Taylor Swift starts The Eras Tour this week, let’s hope in a happy ending to the frustration that fans suffered when tickets first went on sale through Ticketmaster’s online platform last November, and a crush of bots and unregistered users crashed the site. The news got us thinking – what advice would we give a ticketing company on how to reduce this kind of cyber risk?
With our Top Risk Workshop, we would start by helping the ticket company identify crown jewel assets (such as sales platforms or customer databases) and probable risk scenarios. We can safely assume that if their platform were to become unavailable for a certain amount of time, it would cause them quantifiable losses.
After identifying the crown jewel and associated loss scenarios we would then present the company’s top risks – one of them being an outage of their platform during a stadium concert tour sale/presale.
To gather data for our analysis, we would rely on the RiskLens platform’s data helpers and loss tables, pre-populated with targeted, re-usable data built around common risk scenarios and drawing on the internal data of the organization and data specific to their industry.
(The RiskLens data science team has built world-class libraries of curated data to power our enterprise SaaS platform, managed services and My Cyber Risk Benchmark Tool. See the RiskLens Annual Cyber Risk Report for more detail on our data research).
We are guided by Factor Analysis of Information Risk, the FAIR™ standard for modeling cyber risk in quantitative terms that specifies the factors we need to fill in with data to quantify the probable frequency and impact of loss events.
For instance, for this analysis, we entered data on
- Loss Event Frequency (once in about 8 years)
- Lost sales (a low number, as we figured the company would eventually sell the tickets after recovering from the system outage)
- Primary incident response costs (including wages and lost productivity based on industry norms)
- Secondary response costs (including legal fines and judgements, most likely at $10 million, based on the historic figures from RiskLens. This would be the single biggest cost factor in the analysis).
- And several other FAIR factors
The results generated by the RiskLens platform showed average $10.8M million loss per an event or $65.7K in average annualized loss exposure.
With this sort of analysis in hand, a company can see a baseline range of loss exposure and make informed technology investment decisions, starting with a decision on whether the probable loss exposure is beyond their risk tolerance. Let’s assume that’s a yes for our ticketing company, so we can move on to assessing mitigations.
Now let’s assume that our ticketing company is evaluating whether to develop a more stringent registered fan process to eliminate the number of scalpers and bots that hit the platform causing an outage. We assumed some relatively low-cost improvements such as gating entry to the site with a stronger registration process including multi-factor authentication.
We could then use the RiskLens platform to identify how much this option would reduce the risk (average annualized loss exposure of $65.7K).
As you can see in these charts generated by the RiskLens platform, we were able to show that this process improvement would reduce the average annualized risk by over 99% and that the overall ROI is roughly $4 in risk reduced per dollar spent. Therefore, arguably the company could have prioritized this risk mitigation initiative ahead of any actual losses.
With quantification, the guidance is there for anyone needing justification for an important spending effort. The company can go from responding to issues to planning and avoiding losses. With proper risk planning through cyber risk quantification, an organization can avoid disasters and prioritize risk spending for years to come.
Author Jackie Lebo is a Senior Risk Consultant for RiskLens. Learn about professional services at RiskLens.
RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms. Contact us to learn more.