Learn how to quantify cyber risks
Join the 2021 Global Risk Management Day to get guidance and knowledge and to avoid malpractice:
Tools and templates to quantify operational and cyber risks with a business perspective,
Practical tips for recovering from a crisis,
Roadmaps to identify, write, assess, and manage risks,
Examples of using risk tools for forecasting and planning,
Recommendations for selling risk management to clients, and
Models to use, e.g., Monte Carlo simulations with a simple approach.
11. What to do
Facilitate risk assessments well before decisions are made by IT architects, engineers and managers
12. What to do
Follow the in-transit and at-rest data for an end-to-end analysis fully covering the IT assets under scope
13. What to do
Simple governance focused on the decision-maker:
IT asset owner = risk owner = contract owner = control owner = compliance owner
14. What to do
Identify measurable requirements from feasibility analysis, contracts, blueprints, project plans, budgets, cyber programs, internal policies, and regulations
15. What to avoid
Don't use control assessments, compliance checklists and vulnerability tests for risk identification
16. What to avoid
Compliance with an IT control is not an objective per se
Vulnerable assets and non-compliances are not treated as potential risks but as known facts to remediate
17. What to avoid
Don't use generic scenarios only based on threat and vulnerability taxonomies and relying on static snapshots
18. What to avoid
Don't add multiple roles to the risk ownership such as process owners, delegates, control owners, and SMEs
19. Tool ISACA risk statements
[Event that has an effect on CIA objectives on IT assets] caused by [threat/s] resulting in [consequence/s]
20. Tool ISACA risk statements
Compromise of unencrypted HR data in transit to the AWS cloud caused by eavesdropping resulting in contractual and privacy fines
21. Risk statements for measuring
There is a 5% chance this year that eavesdropping on HR data in transit to the AWS cloud results in fines between USD 0.3M and 1.85M
23. Analysis
• Assumption on objective name and value
• IT Asset at Risk, Vulnerability and Threat
• Assumption volatility
25. Annualized Loss Expectancy
Cause × Consequence > Continuous function
Probability × Impact > Bow-tie
Annualized Loss Expectancy = Annual Rate of Occurrence × Single Loss Expectancy
30. Tool Single Loss Calculator
Inputs: Min and Max single loss (USD) stated at a chosen confidence interval. The log of the single loss is treated as normally distributed, with

$$\mu = \ln(\mathrm{Min}) + \frac{\ln(\mathrm{Max}) - \ln(\mathrm{Min})}{2}, \qquad \sigma = \frac{\ln(\mathrm{Max}) - \ln(\mathrm{Min})}{z\text{-value} \times 2}$$

where the divisor (the standard error width, z-value × 2) depends on the confidence interval:

Confidence Interval    Standard Error (z-value × 2)
80%                    2.56
90%                    3.29
95%                    3.92
99%                    5.15

(Figure: histogram of Single Loss USD against NrCases, labelled P(A), μ and σ.)

31. Tool Single Loss Calculator
With μ and σ from the same Min, Max and standard error, the expected loss is the mean of the lognormal single loss scaled by the event probability:

$$\text{Expected loss USD} = e^{\mu + \frac{\sigma^{2}}{2}} \times \text{Probability}$$
34. Ranges of potential outcomes
Confidentiality > Min and max number of disclosed records or affected clients
Integrity > Min and max number of inaccurate records
Availability > Min and max outage hours and affected users
35. There is no “security” in information security
Therefore, you need to use probabilities for rational decision-making when data is limited
36. If an objective in a risk assessment matters, you can observe a range of possible outcomes
Therefore, you can measure the possible outcomes for decision-making
37. Primary impact
• Downtime costs
• Notification and response costs
• Damage on IT assets
• Contractual penalties
• Fraud losses
38. Secondary impact
• Profitability losses of potential and current clients
• Regulatory fines
• IP and competitive losses
• Cost of changing the CISO
39. Tool > Decision tree
(Figure: a materialized risk (Risk 1) splits into Event 1 with P(A) and Event 2 with P(∼A); the events lead to primary impacts (Impact 1, Impact 2), which branch into secondary impacts (Impact A, Impact B, Impact C, Impact D).)
40. Tool > Decision tree
(Figure: a chain of “stepping stone” assets leading to the crown jewel asset, with Event 1 P(A), Event 2 P(A), … Event x P(A) along the path.)
41. What to do
Disaggregate impacts by tangible cost items to use probabilistic methods for risk scenarios
42. What to do
Cost items can be expressed in monetary terms but also in number of hours, datasets, clients, users, contracts, and work days
43. Example
Downtime costs = Downtime hrs x Cost-per-hr
(Figure: two histograms of NrCases multiplied together. Hours: 90% confidence interval from 3.25 to 5 hrs. Cost per hr: 95% confidence interval from 34k to 54k USD.)
10% of the expected cases are not between 3.25 and 5 hrs
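The Single Loss Calculator of slides 30 and 31 and the downtime example of slide 43, worked through in code as an added example (not the deck's own tool): the z-value × 2 table, μ and σ from a Min-Max range, the expected loss for the slide 21 risk statement, and a Monte Carlo of Downtime hrs x Cost-per-hr. It assumes hours and cost per hour are independent lognormals; the function names and sample inputs are the example's own.

```python
import math
import random

# Standard-error width (z-value x 2) per confidence interval, as on the deck's calculator slide.
Z_TIMES_2 = {0.80: 2.56, 0.90: 3.29, 0.95: 3.92, 0.99: 5.15}


def lognormal_params(lo, hi, confidence=0.90):
    """mu and sigma of ln(loss) for a Min-Max range stated at the given confidence."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < Min < Max")
    mu = math.log(lo) + (math.log(hi) - math.log(lo)) / 2  # midpoint of the log range
    sigma = (math.log(hi) - math.log(lo)) / Z_TIMES_2[confidence]
    return mu, sigma


def expected_single_loss(lo, hi, confidence=0.90):
    """Mean of the lognormal single loss: e^(mu + sigma^2 / 2)."""
    mu, sigma = lognormal_params(lo, hi, confidence)
    return math.exp(mu + sigma ** 2 / 2)


def expected_loss(probability, lo, hi, confidence=0.90):
    """Expected loss this year = P(event) x expected single loss."""
    return probability * expected_single_loss(lo, hi, confidence)


def simulate_downtime_cost(hours_ci, cost_ci, n=100_000, seed=1):
    """Monte Carlo for Downtime costs = Downtime hrs x Cost-per-hr.

    hours_ci and cost_ci are (Min, Max, confidence) tuples. Returns the mean simulated
    cost and the share of draws whose hours fall outside the stated range, which is
    about 10% for a 90% interval (the deck's remark on the example slide)."""
    rng = random.Random(seed)
    mu_h, sd_h = lognormal_params(*hours_ci)
    mu_c, sd_c = lognormal_params(*cost_ci)
    total, outside = 0.0, 0
    for _ in range(n):
        hrs = rng.lognormvariate(mu_h, sd_h)
        total += hrs * rng.lognormvariate(mu_c, sd_c)  # hours and cost drawn independently
        outside += not (hours_ci[0] <= hrs <= hours_ci[1])
    return total / n, outside / n


if __name__ == "__main__":
    # Risk statement from the deck: 5% chance this year of fines between USD 0.3M and 1.85M.
    print(f"expected loss: USD {expected_loss(0.05, 300_000, 1_850_000):,.0f}")
    # Downtime example from the deck: 3.25-5 hrs at 90%, 34k-54k USD per hour at 95%.
    mean_cost, share_outside = simulate_downtime_cost((3.25, 5, 0.90), (34_000, 54_000, 0.95))
    print(f"mean downtime cost: USD {mean_cost:,.0f}; hours outside range: {share_outside:.1%}")
```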
45. Downtime costs
• Revenue losses during/after downtime
  Business value of IT asset at risk / Downtime hrs x % Uptime
• Discounts and compensations
• Employee productivity costs
  Avg hr salary / Downtime and refocus hrs x Number of affected employees and contractors
• Inventory and logistic overcosts
46. Notification and response costs
• Crisis management
• Help desk and IT staff overtime
• Forensic investigations and audits
• Notifications to boards, regulators, investors and affected parties
47. Damage on IT assets costs
• Urgent replacements and repairs
• Setting and installation
• Backup
• Lost data recovery
49. Present value of countermeasures
• Outsourcing costs
• Cyber insurance
• Costs of implementing IT controls
• Costs of executing IT controls
50. Present value of countermeasures
• Price increases for liability
clauses with IT service providers
• Reserve for IT risks
• Threat avoidance
• IT asset substitution
51. Return on Investment
(Figure: Annualized Loss Expectancy, built from primary impact and secondary impact, set against the Present value of countermeasures.)
53. What to do
Improve the planning tools used by decision-makers with better assessment of assumptions (e.g. IT investments, due diligence)
54. What to do
Learn about statistical methods if you want to facilitate the assessment of IT risks
55. What to do
Measure the impact of risk incidents and compare plans against actual outcomes to improve your risk data and use regression-based methods
57. What to avoid
Don't use qualitative criteria and scoring systems with scientifically proven flaws that prevent a corporate defense and lead to malpractice
58. What to avoid, once again
Using high, medium, low or 1 to 5 criteria and other subjective scales is malpractice in legal terms
60. What to avoid
Data cocktails of generic scores and matrices for controls, threats and assets unrelated to the specific objectives under scope
66. External data to be tailored
Adjust significant variances between industries, geographies, organization sizes, and business models for your organization
67. External data to be tailored
Check that historical data is relevant and accurate for the type of cyber security planning
68. Cost per disclosed record
Adjust averages from reports on data breaches (e.g. Ponemon, IBM, Gartner) or pay for historical data (e.g. Advisen)
70. Internal statistics
• Budget vs. actual by project
• Incident database
• Fraud and social engineering db
• Penetration testing findings
• Malware logs
71. Internal statistics
• KPIs for SLAs and outsourcing contracts
• Ongoing due diligence results
• Lost and early disposed IT assets
• Maintenance analysis
72. Internal statistics
• Data loss prevention logs
• Help desk analysis on IT issues
• API gateway protection logs