Introduction
Cyber attacks, data breaches and all their variations have gone mainstream. Only board members, top management teams and luddites who have been living under a rock for the past 20 years are not aware of cyber-attacks and the business headaches they introduce.
Knowing about the “cyber attack” bogeyman is one thing, but I wonder how many business leaders know what this means for their organization. In most cases the goal is not to show up in the Financial Times after a cyber attack; just ask the business leaders at Sony, JP Morgan and Maersk.
The reality is that most business leaders do not have the technical background to wrap their heads around the cyber jargon that cyber experts throw their way. Most boards hardly have anyone with general Information Technology or digital knowledge let alone cyber security knowledge. The winners: cyber consultants, vendors and cyber security software companies.
In fact, according to a Deloitte report in the Wall Street Journal, most CIOs (Chief Information Officers) struggle to answer key questions about cyber risk posed by executive teams.
Questions such as:
1. “How likely are we to experience a damaging attack?”
2. “How effective are our existing cyber risk mitigation measures?”
3. “If we spend $20 million more on cyber risk mitigation, how much would that reduce our risk?”
If CIOs, as the experts, can’t effectively answer these questions, how then do we expect investors, shareholders and board members to understand and incorporate cyber risk into their strategy and investment decision-making processes?
Threat-based approach to cyber security
A prime reason why this could be the case is the prevailing approach to cyber risk management, which is a threat-based approach.
Under a threat-based approach, most organisations build up their cyber capabilities and capacity based on the perceived threat landscape. The general process of conducting a risk assessment looks at prevailing threats, internal vulnerabilities and the probability of those threats manifesting to compromise your information assets. This sounds logical and good on paper; however, it assumes your organization is staffed by super cyber geniuses who have their finger on the pulse of an ever-changing cyber threat landscape. News flash, it’s not.
Half the job in doing qualitative cyber risk assessments is being a guru at thumb-sucking risk thresholds and “guestimating” them into Low, Medium and High risk buckets.
When it comes to quantitative cyber risk assessments, unless your team is comprised of hybrid actuarial scientists, financial analysts and cyber gurus, chances are you don’t have a definitive dollar number for the harm a known threat would cause. This is something insurance companies are currently struggling with when it comes to cyber insurance (Merck settles $1.4 billion cyberattack case against insurers). Their response is to tighten up the cyber jargon in their policies to avoid paying; essentially, you are on your own.
Challenges posed by a threat-based approach to cyber risk management
This approach to cyber risk management introduces some problems.
The focus on threats and vulnerabilities introduces an organisational cyber risk lingua franca that is focused on threats, meaning that the cyber security conversation is driven by threat language such as phishing, malware, ransomware, botnets, spear phishing, intrusion detection and other terms associated with defending against these threats. Not only does this alienate those who are not interested in cyber security, but it also focuses the organisation on the ever-moving and changing threat landscape.
Because cyber threats are consistently evolving, a threat-based approach means that the organisation is always approaching cyber events in a reactive rather than proactive manner. We have to wait until new threats emerge to figure out how to build defences against them. What happens when threats and threat types emerge so quickly that we can’t respond? Well, the answer has been demonstrated by insurance companies refusing to pay for certain cyber claims, which organisations only found out about after the fact. This means that certain cyber events are uninsurable (Risk managers warn cyber insurance could become ‘unviable product’).
Focusing on threats and vulnerabilities to conduct risk assessments ignores the cascading effect of cyber harm, meaning that a risk assessment might identify the financial harm of data being breached but not account for the psychological harm caused to consumers if that data gets breached. This psychological harm erodes stakeholder value.
Establishing the true cost of a cyber event, as well as the related investment in cyber security, is difficult because the focus is on threats and preventing them from manifesting. If they don’t manifest, is it because we spent enough on cyber security, and what was the actual return on that investment? If they do manifest, is it because we spent too little, and how much harm did they cause the organisation? A generally accepted metric of ROI on cyber security investments is operational resilience, keeping the lights on. But sometimes the lights are on but nobody is home.
This is why most CIOs cannot confidently answer the questions posed by the board. Let’s not lay this solely at the feet of CIOs and CISOs; generally, the board can’t answer these questions either, and at the end of the day it is ultimately responsible for protecting stakeholder value.
Cyber Harms: An Impact-based approach to Cyber Risk
A cyber harm (Agrafiotis et al., 2018) is defined as the harm/damage that an organisation can experience from a successful cyber attack. The organisational financial harm caused by a cyber attack is well known, but less discussed are the Physical, Economic, Psychological, Reputational and Social/Societal harms caused to all stakeholders, i.e. customers, suppliers, environment and community.
A taxonomy of Cyber harms
Agrafiotis et al. (2016) have come up with a taxonomy of cyber harms that can help to direct this conversation.
1. Physical/Digital Harms
Physical Harms of a cyber attack are the actual physical harm to infrastructure, digital systems and people that can occur. This includes the destruction, theft, and corruption of digital assets or the injury, loss of life and pain caused to individuals.
2. Economic
Economic harms look at the financial bottom-line harms that can be caused by a cyber event. This considers aspects such as a fall in share price, reduced profits, growth and investments, extortion payments and compensation payments.
3. Psychological
Psychological harm considers aspects such as confusion, discomfort, depression, embarrassment, frustration and guilt that are experienced by the organisation’s stakeholders after a cyber attack.
4. Reputational
Reputational harm considers elements such as damaged public perception, inability to hire desired staff, media scrutiny, reduced credit scores and reduced business opportunities that arise from the reputational damage caused by a cyber attack.
5. Social and Societal
Social and Societal harm considers harm caused to the society at large that depends on an organisation’s services. These harms could be the disruption of daily life activities, a negative impact on the nation and a drop in internal organisational morale.
Asset to Harm relationship
Instead of thinking of cyber risk in terms of threats and vulnerabilities that can affect your assets, a better approach is an impact-based approach. An impact-based approach focuses on your assets and the harm that can be caused to stakeholders if that asset is compromised.
Instead of analysing the threat-to-asset relationships to devise security controls, an impact-based approach analyses the asset-to-harm relationship to devise the relevant security controls.
Benefits of an Impact-based approach to Cyber Risk
The impact-based approach of focusing on harms can potentially help us better answer the questions that we outlined above.
1. “How likely are we to experience a damaging attack?”
While this question seems to be focusing on the likelihood of an attack, the keyword is damaging. No one cares about attacks that do not cause damage (well, not no one). By analysing the asset-to-harm relationships within the organisation we are better equipped to identify and quantify the “damage” or harm that can be caused by a cyber attack. Without full knowledge of the extent of the damage/harms that can be caused by a cyber-attack it is harder to answer this question. A threat-based approach might be able to shed some light on the likelihood of an attack based on the security controls we have put in place against known cyber threats, but it won’t answer the rest of the question: what’s the potential damage? That is the more important part of the question.
One could say, if we were to experience a cyber-attack, these are the potential first, second and third-order harms that we could incur and this is what we have done to manage those harms regardless of whether the attack is successful or not.
In this day and age, no one can confidently state the likelihood of an attack, but you can at least state the harms you expect and what’s been done to manage them.
2. “How effective are our existing cyber risk mitigation measures?”
By analysing the asset-to-harm relationship in devising security controls, an organisation is able to look at its assets devoid of any cyber threats and merely analyse the various harms that can be caused to stakeholders through that asset. This broadens the understanding of the harm that can be caused if that asset is compromised, thereby allowing the organisation to be more precise in devising security controls and harm mitigation measures that are aimed at reducing or avoiding those harms.
A better way to answer the question of risk mitigation measures is, instead of pointing out potential threats and measures put in place to thwart those threats, consider talking about the assets and harms that have been identified and the mitigation measures implemented towards managing those harms.
For example, implementing ransomware protection and recovery software reduces the risk of a ransomware attack and improves recovery times in case of a successful attack. That by itself is an effective mitigation measure against ransomware. However, this mitigation measure does not consider the psychological or physical harm that can be caused by a successful attack. This was the case in a US hospital that was attacked by ransomware: while the systems were recovered, patient deaths were recorded during that downtime (A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death).
A better mitigation measure would have started by asking what harms could be caused if we lost our core hospital systems for 5 minutes. It would then have been easy to identify the physical and psychological harms and perhaps build cyber risk mitigation measures that can manage those harms. This means considering the effectiveness of cyber risk mitigation measures in reducing or managing harm as opposed to their effectiveness in safeguarding against an ever-changing threat landscape.
3. “If we spend $20 million more on cyber risk mitigation, how much would that reduce our risk?”
By looking at this question through a threat lens, the $20 million can only be spent on implementing more mitigation measures against known threats and the bottomless pit of unknown threats.
But by analysing the asset-to-harm relationship, organisations are forced to look at immediate harms as well as the second- and third-order cascading harms that can be caused by a cyber event. For example, we can establish the cost of a 24-hour disruption to service, which in most cases is measured as financial harm, but that harm can cascade into psychological or even physical harm to stakeholders. It is difficult to answer this question if one does not comprehend the extent of the harm one faces. A harms-based conversation changes the scope from infinite threats to finite harms, which brings us closer to what the true cost of a cyber event could be and how much we should be spending on protecting those assets and stakeholders.
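As an added illustration (not code from this article or from Agrafiotis et al.), here is a small Python model of the asset-to-harm relationship discussed in this section and in the hospital example above: assets point at first-order harms, harms cascade into second- and third-order harms across the five taxonomy categories, and an asset’s exposure is summed per category. The HarmModel class, its methods, the hospital assets, harm names and weights are all assumptions of this example; the weights are constructed illustrative units, not measured costs. Walking only first-order harms reproduces the narrow “downtime cost” view the ransomware example criticises; walking three orders shows what that view leaves out.

```python
from collections import defaultdict, deque

# The five harm categories of the cyber-harm taxonomy cited in the article.
HARM_TYPES = ("physical", "economic", "psychological", "reputational", "social")


class HarmModel:
    """Asset-to-harm graph (hypothetical helper for this example).

    Assets link to first-order harms; harms cascade to downstream harms.
    """

    def __init__(self):
        self.harms = {}                        # harm_id -> {"type", "stakeholder", "weight"}
        self.first_order = defaultdict(list)   # asset -> [harm_id]
        self.cascades = defaultdict(list)      # harm_id -> [downstream harm_id]

    def add_harm(self, harm_id, harm_type, stakeholder, weight):
        if harm_type not in HARM_TYPES:
            raise ValueError(f"unknown harm type: {harm_type}")
        if weight < 0:
            raise ValueError("weight must be non-negative")
        self.harms[harm_id] = {"type": harm_type, "stakeholder": stakeholder, "weight": weight}

    def link_asset(self, asset, harm_id):
        self._check(harm_id)
        self.first_order[asset].append(harm_id)

    def add_cascade(self, cause, effect):
        self._check(cause)
        self._check(effect)
        self.cascades[cause].append(effect)

    def _check(self, harm_id):
        if harm_id not in self.harms:
            raise KeyError(f"harm {harm_id!r} not defined")

    def harms_by_order(self, asset, max_order=3):
        """Breadth-first walk from the asset's first-order harms.

        Each harm is recorded once, at the lowest order at which it is reached,
        so a harm reachable along several paths is not double-counted.
        Returns {order: [harm_id, ...]}.
        """
        orders = {}
        queue = deque((h, 1) for h in self.first_order.get(asset, []))
        while queue:
            harm_id, order = queue.popleft()
            if harm_id in orders or order > max_order:
                continue
            orders[harm_id] = order
            for nxt in self.cascades.get(harm_id, []):
                queue.append((nxt, order + 1))
        by_order = defaultdict(list)
        for harm_id, order in orders.items():
            by_order[order].append(harm_id)
        return dict(by_order)

    def exposure(self, asset, max_order=3):
        """Weight summed per harm type over every harm reachable within max_order."""
        totals = {t: 0 for t in HARM_TYPES}
        for ids in self.harms_by_order(asset, max_order).values():
            for harm_id in ids:
                h = self.harms[harm_id]
                totals[h["type"]] += h["weight"]
        return totals

    def rank_assets(self, max_order=3):
        """Assets ordered by total exposure, highest first: where protection spend goes."""
        return sorted(self.first_order,
                      key=lambda a: -sum(self.exposure(a, max_order).values()))


def hospital_example():
    """Constructed sample modelled on the article's hospital outage scenario.

    Weights are illustrative units chosen for this example, not measured costs.
    """
    m = HarmModel()
    # First-order harms: what happens the moment the asset is unavailable.
    m.add_harm("downtime_cost", "economic", "organisation", 40)
    m.add_harm("care_delayed", "physical", "patients", 60)
    # Second-order harms that cascade from the first.
    m.add_harm("patient_distress", "psychological", "patients_and_families", 30)
    m.add_harm("media_scrutiny", "reputational", "organisation", 25)
    # Third-order harms.
    m.add_harm("compensation", "economic", "organisation", 35)
    m.add_harm("community_trust", "social", "community", 20)
    m.add_harm("staff_morale", "social", "staff", 15)

    m.link_asset("core_clinical_systems", "downtime_cost")
    m.link_asset("core_clinical_systems", "care_delayed")
    m.add_cascade("care_delayed", "patient_distress")
    m.add_cascade("care_delayed", "media_scrutiny")
    m.add_cascade("downtime_cost", "media_scrutiny")   # reachable twice, counted once
    m.add_cascade("patient_distress", "compensation")
    m.add_cascade("media_scrutiny", "community_trust")
    m.add_cascade("media_scrutiny", "staff_morale")

    # A second asset whose only harm is direct financial loss, for ranking.
    m.add_harm("billing_outage", "economic", "organisation", 50)
    m.link_asset("billing_system", "billing_outage")
    return m


if __name__ == "__main__":
    model = hospital_example()
    for asset in model.rank_assets():
        print(asset, "first-order only:", model.exposure(asset, max_order=1))
        print(asset, "three orders:    ", model.exposure(asset))
```

For the constructed hospital data, the first-order view of core_clinical_systems shows 40 units of economic and 60 of physical harm and nothing else; the three-order walk adds psychological, reputational and social harm plus a further economic harm (compensation), more than doubling the total. That gap is the part of the $20 million question a threat-only view cannot price.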
Conclusion
Yes, it is difficult to answer questions about the likelihood, damage and cost of a cyber-attack, especially because most organisations are a step, or two, or ten behind the ever-changing threat landscape. However, an impact-based approach focused on harm takes us out of the reactive mode and into the proactive and adaptive mode, which is what is required to combat these challenges.
Key References
Agrafiotis, I. et al. (2018) ‘A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate,’ Journal of Cybersecurity, 4(1). https://doi.org/10.1093/cybsec/tyy006.
Agrafiotis, I. et al. (2016) ‘Cyber Harm: Concepts, Taxonomy and Measurement,’ Social Science Research Network [Preprint]. https://doi.org/10.2139/ssrn.2828646.