The field guide to cyber risk quantification and ratings

In this guide:

• What is cyber risk quantification?
  • Approaches to cyber risk quantification
• How do I quantify cyber risk?
• What is a cybersecurity rating and how is it arrived at?
• How do I perform a cyber security risk assessment?

What is cyber risk quantification?

Cyber risk quantification measures and evaluates the financial and operational impact of possible cyber incidents. It’s an assessment of what losses could result from a cyber attack and assigning monetary values to them.

The goal is to provide organisations with a clear understanding of the potential financial impact of cyber incidents, and enough information to make informed decisions about risk management strategies, cybersecurity investments, and insurance coverage. By quantifying cyber risks, organisations can prioritise their resources, allocate budgets effectively, and communicate the potential impact to stakeholders.

Approaches to cyber risk quantification

A financial impact assessment involves estimating the financial losses that could result from a cyber incident. It takes into account factors such as the cost of response and recovery, business interruption, reputational damage, legal liabilities, and regulatory fines.

Probabilistic modelling uses statistical analysis and probability theory to assess the likelihood of different cyber events and their potential consequences. It accounts for things like the frequency of attacks, the effectiveness of existing controls, and the vulnerability of systems and data.

A scenario analysis is a way of developing hypothetical cyber-attack scenarios and evaluating their potential impact. It will help your organisation’s leadership to understand the range of possible outcomes and identify vulnerabilities that need to be addressed.

Risk aggregation consolidates individual cyber risks into a single, overall risk profile for your organisation. It considers the interdependencies between different systems, assets, and processes to provide a comprehensive view of the organisation’s cyber risk exposure.

Cyber risk quantification is a complex and evolving field. Your organisation will need to choose its methodologies and tools based on its own specific needs, industry, and risk appetite and review them regularly to keep pace with the rate of change. Your IT Security team should aim to provide stakeholders with quantitative insights that support effective risk management and mitigation strategies.

How do I quantify cyber risk?

You need to take a structured approach that combines qualitative and quantitative methods. There isn’t a one-size-fits-all approach, but most methods will involve the following steps:

Identify and classify assets

Start by identifying and categorising your organisation’s critical assets, including systems, applications, data, intellectual property, and infrastructure. Classify them based on their sensitivity and their importance to the organisation.

Identify and assess threats

What are the cyber threats that could target your assets? Consider those that are both external (hackers, malware, data breaches) and internal (negligent or disgruntled employees). Assess the likelihood and potential impact of each threat based on historical data, industry trends, and expert knowledge.

Assess vulnerabilities

What are the vulnerabilities and weaknesses in your systems and processes that could be exploited? This includes evaluating factors such as the effectiveness of security controls, patch management practices, and employee awareness. Assess the potential impact of exploiting each vulnerability.

Estimate likelihood and impact

Use a combination of expert judgment, historical data, and threat intelligence to estimate the likelihood and potential impact of different cyber events. This can be done through qualitative assessments (low, medium, high) or quantitative measures (like probabilities and impact scales).

Quantify financial impact

Include both your direct costs – fines, incident response, legal fees – and indirect costs (for example business interruption, reputational damage, loss of business). Consider the immediate and long-term financial effects.

Assign values to risk factors

A relative scale will rank your risks as low, medium, or high, while a numeric scale will generally organise them from 1 to 10.

Calculate risk exposure

Multiply the likelihood and impact values. This provides a measure of the risk severity or priority for each risk.

Prioritise and manage risks

Prioritise cyber risks based on their calculated risk exposure and other factors, such as strategic importance and available resources. Develop risk mitigation and management strategies for high-priority risks, including implementing controls, risk transfer mechanisms (for example, insurance), and incident response plans.

Review and update

Cyber risk constantly changes, so it’s important that you continuously review and update your risk quantification. As the threat landscape evolves, new vulnerabilities emerge, and your organisation’s assets and operations change. Reassess and update your risk assessments and quantification models accordingly.

Remember that cyber risk quantification is an ongoing process, and therefore requires ongoing monitoring, refinement, and adaptation to effectively manage the evolving cyber threat landscape. It can be beneficial to involve cross-functional teams, including cybersecurity professionals, risk management experts, and senior management.

What is a cybersecurity rating and how is it arrived at?

