While the value of cyber risk quantification (CRQ) for prioritizing security investments is increasingly clear to private industry, in the government sector, profit and loss aren’t the drivers. How can government infosecurity teams put a financial value on public service — even saving lives — to gain the benefits of CRQ?
RiskLens Risk Science Director, Dr. Jack Freund, answers the question in a post just published on the ISACA blog: Assessing Public Sector Cyber Risk.
In fact, Jack points out, public agencies may already have the knowledge and the data they need.
“When we consider how much citizens rely on their government’s providing basic services and critical infrastructure, it is imperative that we endeavor to accurately reflect the economic impact of the failure of these services,” Jack writes. “…Not providing accurate valuations of the impact on human life will result in a misallocation of resources at best, and unnecessary loss of life at worst.”
The future has already arrived at the U.S. Department of Energy. Deputy CISO Greg Sisson recently told an industry gathering that he is not investing in new security technology until he has set a strategic direction with FAIR cyber risk quantification analysis. (Jack covered that development in an article for Homeland Security Today.) Federal directives are pushing a "risk-based" approach to cybersecurity, and a recent report from the Government Accountability Office found that U.S. agencies consistently fail to meet that standard. Expect to see government officials adopting cyber risk quantification on a widespread basis soon.