Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
0 likes134 views
The document discusses the critical components and methodologies for quantifying cyber risks, emphasizing the importance of good data for effective business impact assessments. It outlines various statistical analyses, risk modeling techniques, and simulation methods such as Monte Carlo to estimate financial impacts and improve decision-making. The author warns against oversimplified risk communication approaches, advocating for more precise tools to assess and convey cyber risk accurately.
Stronger 2021 Building the Blocks to Quantify Cyber Risks - Prof hernan huwyler
- 1. Building the blocks to quantify cyber risks Prof. Hernan Huwyler, MBA CPA #STRONGER2021
- 2. 01 Data to performance Business impact assessments Statistical analysis 02 03 04 05 06 Risk modeling Quantification Communication
- 3. Data to Performance You need to obtain good data to quantify your cyber security risks Good data will help you to decide priorities and investments today to maximize the performance tomorrow
- 4. Business impact assessment You need to assess the financial impact on the confidentiality, integrity and availability objectives if a cyber risk materializes The financial impact should be broken down into number of records, affected parties and downtime hours
- 5. Business impact assessment Confidentiality Integrity Availability IT Asset IT Process IT Service Record . Cost Record . Cost Downtime . Cost You can model multiple scenarios with their own distribution Triangular Lognormal Discrete Uniform Paretto Normal
- 6. Business impact assessment Profitability losses of potential and current clients Regulatory fines IP and competitive losses Cost of changing the CISO Secondary impact Downtime costs Notification and response costs Damage on IT assets Contractual penalties Fraud losses Primary impact
- 7. Statistical analysis You can use external data by adjusting significant variances between industries, geographies, organization sizes, and business models for your organization
- 8. Statistical analysis Threat attacks statistics • Budget vs. actual by project • Incident database • Fraud and social engineering • Penetration testing findings • Discovered security vulnerabilities • Malware logs
- 9. Statistical analysis Threat attacks statistics • KPIs for SLAs and outsourcing contracts • Ongoing due diligence results • Lost and early disposed IT assets • Maintenance analysis
- 10. Stadistical analysis Threat attacks statistics • Data loss prevention logs • Help desk analysis on IT issues • API gateway protection logs
- 11. Model backtesting You can measure the impact of risk incidents and compare plans against actual outcomes to improve your risk data and use regression‐based methods
- 12. Quantification
- 13. Risk modeling Prevent data coctaiks Objective centric Template in native MS Excel Simple Address multiple scenerarios Uncertainty Compare with cyber insurance, investments and control costs Decision- centric
- 14. Scoring and data cocktails If you assess cyber risks using scores or data cocktails with useless formulas for inherent risks, general data and control efficiency scores disconnected from the concrete objectives for the IT assets, you are just wasting time and inciting wrong decision making
- 15. Monte Carlo Simulation Min Max Confidence Interval Loss USD Nr Cases
- 16. Monte Carlo Simulation Confidence Interval Standard Error 80% 2.56 90% 3.29 95% 3.92 99% 5.15 z*-value*2 2 Ln (Max) + Ln (Min) Standard Error P(A), μ = , σ = Ln Single Loss USD = Ln (Max) - Ln (Min) =LOGNORM.INV(RAND(),(LN(Max)+LN(Min))/2,(LN( Max)-LN(Min))/standard error),0)
- 17. Monte Carlo Simulation Single Loss Estimation Tool https://shorturl.at/iCFHI
- 18. Communicating
- 19. Heat maps and risk matrices If you assess and communicate your cyber risks with colors and adjectives, you are just committing malpractice and creating liabilities for your organization
- 20. Loss exceedance curve Loss USD 0.001 0.1 10 0% 25% 50% 75% 100% Loss chance 5% 95% .001 .01 .1 1 10 100
- 21. Tornado chart Expected cost USD Error in use Ransomware Misconfiguration Phishing -50 0 50 100
- 22. Histogram Expected cost USD 0 10% 20% Density 0 50 100 200 300