Unprecedented Accuracy on Data Breach Costs from RiskLens Data Science – Presentation to SIRA

June 23, 2022  Jeff B. Copeland

RiskLens Data Science Manager Justin Theriot will present a research paper to the Society of Information Risk Analysts (SIRA) that offers a window into the advanced data science work going on at RiskLens to bring unprecedented accuracy to data breach cost estimates and inform quantitative cyber risk analysis.

Register to attend Justin’s SIRA presentation online, Friday, June 24, 2022, 11:00 AM PDT: Does Decomposing Losses Improve Our Understanding of the Financial Impact of Data Breaches? Admission is free, organization membership not required. 

Advanced Capabilities of RiskLens Data Science

As Justin will discuss, previous modeling of the financial impact of a data breach has focused on the total loss amount.  RiskLens analysis goes deeper by quantifying the components of loss exposure based on Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification that’s the foundation of RiskLens risk analytics.

Figure: Detail of the FAIR model

In their latest work, Justin and team analyzed 18,000 unique cyber events, splitting their financial losses into three FAIR categories (Primary Response Costs, Secondary Response Costs, and Fines & Judgments) composed of the six FAIR forms of loss: productivity, response, replacement, competitive advantage, fines and judgments, and reputation.

The researchers also examined the data from the viewpoints of seven variables: number of records breached, company revenue, region (European Union vs. North America), internal or external threat, error or malicious act, data type, and industry. And they applied four different analytical models as a reality check on one another; previous data analyses have applied just one.

The goal of all this applied science: 1) the highest level of accuracy for the top-line loss numbers, and 2) the deepest insight into the forms of probable loss, so cyber defenders can target controls, mitigation, or insurance with the most cost efficiency: for instance, for a healthcare organization with a certain number and type of records, a certain level of revenue, and so on.

Data Science in Action with the RiskLens Enterprise Platform and My Cyber Risk Benchmark Tool

Users of the RiskLens Enterprise platform for quantitative cyber risk analysis have the benefits of RiskLens data science built in, with pre-packaged data specific to their industry, size and the other variables, ready to plug and play in risk analysis. So do the customers of RiskLens Pro, the managed service, with RiskLens consultants running the analyses on the platform.

Now, any organization can take advantage of RiskLens curated data with My Cyber Risk Benchmark, an easy-to-use tool to quantify cyber risk and present it in terms the business understands. Quickly generate reports showing loss exposure in financial terms across the seven most common risk categories (ransomware, DDoS, etc.), tailored to the organization’s industry, geography, etc. Try it for free now.

Figure: RiskLens My Cyber Risk Benchmark report

Insights into Cyber Risk from RiskLens Data Science 

Increased granularity of data analysis yields a complex picture of cyber risk with many non-intuitive findings:

  • Primary Response Cost (PRC) increases by 5% per 10% increase in the number of records breached, while Fines and Judgments (F&J) increase by 2%.
  • Events involving PHI data are twice as likely to incur F&J.
  • An external threat actor could cause PRC to be up to four times more expensive and increase F&J by 52% but is associated with reducing Secondary Response Cost (SRC) by 42%.
  • F&J are 95% less likely to occur in North America than in the European Union but are 2.75 times more costly when they occur.
  • The industry impacts the probability of SRC occurring to a varying degree, with accommodation, finance, information, public sector, and retail seeing a 60% to 190% increase.

Looking Forward

This level of advanced analysis of cyber loss sets a high bar for the cybersecurity profession. As Justin says, “understanding the financial impact after an event is the first step to understanding how controls reduce a firm’s risk exposure – and that’s our big research push.”