If you’re following the news on cybersecurity – and it’s hard to miss these days – you may have the impression that cyber risks are coming from all directions in a wide variety of shapes, sizes and nastiness. You may have read about “risks” such as the cloud, weak passwords, cybercriminals, sensitive consumer information and many more.
In fact, none of these are risks – they’re environments (the cloud), controls failures (weak passwords), threats (cybercriminals) and assets (consumer information) – but not risks in a definition that business leaders would understand, as events that cause a loss you can put a cost on.
Thinking about Risk in Loss Event Scenarios
At RiskLens, we’ve built our risk analytics platform on Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk analysis with quantification.
FAIR teaches us that a risk (or loss event) can only be analyzed as a scenario, with a threat actor impacting an asset by some means resulting in some effect (on Confidentiality, Integrity, Availability).
Here’s a scenario:
“Analyze the impact associated with malicious external actors breaching the confidentiality of sensitive company data accessible on a lost/stolen mobile device.”
Scenario in hand, we can gather data to quantify the various factors (FAIR identifies them) that will together tell us the frequency (for instance, how often are we likely to suffer breaches) and the magnitude (for instance, what are breaches likely to cost us) of an event.
Applying FAIR analysis (and Monte Carlo simulation), we can generate a range of probable outcomes in dollar terms for any loss event. (NOTE: FAIR is an open standard; RiskLens makes FAIR analysis practical for business, using proprietary algorithms developed with the creator of FAIR, Jack Jones.)
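To make the frequency-and-magnitude idea concrete, here is an added example (not RiskLens code and not taken from the FAIR standard): a minimal Monte Carlo simulation of annual loss for the lost/stolen mobile device scenario. The three-point estimates, the choice of PERT and Poisson distributions, and all function names are assumptions made for illustration.

```python
import math
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """Sample a PERT (scaled beta) value from a min / most likely / max estimate."""
    span = high - low
    a = 1 + lam * (mode - low) / span
    b = 1 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span

def poisson(rng, mean):
    """Knuth's method: how many loss events occur in one simulated year."""
    limit, count, p = math.exp(-mean), 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count

def simulate_annual_loss(freq, magnitude, years=20_000, seed=1):
    """Return sorted simulated annual losses (USD), one per trial year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert(rng, *freq)            # uncertain loss event frequency
        events = poisson(rng, rate)        # events that land in this year
        losses.append(sum(pert(rng, *magnitude) for _ in range(events)))
    return sorted(losses)

def summarize(losses):
    """Condense the trials into the range of probable outcomes."""
    n = len(losses)
    return {
        "p_any_loss": sum(1 for x in losses if x > 0) / n,
        "mean": statistics.fmean(losses),
        "p50": losses[n // 2],
        "p90": losses[int(n * 0.9)],
        "max": losses[-1],
    }

# Constructed estimates (min, most likely, max) for the lost/stolen device
# scenario; these are illustrative assumptions, not data from the article.
FREQ = (0.1, 0.5, 2.0)                     # loss events per year
MAGNITUDE = (20_000, 150_000, 1_200_000)   # USD per loss event

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss(FREQ, MAGNITUDE)).items():
        print(f"{name:>10}: {value:,.2f}")
```

The output is a distribution rather than a single number: the share of years with any loss, the average annual loss, and the tail percentiles that show how bad a bad year could be.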
Risk Scenarios Fall into Seven Categories
Just as scenarios focus our data gathering and analysis on specific, quantifiable risks, we can aggregate risk scenarios to generate insights into broad categories of risks, highly useful for benchmarking any organization’s risk posture against peers in its industry.
The RiskLens data science team crunched the numbers on a vast collection of over nine million scenarios covering a huge range of data inputs and analysis outcomes and sorted by industry. They found that virtually all cyber risk scenarios could be grouped into one of seven categories.
1. Ransomware
Malware-based attack designed to pressure a company to pay a ransom by encrypting and withholding access to systems or files, and further extorting the victim by threatening to make sensitive information public. An apparent ransomware attack may also be a cover for “wiper” malware intended purely for destruction of data and systems.
2. Insider Error
Misconfigurations, failure to renew expired certificates, improper publishing and other errors by staff members can have damaging consequences to the bottom line.
3. Insider Privilege Abuse
Whether it is the intentional and malicious disclosure or modification of sensitive data or a logic bomb taking down the network, your most trusted employees can cause significant loss to the company by sabotage.
4. System Intrusion
Through code exploitation or good old fashioned brute force password guessing, a bad actor gets a foothold in your network and can access your most sensitive assets, resulting in a data breach, business interruption or other perils. This category does not include ransomware or social engineering-based attacks.
5. Social Engineering
Tricking insiders into sharing confidential or personal information or making a payment, often through an email that appears to come from a friend, a well-known brand or business partner, possibly resulting in data breach or business interruption if an attacker gains entry to the network.
6. Web Application Attacks
Compromise of a web application via brute force or code exploitation to create business interruption or data breach, or possibly gain a foothold to target critical assets.
7. Denial of Service
Attackers flood the victim’s system with traffic, making it unavailable and leading to business interruption.