How the Public Sector Can Assess Cyber Risk in Financial Terms — Jack Freund in ISACA Blog

August 13, 2019  Jeff B. Copeland

While the value of cyber risk quantification (CRQ) for prioritizing security investments is increasingly clear to private industry, in the government sector, profit and loss aren’t the drivers. How can government infosecurity teams put a financial value on public service — even saving lives — to gain the benefits of CRQ?

RiskLens Risk Science Director, Dr. Jack Freund, answers the question in a post just published on the ISACA blog: Assessing Public Sector Cyber Risk.

In fact, Jack points out, public agencies may already have the knowledge and the data they need.

  • The Value of Statistical Life (VSL) is a concept in use at the US Department of Transportation, FDA, EPA and various public health plans to set a value on a member of the public, a client in effect, for purposes of budgeting investments based on anticipated outcomes.
  • As recent ransomware attacks on city governments in Baltimore, Atlanta and elsewhere have shown, it is all too possible to put a cost on city services going down, from lost revenue on unpaid parking tickets to cancelled flights at the municipal airport.

“When we consider how much citizens rely on their government’s providing basic services and critical infrastructure, it is imperative that we endeavor to accurately reflect the economic impact of the failure of these services,” Jack writes. “…Not providing accurate valuations of the impact on human life will result in a misallocation of resources at best, and unnecessary loss of life at worst.”

The future has already arrived at the U.S. Department of Energy. Deputy CISO Greg Sisson recently told an industry gathering that he’s not investing in new security technology until he’s set a strategic direction with FAIR cyber risk quantification analysis (Jack covered that development in an article for Homeland Security Today). With federal directives pushing a “risk-based” approach to cybersecurity, and U.S. agencies consistently failing to meet that standard, as a recent report from the General Accounting Office found, expect to see government officials solving the equation for cyber risk quantification on a widespread basis soon.