For cyber resilience assurance to be effective, a concerted effort among ecosystem participants is required to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modelling cyber risk. A shared approach to modelling would increase confidence in organizational decisions to invest (for risk reduction), distribute, offload and/or retain cyber threat risks. Implicit is the notion that standardizing and quantifying such measures is a prerequisite for the desirable development and smooth operation of cyber risk transfer markets. Such developments require enterprise risk management (ERM) frameworks to merge with insurance and financial valuation perspectives on cyber resilience metrics.
To pursue the goal of a shared cyber risk quantification approach, members of the initiative have framed the cyber value-at-risk concept. Envisioned to transcend traditional investment value at risk, cyber value-at-risk seeks to unify technical, behavioural and economic factors from both internal (enterprise) and external (systemic) perspectives. Recognizing that organizations have different needs depending on factors such as the maturity of their security environment or the industry and sector they belong to, the goal is not to provide a single model for quantifying risk. This report identifies key components of a framework for cyber risk modelling and for qualifying and quantifying known vulnerabilities in defences, while providing macro-systemic guidance.
For organizations and industry stakeholders to be better positioned to make sound investment and risk mitigation decisions, they need to be able to quantify cyber risk. This can be achieved through a threefold approach:
— Understand the key cyber risk drivers (or components) required for modelling cyber risks
— Understand the dependencies between these components that can be embedded in a quantification model
— Understand ways to incorporate cyber risk quantification into enterprise risk management
While there is no ideal model that initiative members would unilaterally support, they encourage companies and industries to measure and work towards better quantification of cyber risks. The key components identified in the cyber value-at-risk model concept are:
— Existing vulnerabilities and defense maturity of an organization
— Value of the assets
— Profile of an attacker
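To make the three components concrete, the following is an added illustration (not a model from the report or the initiative) of how they can be combined into a loss distribution from which a cyber value-at-risk figure is read off as a quantile. The functional forms and all parameter values (asset value, defence maturity, attack rate, attacker capability, the severity distribution) are constructed assumptions chosen only to show the mechanics; a real model would calibrate each from the organization's own data.

```python
"""Toy cyber value-at-risk (VaR) simulation.

Added illustration, not from the report: the three components the report
names (vulnerabilities and defence maturity, value of the assets, profile of
the attacker) feed a Monte Carlo loss distribution, and VaR is the loss at a
chosen confidence level.  Every parameter and formula here is a constructed
assumption, not a calibrated model.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float          # monetary value exposed to compromise (constructed)
    defense_maturity: float     # 0.0 (no controls) .. 1.0 (mature); lowers attack success odds
    attack_rate: float          # attacker profile: expected attack attempts per year
    attacker_capability: float  # attacker profile: 0.0 .. 1.0, raises success odds and severity


def poisson(lam: float, rng: random.Random) -> int:
    """Poisson sample via Knuth's multiplication method (stdlib has no poisson draw)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def success_probability(s: Scenario) -> float:
    """Assumed per-attempt breach probability: capability scaled by the defence gap."""
    return s.attacker_capability * (1.0 - s.defense_maturity)


def sample_annual_loss(s: Scenario, rng: random.Random) -> float:
    """Draw one simulated year: Poisson attempt count, Bernoulli success, heavy-tailed severity."""
    loss = 0.0
    p_success = success_probability(s)
    for _ in range(poisson(s.attack_rate, rng)):
        if rng.random() < p_success:
            # Severity as a fraction of asset value: lognormal tail, capped at total loss
            fraction = min(1.0, rng.lognormvariate(-2.0, 1.0) * s.attacker_capability)
            loss += fraction * s.asset_value
    return loss


def simulate_losses(s: Scenario, trials: int = 20000, seed: int = 1) -> list:
    """Sorted annual-loss sample; a fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    return sorted(sample_annual_loss(s, rng) for _ in range(trials))


def cyber_var(s: Scenario, confidence: float = 0.95, trials: int = 20000, seed: int = 1) -> float:
    """Cyber VaR: the annual loss not exceeded with the given confidence (empirical quantile)."""
    losses = simulate_losses(s, trials, seed)
    idx = min(len(losses) - 1, int(confidence * len(losses)))
    return losses[idx]


def expected_annual_loss(s: Scenario, trials: int = 20000, seed: int = 1) -> float:
    """Mean of the simulated loss distribution, for comparison with the tail figure."""
    losses = simulate_losses(s, trials, seed)
    return sum(losses) / len(losses)


if __name__ == "__main__":
    # Constructed scenarios: the same assets and attacker, differing only in defence maturity
    baseline = Scenario(asset_value=10_000_000, defense_maturity=0.6,
                        attack_rate=4.0, attacker_capability=0.5)
    weaker = Scenario(asset_value=10_000_000, defense_maturity=0.2,
                      attack_rate=4.0, attacker_capability=0.5)
    for label, s in (("baseline defences", baseline), ("weaker defences", weaker)):
        print(f"{label}: expected loss {expected_annual_loss(s):,.0f}, "
              f"VaR95 {cyber_var(s, 0.95):,.0f}, VaR99 {cyber_var(s, 0.99):,.0f}")
```

The point of the exercise is the shape of the output rather than the numbers: the expected loss and the 95th/99th-percentile losses move apart as the tail thickens, and the same asset base and attacker profile produce a very different VaR once defence maturity changes, which is exactly the sensitivity a risk-transfer or investment decision needs to see.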
This report summarizes the goals and activities of the initiative, its history and status, and the key foundations of the cyber value-at-risk concept. It describes various possible components of the cyber value-at-risk framework, the remaining challenges in moving towards more robust cyber risk quantification, and suggested next steps.