In a world of limited resources there are always tradeoffs to be made: how much to invest here and how much there, how much risk to tolerate and how much to mitigate or insure against.
To answer those questions, risk quantification is necessary: estimating how likely an outcome is to occur and, more importantly, what its cost would be. Translating complex real-world events into dollar figures that enable rational decision making is critical to effective risk management.
Organizations understand this paradigm. Businesses, especially in financial services, are built on a foundation of assessing and comparing risk. But talk to a C-suite executive today, and you are likely to hear: “Cyber risk is one of our biggest concerns. We have experts who understand our systems and our data and who try to protect the organization.” We think the most common misconception about Cyber risk and Cyber attacks is the perception that these attacks are purely technical – machines attacking machines. In practice, attackers rely heavily on an understanding of people, policies, and how a company is organized – people attacking people. A fully hardened server is hopeless in the face of an employee who is tricked into opening a door to an intruder. Therefore, the C-suite often concludes: “In terms of quantifying risk, we are in the dark. We do not know our true Cyber exposure. We cannot manage Cyber risk properly because we cannot measure the risk. We do not know how to best invest in risk mitigation.”
Clearly, identifying and quantifying Cyber risk is different from quantifying “financial” risks (e.g., credit, market, etc.), and it presents some unique challenges – especially the scarcity of historical data and the speed with which would-be attackers discover new vulnerabilities and devise new ways to exploit them. To fully understand and quantify Cyber risk, one needs to understand both technical and nontechnical avenues of attack.