Davos offers cyber defence model

by Mark Rowe

If you don’t know what sort of cyber threats are around, who’s out to get you, or even how many times your IT defences have been breached, let alone how the threats are developing, how can you measure cyber risk? The World Economic Forum (WEF) has had a go at quantifying the value at risk in case of a cyber-attack.

A Davos report titled ‘Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats’ warns of a vicious circle: ‘uncertainty regarding proper levels of preparedness leads to forestalled investments in safeguards as inter-connection expands exponentially’. Put another way, the amount of data, and access to it, is growing fast, but we don’t know what the scale of the threats is, which threatens paralysis. The World Economic Forum’s Partnering for Cyber Resilience suggests a ‘cyber value-at-risk model’. That offers a way to answer three questions about a cyber-attack, the report argues:

Who and why? Addresses the threat types executing the attack scenario in terms of target attractiveness (encompassing threat motivations and exposed target characteristics).

What and how? Addresses the type of attacks applied, in terms of technical means and level of sophistication.

Where and when? Addresses vulnerability as per a standard cyber resilience maturity level measure.

The report suggests this metaphor: just as commuting to work involves ‘a small but statistically measurable risk of bodily harm, participating in the interconnected digital ecosystem involves adopting inherent residual and system risks’. Given that everything is ever more interconnected digitally, ‘even well-guarded participants face the threat of a cyber-attack. Beyond malicious hackers, cyber threats also encompass insider threats, breakdowns in trust, and faults due to negligence or ignorance.’ Hence the report seeks metrics for measuring cyber risk. It suggests looking at three things: vulnerability; your assets under threat (such as the SCADA systems that control industry such as an oil and gas terminal; some, though, intangible, such as your brand’s reputation); and the profile of attackers (are they amateurs, or state-sponsored?).

The report admits there are limits to the model. How attractive is a business to a hacker? How resilient is it to IT attack? At least the report makes the case for ‘a systematic, rather than patchwork response’. But if car insurers can do it – model their exposure to risk from drivers making claims – why not cyber security? “With the establishment of a common framework for quantifying cyber threats, comprehensive tracking of incidents and emerging risks can be engaged.” As the report says, it would take a ‘cyber-security tone from the top’, and the business knowing what its risk appetite is. Among the cyber and corporate figures working on the report was Malcom Stokes, head of operational risk – BT Security, at the UK-based telecoms company.

For the cyber resilience and other reports arising from the Davos January 2015 gathering visit www.weforum.org.

© 2024 Professional Security Magazine. All rights reserved.