Updated: Feb 10
Risk is inherent to the enterprise world but difficult to assess and measure. In particular Cyber risk, which keep increasing despite IT security budget augmentation. In order to decide on which IT controls they should funnel resources and expertise, enterprises need to quantify cyber risk in financial terms.
Discussions about risk are always difficult in a world of miscalculated risk. And more so in the enterprise when the definition of the word entrepreneur shows that risk is actually inherent to the nature of the enterprise world.
Indeed, when proposing their services or products to the market, all organisations figure in more or less reliable ways their risk/reward ratio (cf: Airbus CFO Hans Peter Ring on pricing risk) in order to weight their odds of success. No risk taking means no or little reward. That is why Enterprise Risk Experts like James Lam and others have long advocated the use of risk-adjusted ratio to measure profitability (i.e. performance) of an organisation rather than the standard ROA (return on Assets).
Today, organisations face a formidable new set of risks with cyber risks. As Ginny Rometty explained in 2015, if data is the new natural resource in the era of the data economy, "then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.” As a result, cyber security investments keep soaring, fuelled by vendor hype and ever more media exposure . While some may argue that with increased maturity, investment growth will eventually slow down, Gartner and other analysts continue to report on rapid growth of investments in security solutions in 2018 - 19 (+8,7% YoY).
Yet, despite increasing budget, companies are dealing with on-going cyber attacks (including a growing number of successful ones) and struggle to find and properly use their human and financial resources to resist.
In the past few years, Enterprise have improved their risk management using frameworks like NIST, ISO 27005, EBIOS and others. But while helpful in guiding the set-up of a risk management program, those standards remain non prescriptive in the quantification of risk. As a consequence, many companies still focus on being compliant with best practices rather than measure (ie quantify) which IT controls are effectively most relevant to their situation.
According to Gartner, that is changing and the analysts advise to put the emphasis back onto risk and transition from Governance, Risk and Compliance (GRC with its heavy emphasis on compliance) to Integrated Risk Management (IRM which puts back risk in the limelight). In parallel, more new regulations like GDPR and CCPA keep on putting pressure on Security and Risk Manager to explain, in financial terms, to their business leaders how much risk they have and how much less they will have as a consequence of further cybersecurity investments.
That is precisely what cyber risk quantification and the now well established FAIR Standard (Factor Analysis of Information Risk) are all about : helping make decisions about cyber security by presenting more objective and defendable information to link business goals and risk remediation plans. It's about "inform[ing] stakeholders and partners of the organisation's intentions when taking on risk".
Douglas Hubbard in his book “How to Measure anything” and Jack Jones in his book “Measuring and Managing Information Risk” both remind us that a real decision is characterised by several properties: an alternative between at least 2 options; a degree of uncertainty between those choices and a negative consequence if and when the wrong option is chosen. Thus, for the most important decisions, measures and quantification exist to decrease the level of uncertainty to a point where the decision maker feels confident he can make an enlighten choice. In the context of cyber security, it's critical that an organisation may decide, based on cyber risk financial quantification, whether it is investing enough and on the right cybersecurity controls.