10B Capturing Cyber Value-at-Risk: Towards a Model for Quantifying Cyber Risk, presented at COSAC 2015

by Maarten Van Wieren

Summary: “Know thyself, know thy enemy. A thousand battles, a thousand victories.” (Sun Tzu)
Due to an increasing number of cybersecurity breaches making the media headlines, cybersecurity has finally become a boardroom issue. However, to this day it remains difficult to measure and quantify cyber risks, due to limited threat intelligence and rapidly evolving cyber threats.
The World Economic Forum acknowledges this difficulty in the paper it published earlier this year (“Towards the Quantification of Cyber Threats”), which describes a quantitative framework for cyber risks with the goal of enabling organizations to measure and manage cyber risk, and to reach and maintain the right level of security maturity in line with the business strategy.
In the project that will be presented for the first time at this conference, an attempt has been made to bring this theoretical framework to life. The focus of this talk will thus be on how the Cyber Value-at-Risk (VaR) methodology can be applied to real-life use cases, and how each of the model components uniquely contributes to the Cyber VaR outcome. Together, these components can form a Cyber Value-at-Risk dashboard that displays the assets subject to risk, the threats they face and the resulting loss exposure. Based on this dashboard, companies should be able to make an informed decision on which risks to mitigate, how much money to spend on mitigating them, and which risks to accept or transfer through cyber insurance.
In this talk, I will cover:
Each of the model components that make up the Cyber Value-at-Risk framework, and how they are represented by measurable parameters;
The unique interactions that take place between these model components to arrive at a single, quantitative outcome;
The challenges of this approach, which lie in the lack of quality data concerning attacker profiles and evolving attacks, and in the complicated estimation of cyber asset value and risk exposure.
The model presented here is not intended to provide an exact dollar value at this stage of development, but rather a well-rounded assessment of the risk the organization is facing. It should help boardroom decision-makers connect strategic decisions, financial risk management and cyber risks. The ultimate goal of this project is thus to enable companies to focus on their core business and remove some of the barriers to safely being at the forefront of the digital realm.
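To make the asset, threat and loss-exposure components concrete, here is a small Monte Carlo Cyber VaR calculation added to this abstract as an illustration; it is not the model presented in the talk nor the WEF framework's own implementation, and every asset value, probability and impact range below is a constructed placeholder.

```python
import random
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float  # constructed estimate of the asset's worth to the business


@dataclass
class Threat:
    name: str
    target: str               # name of the Asset this threat acts on
    annual_probability: float  # chance of at least one successful attack per year
    impact_low: float         # fraction of asset value lost, lower bound
    impact_high: float        # fraction of asset value lost, upper bound


def simulate_annual_losses(assets, threats, trials, seed=1):
    """Simulate `trials` years; each year every threat may fire once against its target."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    values = {a.name: a.value for a in assets}
    losses = []
    for _ in range(trials):
        total = 0.0
        for t in threats:
            if rng.random() < t.annual_probability:
                total += values[t.target] * rng.uniform(t.impact_low, t.impact_high)
        losses.append(total)
    return losses


def value_at_risk(losses, confidence):
    """Loss level that the simulated annual loss stays below with the given confidence."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def dashboard(assets, threats, trials=20000):
    """Summary a risk dashboard could display: expected loss and VaR at two confidence levels."""
    losses = simulate_annual_losses(assets, threats, trials)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
    }


if __name__ == "__main__":
    assets = [Asset("customer database", 5_000_000), Asset("web shop", 2_000_000)]
    threats = [Threat("data breach", "customer database", 0.10, 0.05, 0.40),
               Threat("ransomware", "web shop", 0.20, 0.10, 0.60)]
    print(dashboard(assets, threats))
```

The 99% VaR is, by construction, never smaller than the 95% VaR, so the gap between the two shows how heavy the tail of the simulated loss distribution is.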
The input of the audience will be appreciated in order to enable further improvements to the model, based on the many years of field experience of the conference attendees. Suggestions of nuances in the relations between model components, or of unexpected additional and/or confounding variables that change the output of the equation, if any, would be highly beneficial to the accuracy of our final model.