80% 2.56
90% 3.29
95% 3.92
99% 5.15
Loss
USD
NrCases
P(A), μ = , σ =
Ln
Single
Loss
USD
=
Ln (Max) - Ln (Min)
z*-value*2

31. Tool Single Loss Calculator
2
Ln (Max) - Ln (Min)
Standard Error
P(A), μ = , σ =
Ln
Single
Loss
USD
=
Ln (Max) - Ln (Min)
Expected
loss USD
=
Single Loss USD
2
2
* Probability
e

32. Tool Single Loss Calculator

33. Tool Single Loss Calculator

34. Ranges of potential outcomes
Confidentiality > Min and max number of
disclosed records or affected clients
Integrity > Min and max number of
inaccurate records
Availability > Min and max outage hours
and affected users

35. There is not “security” in
information security
Therefore, you need to use
probabilities for a rational decision-
making when data is limited

36. If an objective in a risk
assessment matters, you can
observe a range of possible
outcomes
Therefore, you can measure the
possible outcomes for decision-making

37. Primary impact
• Downtime costs
• Notification and response costs
• Damage on IT assets
• Contractual penalties
• Fraud losses

38. Secondary impact
• Profitablity losses of potential
and current clients
• Regulatory fines
• IP and competitive losses
• Cost of changing the CISO

39. Tool > Decision tree
Materialized
Risk 1
Impact 1
Impact A
Secondary impactsPrimary impacts
Impact B
Impact 2
Impact C
Impact D
Event 1 P (A)
Event 2 P (∼A)

40. Tool > Decision tree
Crown jewel asset“Stepping stone” assets
Event 1 P (A)
Event 2 P (A)
Event x P (A)

41. What to do
Disaggregate impacts by tangible
cost items to use probabilistic
methods for risk scenarios

42. What to do
Cost items can be expressed in
monetary terms but also in number
of hours, datasets, clients, users,
contracts, and work days

43. Example
Downtime costs = Downtime hrs x Cost-per-hr
3.25 5
90% confidence Interval
Hours
NrCases
34k USD
95% confidence Interval
Cost
per hr
NrCases
54k USD
x
10% of the expected cases are
not between 3.25 and 5 hs

44. Example
https://doi.org/10.1155/2019/6716918
Impact ranges expressed in M$

45. Downtime costs
• Revenue losses during/after downtime
Business value of IT asset at risk / Downtime hrs x % Uptime
• Discounts and compensations
• Employee productivity costs
Avg hr salary / Downtime and refocus hrs x Number of affected employees and contractor)
• Inventory and logistic overcosts

46. Notification and response costs
• Crisis management
• Help desk and IT staff overtime
• Forensic investigations and audits
• Notifications to boards, regulators,
investors and affected parties

47. Damage on IT assets costs
• Urgent replacements and repairs
• Setting and instalation
• Back up
• Lost data recovery

48. Contractual penalties
• Penalties and damages
• Force majeure and default
• Disputes
• Cost of changing IT vendors

49. Present value of countermeasures
• Outsourcing costs
• Cyber insurance
• Costs of implementing IT controls
• Costs of executing IT controls

50. Present value of countermeasures
• Price increases for liability
clauses with IT service providers
• Reserve for IT risks
• Threat avoidance
• IT asset substitution

51. Return on Investment
Primary impact
Secondary impact
Annualized Loss
Expectancy
Present value of
countermeasures

52. Tool > Loss exceedance curve
Loss0.001 0.01 0.1 1 10 100
0%
25%
50%
75%
100%
LossChance
5%
95%

53. What to do
Improve the planning tools used
by decision-makers with better
assessment of assumptions (e.g.
IT investments, due diligence)

54. What to do
Learn about statistical methods if
you want to facilitate the
assessment of IT risks

55. What to do
Measure the impact of risk incidents
and compare plans against actual
outcomes to improve your risk data
and use regression‐based methods

56. Poll
What metrics are
you using to measure
the cyber security
performance?

57. What to avoid
Don´t use qualitative criteria and
scoring systems with scientifically
proven flaws preventing corporate
defense and conducting to
malpractice

58. What to avoid, once again
Using high, medium, low or 1 to 5
criteria and other subjective scales
is malpractice in legal terms

60. What to avoid
Data cocktails of generic scores
and matrices for controls, threats
and assets unrelated to the specific
objectives under scope

61. What to avoid
Risk = threat x vulnerability x IT
asset value

62. What to avoid
Risk = ( threat x vulnerabilities x
probability x impact )
/countermeasures

63. What to avoid
Risk = ( threat x exploit likelihood
x exploit impact x asset value ) -
security controls

64. What to avoid
Risk = [ (10 * TechnicalImpact +
5*(AcquiredPrivilege + AcquiredPrivilegeLayer) +
5*FindingConfidence) * f(TechnicalImpact) *
InternalControlEffectiveness ] * 4.0
f(TechnicalImpact) = 0 if TechnicalImpact = 0;
otherwise f(TechnicalImpact) = 1

65. Data sources

66. External data to be tailored
Adjust significant variances between
industries, geographies,
organization sizes, and business
models for your organization

67. External data to be tailored
Check that historical data is
relevant and accurate for the type
of cyber security planning

68. Cost per disclosed record
Adjust averages from reports on
data breaches (e.g. Ponemon, IBM,
Gartner) or pay for historical data
(e.g. Advisen)

69. External data to be tailored
Adjust significant variances between
industries, geographies,
organization sizes, and business
models for your organization

70. Internal statistics
• Budget vs. actual by project
• Incident database
• Fraud and social engineering db
• Penetration testing findings
• Malware logs

71. Internal statistics
• KPIs for SLAs and outsorcing
contracts
• Ongoing due diligence results
• Lost and early disposed IT assets
• Maintenance analysis

72. Internal statistics
• Data loss prevention logs
• Help desk analysis on IT issues
• API gateway protection logs

73. Risk management is a top
demanded skill in cyber security

74. Risk management is a top
demanded skill in cyber security

75. This session is dedicated to Stanislaw Ulam, John von
Neumann, and Nicholas Metropolis which developed the
Monte Carlo method

76. @hewyler
/hernanwyler
mydailyexecutive.blogspot.com