A cybersecurity rating, also known as a cyber risk rating or security score, is a measure of an organisation’s cybersecurity posture and its ability to protect against cyber threats. It provides an assessment of the organisation’s overall security controls, vulnerabilities, and potential risk exposure. Cybersecurity ratings are often provided by specialised third-party companies that evaluate and rate the cybersecurity of various organisations.

Each sector will have its own way of using security ratings.

An organisation’s security rating is decided after a thorough vetting process:

• Data collection: The cybersecurity rating provider will collect data about the organisation’s cybersecurity practices. This may include information from publicly available sources, such as regulatory filings, websites, and social media. The provider may also request additional data directly from the organisation (security policies, incident response plans, audit reports etc.).

• Evaluation of security controls: The provider will scrutinise the organisation’s security controls, including technical measures (firewalls, encryption, access controls), organisational practices (security policies, employee training), and risk management processes (vulnerability management, incident response). The evaluation may involve reviewing documentation, conducting interviews, and performing technical assessments.

• Vulnerability analysis: The rating provider scans the organisation’s systems and networks to identify vulnerabilities that could be exploited by cyber threats. This may involve automated vulnerability scans, penetration testing, or analysis of security logs. The findings are then compared against industry best practices and known vulnerabilities to assess the level of risk.

• Threat intelligence analysis: The rating provider considers external threat intelligence sources to assess the organisation’s exposure to current cyber threats. This includes analysing indicators of compromise (IoCs), emerging threat trends, and known attacks targeting similar organisations. The analysis helps determine the organisation’s susceptibility to specific threats and the effectiveness of its defences.

• Risk scoring and rating: Based on everything discovered about the organisation during the vetting process, the cybersecurity rating provider assigns a risk score or rating to the organisation. The rating may be presented on a numerical scale, letter grades, or descriptive levels (low, medium, high). The higher the rating or score, the greater the perceived cybersecurity risk.

It’s important to note that different cybersecurity rating providers may have their own methodologies and criteria. These methodologies may consider different factors and weightings, resulting in variations in the ratings provided. Therefore, it’s advisable to understand the specific methodology used by the rating provider and consider multiple sources of information when evaluating an organisation’s cybersecurity posture.

Cybersecurity ratings can be valuable for organisations to assess their own cybersecurity maturity, benchmark against industry peers, and make informed decisions regarding risk management and cybersecurity investments. They can also be used by third parties – clients, business partners, suppliers and so on – to evaluate the cybersecurity posture of an organisation before entering into a relationship with it. Insurers may use them to determine premiums.

How do I perform a cyber security risk assessment?

Remember that a cyber security risk assessment is an ongoing process, and it should be regularly reviewed and updated to account for changes in technology, threats, and business operations. It is also important to involve cross-functional teams, including IT, security, risk management, and senior management, to ensure a comprehensive and coordinated approach to managing cyber risks.

Achieving this is usually only possible with the help of a third-party provider and an automated process for capturing real-time information. For example, among other things we can help you to:

• Define the scope of your risk assessment, including the systems, networks, applications, data, and processes that will be evaluated, along with any specific regulations, industry standards, or compliance requirements that your organisation needs to meet.

• Identify potential cyber threats that could target your assets. This includes both external threats (hackers, malware, phishing) and internal threats (employee negligence, insider threats), with an eye to industry-specific threats and emerging trends.

• Identify vulnerabilities and weaknesses in your systems and processes that could be exploited.

• Assess the likelihood of threat actors exploiting your vulnerabilities and causing harm. 

• Evaluate the potential impact of a successful cyberattack on your organisation. This would consider both financial impacts (financial loss, operational disruptions, legal liabilities) and non-financial impacts (reputational damage, regulatory penalties, customer trust).

• Calculate the level of risk for each identified threat.

• Prioritise the identified risks based on their calculated risk levels, considering factors such as potential impact, likelihood, and available resources. This will allow you to focus on the risks that pose the greatest threat to your organisation.

• Document the findings of the risk assessment, including the identified risks, their associated risk levels, and the recommended mitigation strategies. We can generate reports on the results that will be easily understood by all relevant stakeholders, including management, IT teams, and other key personnel. This is important for gaining support and resourcing for all risk mitigation efforts.

• Continuously monitor and regularly review the effectiveness of your risk management strategies and your risk environment.