The threat of cyber-attacks has led some organizations to increase their spending on resources for improving awareness and their overall data security posture. The question is how much an organization is willing to spend to quantify the impact and risk of a cyber-attack.
At its annual meeting in January 2015, the World Economic Forum released an initial report aimed at building a common framework for quantifying the impact and risk associated with cyber-attacks. However, a tremendous amount of work is still needed to unify a common approach. The World Economic Forum suggests using the value-at-risk mathematical function widely adopted by the financial services industry, which would help measure the tradeoff between the value gained through investments and the potential risks assumed. The three main components factored into the value-at-risk model are assets, the potential attacker, and vulnerabilities. While organizations focus on criminally motivated attacks, they also need to consider terrorism, espionage, and even warfare-driven motives. This is an overwhelming thought for many organizations that are underfunded and unprepared.
The organization’s assets sit at the center of this value-at-risk model. Intangible assets, including privacy data, could damage the organization’s reputation or brand if stolen, whereas tangible assets, including infrastructure, systems, and production, could disrupt business operations temporarily or even long term if compromised. The financial impact of a potential security breach, and the possibility that an organization could become a target, are both driven by the organization’s assets. The challenge becomes calculating the cost of the assets and of the overall business in order to drive risk acceptance.
The last component within the value-at-risk model is an organization’s vulnerabilities, which relate to the systems in place and to the administrators and users of those systems who serve to protect the assets. The probability of a breach is based not only on the value of the assets targeted, but also on an adversary’s knowledge of an organization’s vulnerabilities.
By analyzing the connection between these three major components, organizations can better understand their unique risk posture. What is your organization doing to quantify the value and impact of potential breaches?
Contact us if you would like to learn more about cybersecurity and how Schneider Downs can help your organization and visit the Cybersecurity blog for other articles pertaining to protecting your organization.