Quantifying Cyber Risk
Quantifying cyber risk. What is it? The concept has its home in financial analysis and portfolio theory, but it’s become increasingly important to cyber security, particularly as business leaders come to understand cyber security as an exercise in risk management. Quantifying cyber risk has three components: vulnerabilities, assets, and adversaries (or threats). When you know the value of your risk, you understand your potential losses over a given period of time. Since so much of our business is transacted online, and since so much of what we value exists in the form of data (also accessible in cyberspace), knowing the value of your cyber risk is crucial to managing your enterprise.

We spoke with experts in the security, insurance and legal sectors about quantifying cyber risk: how you determine it, what you do with it, and why it matters. Ben Beeson leads the Cyber Risk Practice at Lockton Companies. Eric Nordman is Director of Regulatory Services at NAIC, the National Association of Insurance Commissioners. Julian Waits is CEO of Pivot Point Risk Analytics. Emily Mossburg is a principal on Deloitte’s Cyber Risk Services Leadership Team. Howard Feldman is a partner in the Baltimore office of law firm Whiteford Taylor and Preston. And Jack Jones is the originator of the risk management framework known as Factor Analysis of Information Risk, or FAIR, and he’s in charge of research and development at RiskLens.