
Financial quantification of cyber risk is key to reduce your exposure to ransomware losses

In the fight against cyber threats, financial quantification of cyber risk (CRQ) is often overlooked, even though it is a powerful method for managing your cyber security more effectively. In this article, we will focus on a ransomware case.

The true financial cost of a ransomware incident is often far higher than the extortion payment alone. Here's how to gauge the true financial impact more effectively so you can target your investment in security controls to manage your cyber risk.

An article from Grégoire Paillas, Training Manager
Published October 17, 2023
Updated October 17, 2023

10 per day. This, according to the FBI's Internet Crime Report, is the number of ransomware attacks reported globally – and many experts believe this figure underestimates the scale of the problem. This statistic takes on its full meaning next to the seven-figure sums often demanded, and sometimes paid, for victims' data to be decrypted, as in the cases of Colonial Pipeline or Brenntag.

But here's what you might not expect: the ransom is only a fraction of the true cost. Analysis by Check Point Research and Kovrr found that the extortion – when paid – accounted for just 15% of the total cost for victims.

This is where challenges can arise, because we’re dealing in approximations: financially speaking, calculating the cost of cyber events in general, including ransomware, is often very vague. Even the unfortunate victims find it difficult to put a true figure on their losses.

But there are three very good reasons to try to forecast these costs in advance of a possible incident, as it allows organisations to:

  • Understand the stakes involved
  • Evaluate the most suitable protection
  • Prioritise between available controls and mitigations.

In 2001, a CISO and a risk management expert created a methodology to answer these precise questions: how do I measure the risk I am exposed to and the return I will have on the money I spend mitigating it? This methodology is known as Factor Analysis of Information Risk, or FAIR™, and it uses cyber risk quantification (CRQ) to calculate financial loss due to information technology risk. In this article, we’ll share four key steps based on this model that will help reduce your exposure to financial loss from ransomware.


Know what you're protecting

Step 1: A better understanding of your business

Before we try to anticipate any cost or loss, let's be pragmatic and focus on what is accurately definable and measurable: business as usual. Why? Because when time and budget are limited, we need to frame our analysis using a limited number of scenarios. When there is a limit there is also a prioritisation, which we determine by asking the following question: where is the most money to be lost? Or to put it another way, where can we maximise return on investment (ROI)?

The first sub-step is to land on between one and five key business assets (this number will vary depending on the size of your organisation). All key stakeholders may not agree on the answer to this essential question. But framing is the very foundation of the whole analysis, so we need to arrive at the final choice of assets through a shared view.

Second, you need to get a deep understanding of how these assets work and which mechanisms could lead to the loss of the data or service that makes the asset valuable. Carrying out this analysis for every chosen asset should lead to a list of asset/impact/threat triplets (see below). In effect, we have listed our most critical risks.

Ransomware is going to be the main theme of our example.
Our risk scenario is defined as follows:

  1. Asset: End user devices
  2. Impact: Unavailability of end user devices
  3. Threat: Cybercriminals

Now that we have a better understanding of what we need to protect, the next step is to evaluate the stakes. For every critical risk on your list, you need to build an accurate estimate of financial loss.

Calculate the potential losses

Step 2: Financial quantification of cyber risk

There are many ways to define risk; the most suitable definition for this kind of analysis is the probable frequency and probable magnitude of future loss. (Note: for this approach, we are using a risk model known as Factor Analysis of Information Risk, or FAIR™. This blog focuses on the methodology, key concepts and expected results. For a more detailed description of the FAIR methodology, I recommend you visit the FAIR website.)

For our definition of risk, we highlight two key concepts:

  • Frequency: how many times is a loss event likely to occur in a particular timeframe?
  • Magnitude: when the loss event occurs, how big will the loss be?

Then, we need to detail the kinds of losses as well. We need to distinguish between primary loss – which the primary stakeholders incur from the event itself – and secondary loss, which refers to losses incurred due to the reactions of outside parties.

Instead of trying to estimate a risk as a whole, this methodology estimates every component of the loss separately; the loss magnitude of a risk is then the sum of those components.

Let's apply our risk scenario to a fictitious business. To keep it simple, we'll focus on productivity costs, which could be quantified as follows:

Employees' loss of productivity is calculated using the following assumptions:

  1. 5% to 50% of 100,000 endpoints would be impacted
  2. Outage would last for between 2 and 14 days
  3. Outage would impact productivity by 20% to 50%

Lost revenue from sales is calculated using the following assumption:

  1. Outage would cause 0% to 5% quarterly revenue loss

The two components are then added together: productivity losses = employee loss of productivity + lost revenue from sales.

We can gather the data by interviewing key stakeholders. You need to apply this breakdown of the problem to all loss types associated with a given risk scenario.

Obviously, the model is based on assumptions and therefore uncertainty remains. This is why you need to document any assumptions and show data in ranges, rather than discrete values. This way, the analyst – who may be internal or external to the organisation – can communicate how much uncertainty remains and can increase their confidence that the model is accurate.

This step has allowed us to build an estimate of the financial impact of a risk scenario. Next, we need to identify how to make this impact as low as possible by choosing the best controls for a given IT security budget.

Choose the most suitable security

Step 3: Assess efficiency to prioritise controls

The controls we deploy to mitigate risks work in two ways:

  • Reduce frequency: to lower the probability of loss occurring. (These might include detection and response, or protection controls like firewalls and multi-factor authentication [MFA], or awareness training.)
  • Reduce magnitude: to lose as little as possible (e.g., containment and mitigation actions, repairing reputation).

We advise focusing on only one risk at a time when making decisions about which controls to implement. Indeed, it's not always possible to compare the controls submitted for prioritisation as they may not apply (e.g., third-party management is a control but it would not be relevant to a fully internally managed perimeter).

The FAIR controls analytics model uses the terms ‘intended performance’ vs ‘operational performance’, which speak for themselves. The risk scenarios you think are mitigated thanks to your controls may cause more harm than you anticipated. A model without an operational feedback loop makes only limited sense.

Once you have listed the applicable controls, the internal or external analyst would draft scenarios for packages of those controls. Ideally, you should end up needing to make a decision between two or three packages.

Then, carry out a cyber risk quantification for all package scenarios, to identify which one has the best ROI and/or provides the best risk reduction.

Let's pretend we estimated the loss for our ransomware risk scenario on a range between $7 million and $13 million. Then we defined two possible control packages and we face a decision.

Package 1: Prevent and Detect

Phishing awareness training + deploy endpoint detection and response tooling

Package 2: Respond

Contract insurance policy + Define and test Incident Response and Data recovery processes and tools

Package 1 would decrease the frequency of a loss event but have limited efficiency when a breach occurs, whereas Package 2 would only influence the magnitude of loss by responding to incidents when they occur.

Run one quantification for each possibility and calculate how much each package can reduce the most likely loss. Then challenge the loss reduction with implementation costs. This will result in a sound argument for choosing one package or the other.

If we take a step back, we have just chosen a controls package based on accurate, tenable, documented financial data, and we have the means to justify the ROI of deploying those controls.
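The Step 2 loss assumptions and the Step 3 package comparison can be run as a single Monte Carlo model. The code below is an added example, not part of the original article or of C-Risk's tooling: it draws each driver from the article's ranges (triangular draws standing in for calibrated PERT curves), multiplies by a loss event frequency to get an annualised loss, and then re-runs the model with Package 1 scaling frequency and Package 2 scaling magnitude. The per-endpoint daily value, quarterly revenue, frequency range, control effect sizes and implementation costs are all assumed values.

```python
import random
import statistics

# All figures below are constructed assumptions for the article's fictitious
# business, not data from the original post or from C-Risk.
ENDPOINTS = 100_000
DAILY_VALUE_PER_ENDPOINT = 120.0      # USD of output per endpoint-day (assumed)
QUARTERLY_REVENUE = 80_000_000.0      # USD (assumed)

def loss_magnitude(rng):
    """One draw of loss per event, using the article's ranges for each driver.
    Triangular draws (mode at the midpoint) stand in for the PERT curves FAIR
    practitioners usually calibrate with min / most likely / max values."""
    impacted = ENDPOINTS * rng.triangular(0.05, 0.50)   # 5%-50% of endpoints hit
    days = rng.triangular(2, 14)                         # outage of 2-14 days
    hit = rng.triangular(0.20, 0.50)                     # 20%-50% productivity loss
    employee_loss = impacted * days * hit * DAILY_VALUE_PER_ENDPOINT
    revenue_loss = QUARTERLY_REVENUE * rng.triangular(0.0, 0.05)  # 0%-5% of a quarter
    return employee_loss + revenue_loss

def annual_loss(seed, trials=20_000, freq_range=(0.2, 1.0), freq_factor=1.0, mag_factor=1.0):
    """Annualised loss = loss event frequency (events/year) x loss magnitude.
    freq_factor / mag_factor model a control package acting on either term.
    Returns the mean and the 10th / 50th / 90th percentiles over all trials."""
    rng = random.Random(seed)
    draws = []
    for _ in range(trials):
        lef = rng.triangular(*freq_range) * freq_factor
        draws.append(lef * loss_magnitude(rng) * mag_factor)
    q = statistics.quantiles(draws, n=10)          # q[0]=P10, q[4]=P50, q[8]=P90
    return {"mean": statistics.fmean(draws), "p10": q[0], "p50": q[4], "p90": q[8]}

def compare_packages(seed=7):
    """Baseline vs the article's two packages; the same seed is reused so every
    scenario sees identical draws and only the control effect differs.
    Effect sizes and implementation costs are assumptions for illustration."""
    packages = {
        # Package 1 (awareness + EDR): fewer successful events, same blast radius.
        "Package 1: Prevent and Detect": dict(freq_factor=0.4, cost=900_000),
        # Package 2 (insurance + tested IR/recovery): same frequency, smaller loss.
        "Package 2: Respond": dict(mag_factor=0.5, cost=600_000),
    }
    base = annual_loss(seed)
    result = {"baseline": base}
    for name, p in packages.items():
        cost = p.pop("cost")
        r = annual_loss(seed, **p)
        reduction = base["mean"] - r["mean"]          # expected loss avoided per year
        r["cost"] = cost
        r["roi"] = (reduction - cost) / cost          # net benefit per dollar spent
        result[name] = r
    return result

if __name__ == "__main__":
    for name, r in compare_packages().items():
        print(f"{name:30s} mean=${r['mean']:,.0f}  P10-P90=${r['p10']:,.0f}-${r['p90']:,.0f}"
              + (f"  ROI={r['roi']:.2f}" if "roi" in r else ""))
```

Because the packages are scored on the same draws, the comparison isolates the control effect from sampling noise; swapping the triangular draws for calibrated PERT inputs is the natural next refinement.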

Now, even with effective risk management in place, you may still get hit. So, the next step aims to avoid a potentially fatal blow to the business.

Minimise Impact to your business

Step 4: Avoid a K.O. if you get hit

20% of business owners say a cyberattack could force them out of business, and this figure has risen since last year, according to a survey of more than 5,000 businesses in France, Germany, Spain, Belgium, the Netherlands, Ireland, the US, and the UK by the insurance company Hiscox.

When the time comes that your business gets hit, it's better to be prepared and informed of the loss types and loss magnitude you face. It is best if you have anticipated these costs to try and reduce them as much as possible, while ensuring your firm can absorb such a loss.

This section does not focus on prioritising controls; instead it's about tackling the costs of the scenarios which have the highest impact. The pragmatic approach is the best here:

  • Choose risk scenarios with losses greater than your firm's capacity to absorb them, and/or risk scenarios with loss magnitude that seems too high
  • Identify the worst-case scenario in terms of loss for every risk scenario you choose
  • Identify the cost sources where 20% of effort can be turned into 80% results.

Let's return to our example. In most cases, for the scenario where end user devices have been encrypted with ransomware, the highest costs will originate from employees' loss of productivity and lost revenue from sales. As a reminder, these costs derive from the following assumptions:

  1. 5%-50% of 100,000 endpoints would be impacted
  2. Outage lasting between 2 and 14 days
  3. Productivity impacted by 20%-50%
  4. 0%-5% quarterly revenue loss

So, we want to focus on either:

  • Segmenting the network to limit the percentage of impacted endpoints
  • Training on and testing recovery plans to limit outage duration
  • Improving resilience to limit the impact on productivity and revenue.

As a result of this analysis, even if the controls you chose through your risk assessment end up being breached, you will lose as little as possible.

Conclusion

There are three key takeaways from this exercise:

  • Understanding and reducing the harm a threat could cause to your firm is complex. An efficient way to solve the problem is to split it into smaller problems, scaled to the size of your firm and the number of assets involved. It boils down to achieving efficient risk mitigation for your most valuable assets.
  • You will implement controls anyway, either before or after you are breached. Doing so beforehand helps you save fines, incident management costs, and project costs as securing by design is estimated to be 10 times cheaper than securing after the fact.
  • Measuring the performance of your controls is essential to gaining insight about how protected you are.

Do you know how much a ransomware incident would cost your business? Are you measuring the effectiveness of your cybersecurity investment? Contact us to find out more about our unique cyber risk quantification services.
