The threat of cyber-attacks has led some organizations to increase their spending on resources aimed at improving awareness and the overall posture of data security. The question is how much an organization is willing to spend to quantify the impact and risk of a cyber-attack.
At its annual meeting in January 2015, the World Economic Forum released an initial report to build a common framework to quantify the impact and risk associated with cyber-attacks. However, a tremendous amount of effort still needs to occur to unify a common approach. The World Economic Forum suggests using the value-at-risk mathematical function widely adopted by the financial services industry, which would help measure the tradeoff between value gained through investments and the potential risks assumed. The three main components factored in the value-at-risk model include: assets, the potential attacker, and vulnerabilities. As organizations focus on criminal-based motives, they also need to consider potential terrorism, espionage, and even warfare-led motives. This is an overwhelming thought for many organizations that are underfunded and unprepared.
The organization’s assets sit at the center of this value-at-risk model. Intangible assets, including privacy data, if stolen, could impact the organization’s reputation or brand; tangible assets, including infrastructure, systems and production, if compromised, could disrupt business operations temporarily or even for the long term. Both the financial impact of a potential security breach and the likelihood that an organization becomes a target are driven by the organization’s assets. The difficulty lies in valuing the assets and the overall business so that risk-acceptance decisions can be grounded in those figures.
The last component within the value-at-risk model is an organization’s vulnerabilities, which relate to the systems in place and to the administrators and users of those systems who are responsible for protecting the assets. The probability of a breach depends not only on the value of the assets targeted, but also on an adversary’s knowledge of the organization’s vulnerabilities.
By analyzing the connection between these three major components, organizations can better understand their unique risk posture. What is your organization doing to quantify the value and impact of potential breaches?
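To make the connection between the three components concrete, the following is a small Monte Carlo illustration added here; it is not code from the World Economic Forum report or from Schneider Downs, and the asset register, the loss ranges and the attacker-interest and exposure scores are constructed for the example. It assumes each asset’s annual breach probability is the product of attacker interest and exposure, draws the loss severity from the asset’s loss range, and reports the expected annual loss alongside the 95% value-at-risk, before and after one mitigation scenario.

```python
import math
import random

# Constructed asset register (illustrative figures, not from any real organization).
# Each entry carries the three value-at-risk components named in the text:
#   loss_low / loss_high -> the asset: range of financial loss if it is compromised
#   attacker_interest    -> the potential attacker: how attractive the asset is (0..1)
#   exposure             -> vulnerabilities: how weakly the asset is protected (0..1)
ASSETS = [
    {"name": "customer PII database", "loss_low": 500_000, "loss_high": 3_000_000,
     "attacker_interest": 0.9, "exposure": 0.25},
    {"name": "production ERP", "loss_low": 200_000, "loss_high": 1_500_000,
     "attacker_interest": 0.6, "exposure": 0.15},
    {"name": "marketing web server", "loss_low": 10_000, "loss_high": 80_000,
     "attacker_interest": 0.4, "exposure": 0.50},
]


def annual_breach_probability(asset):
    """Probability that the asset is compromised in a given year.

    Assumption: attacker interest and exposure are independent, so the
    probability is their product. A high probability therefore needs both
    a motivated adversary and a weak control set.
    """
    return asset["attacker_interest"] * asset["exposure"]


def simulate_annual_loss(assets, rng):
    """One Monte Carlo trial: sum the losses of every asset breached this year."""
    total = 0.0
    for asset in assets:
        if rng.random() < annual_breach_probability(asset):
            # Loss severity is drawn uniformly from the asset's loss range.
            total += rng.uniform(asset["loss_low"], asset["loss_high"])
    return total


def value_at_risk(losses, confidence):
    """Loss that is not exceeded in `confidence` of the simulated years.

    Uses the empirical quantile: the ceil(confidence * n)-th smallest loss.
    """
    ordered = sorted(losses)
    rank = math.ceil(confidence * len(ordered))
    return ordered[max(0, min(rank, len(ordered)) - 1)]


def cyber_var(assets, trials=20_000, confidence=0.95, seed=2015):
    """Simulate `trials` years and summarize the resulting loss distribution."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    losses = [simulate_annual_loss(assets, rng) for _ in range(trials)]
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "value_at_risk": value_at_risk(losses, confidence),
        "worst_case": max(losses),
    }


def with_reduced_exposure(assets, name, new_exposure):
    """Copy of the register with one asset's exposure changed (a mitigation scenario)."""
    return [dict(a, exposure=new_exposure) if a["name"] == name else dict(a)
            for a in assets]


if __name__ == "__main__":
    baseline = cyber_var(ASSETS)
    hardened = cyber_var(with_reduced_exposure(ASSETS, "customer PII database", 0.05))
    for label, result in (("baseline", baseline), ("PII database hardened", hardened)):
        print(f"{label}: expected loss ${result['expected_annual_loss']:,.0f}, "
              f"95% VaR ${result['value_at_risk']:,.0f}, "
              f"worst case ${result['worst_case']:,.0f}")
```

The point of the comparison is the tradeoff the World Economic Forum describes: the drop in value-at-risk between the two scenarios is the figure to set against the cost of the control that lowers the exposure score, and the same register can be re-run with a higher attacker-interest score to see how espionage- or warfare-led motives change the picture.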
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.