The Economic Side Of Cyber Security Risk Management
Translating cyber metrics into economic outputs for better informed risk management
Robert (Bob) Vescio is the Chief Analytics Officer of Secure Systems Innovation Corporation, and he is recognized as one of the industry's foremost experts in the area of cyber risk economics. He joined host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and co-hosts Tom Pageler, Chief Security Officer of BitGo, Inc., and Andy Bonillo, VP & CISO of Ciena, on Monday night for episode #80 of TF 7 Radio.
Bringing more than 20 years of experience to this role at SSIC, Vescio is responsible for the creation and development of X-Analytics, the company’s proprietary, patented method for measuring and modeling cyber risk. Previously, Vescio served as the Global Director of Verizon's Advanced Security Services, Verizon's Security Management Programs, and Verizon's MSS Client Services team. In his tenure, he was responsible for pre-sale support, product management, service delivery, and operations, quality and assurance risk modeling, and executive sponsorship.
Biggest Gap Within Cyber Risk Management
Rettas kicked off the show by asking “what is the biggest weakness or gap within cyber risk management that you see in the industry today?”
For Vescio, it's that risk management usually lives outside of cyber, where it translates back to financial terms: for example, the financial risk that you're taking on while buying a piece of property or making a trade. “And what I find is interesting with cyber is that we tend to talk about risk management, but we never bring up the economics,” he said. “And so for me, and for other executives and board members that I speak with, I think we would all agree that if we could start translating cyber metrics, cyber risk metrics, into economic outputs, then better informed risk management decisions could be made at the executive and board level, which right now seems to be a very big leap from the current metrics to what the board and executives are expecting at the end of the day.”
Rettas agreed, “I think it's hard enough just to get people to think about things from a risk-based perspective and prioritize risk in their strategy.” He said that even when we talk about vulnerabilities and how people prioritize the risk and the whole process — and then you get into operations — “I just don't think that a lot of people out there understand, at least in the cyber security space … because you need all these different skill sets. I think, when it comes to not only the measuring the risk, prioritizing the risk, and then executing on that, and where do you get the biggest bang for your buck?”
What CISOs Want To Know About The Economics Of Cyber Risk
So Rettas asked, “What do you think executives and boards want to know about cyber risk when they talk to the CISOs of these organizations?”
According to Vescio, it boils down to two components:
- They’d like to understand on an annual basis how much loss should be expected from cyber incidents or cyber peril. This could be related to data breaches, ransomware, denial of service interruption, etc.
“Ultimately I think that if they could take all of the vulnerability metrics, and incident response metrics, and other metrics that are typical, and translate that into some expected value (we expect to lose $13 million or $15 million or $20 million on an annual basis due to cyber incidents), I think that's one big question that they're looking for an answer to,” Vescio said.
- When something bad happens, then what does that really mean to our organization? What does it mean in direct costs, and indirect costs and opportunity costs like brand damage? And are we talking about something that is catastrophic as in we could lose our entire business, or something that's highly damaging as in it could be worth hundreds of millions, if not billions, of dollars in damage to our organization, or something even less than that?
Vescio added, “So the first part is what is the annual expected loss? And the other part is when something bad happens, what does that damage look like? Then I think we'd be solving a huge part of the equation for the executives.”
Based on Vescio’s experience in talking with executives and boards, somewhere around 1% or less of annual revenue starts to create a comfort level where they can absorb that loss on an annual basis. It is no different than, say, Target realizing it is going to have shoplifters in its stores and absorbing that loss in some capacity.
And so if you can get to that place where they understand what that comfortable place is to absorb the annual expected loss, then Vescio said that it does start to change those conversations. Do we really need to patch that vulnerability? Do we need to really implement that new firewall, or intrusion protection device, or whatever else it happens to be?
“And I think as you put the economics together, you could start making ROI, return on investment-based decisions. And where there is an upside down return on investment, you can decide let's just put the brakes on and not move forward, or maybe it might be better to try to transfer that risk to something else, say like a separate insurance policy that represents a better return on investment,” he said.
The Dollar Value of Cyber Incidents
The panel next discussed putting a dollar value on certain cyber incidents, which Rettas and Vescio both find valuable. They find that there are enough data points out there that allow for building distinct ranges. So for example, if an incident of similar type were going to happen to our organization, it could cost us somewhere between X and Y.
Vescio said that those who believe there isn’t enough data end up using it as an excuse to fall back on traditional metrics to try and build a subjective story versus an economics story on why something should be done inside an organization — again whether that’s patching or buying a new product, service, etc. Organizations can start classifying incidents in distinct categories. Ransomware would be a category, denial of service interruption would be a category, data breach, for example, could be another category. And for each of those, you could build out an understanding of what those impact amounts would be.
“Of course, each of those would have to have some sort of scale related to it, so if you're talking data breach, the volume of records and the type of records would relate to that scale, and you would have to consider that as a variable,” explained Vescio. “If you're talking about, say, something like denial of service interruption, then there's a time element that's a scale. You talking 30 minutes, one hour, four hours, eight hours, 24 hours? And as long as you put those corresponding variables into those categories, then George, directly to your point, you can build out a much better understanding of what those damages could look like at the end of day.”
Rettas responded, “I think you and I are in the minority when it comes to the industry as a whole … if I put us in the room with a bunch of people who are on the security and governance teams from each one of the, maybe the top 50 companies in the United States, I think you're going to get an opposite answer.”
While Vescio noted that CISOs are starting to shift their conversations to financial impact rather than gut feel, the shift is happening slowly. However, both agree that it will change the entire dynamic for today's CISO.
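Added example, not from the interview or from X-Analytics: a minimal model of the per-peril impact ranges, scale variables, annual expected loss, 1% comfort level and ROI comparison discussed above. Every frequency, unit cost, control cost and the revenue figure is a constructed assumption, and taking the midpoint of each range is a simplification.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Peril:
    name: str
    events_per_year: float  # assumed annual frequency
    unit_low: float         # low cost per scale unit, USD
    unit_high: float        # high cost per scale unit, USD
    scale: float            # records exposed, or hours of interruption

    def impact_range(self):
        """Damage from one event: 'somewhere between X and Y'."""
        return self.unit_low * self.scale, self.unit_high * self.scale

    def expected_annual_loss(self):
        low, high = self.impact_range()
        return self.events_per_year * (low + high) / 2  # midpoint of range

# Constructed figures, for illustration only.
PERILS = [
    Peril("data breach", 0.10, 100.0, 200.0, 500_000),       # per record
    Peril("denial of service", 2.0, 20_000.0, 60_000.0, 8),  # per hour
    Peril("ransomware", 0.25, 50_000.0, 150_000.0, 24),      # per hour
]
REVENUE = 800_000_000  # constructed annual revenue, USD

def annual_expected_loss(perils):
    return sum(p.expected_annual_loss() for p in perils)

def within_comfort(loss, revenue, threshold=0.01):  # ~1% of revenue
    return loss <= threshold * revenue

def adjust(perils, name, **changes):
    """Copy of the model with one peril's variables changed by a control."""
    return [replace(p, **changes) if p.name == name else p for p in perils]

def roi(loss_before, loss_after, annual_cost):
    """(loss avoided - cost) / cost; a negative value is upside-down."""
    return (loss_before - loss_after - annual_cost) / annual_cost

def evaluate():
    base = annual_expected_loss(PERILS)
    fewer_breaches = adjust(PERILS, "data breach", events_per_year=0.05)
    shorter_outages = adjust(PERILS, "denial of service", scale=4)
    return {
        "annual_expected_loss": base,
        "within_comfort": within_comfort(base, REVENUE),
        "roi_breach_control": roi(base, annual_expected_loss(fewer_breaches), 1_500_000),
        "roi_dos_control": roi(base, annual_expected_loss(shorter_outages), 1_000_000),
    }
```

With these constructed inputs the expected loss sits above the 1% comfort level, the breach control pays for itself, and the denial-of-service control shows an upside-down return.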
Pageler added, “One of the big changes at Carnegie Mellon is they're offering both a Chief Risk Officer and a Chief Information Security Officer. So I think what they're trying to do is really teach that as a separate subject as in quantifying risk, looking at like ISO27001, making sure you have robust risk registries. And I think what they're trying to do is make sure the CISOs are now speaking the same language as everybody else so when you do a return on security investment, sometimes the CFO doesn't understand it, and so what they're trying to do is make them more business aware ... the idea with the Chief Risk Officer, they're encouraging CISOs to report in to CROs, so you're taking a risk-based approach to everything.”
Pageler’s reason for the shift is his belief that what’s more important now is understanding budgets and the impact to all lines of business, and, even more, looking at a risk register and saying, “Okay, how do we quantify a cyber risk vs. a business risk vs. a physical security risk vs. whatever?” So they rank the risk. And then you can holistically look at the entire company and say, “All right, what is the cost of this?” instead of trying to say, “Here's my return on security investment for one thing. Here's the total budget we have. Here are our top risks to the company. Here's how all lines of business, everybody understands it. And here's who's going to pay for what and how we tackle it all together.” According to Pageler, “I think they're looking at it broader, more holistic. Not that they don't teach that part, it's just not as prevalent as it used to be.”
“If you think about it, the cyber insurance industry as a whole is already putting a dollar amount on cyber risk,” said Vescio. “And so whether their approach is right or wrong, they're already taking an attempt at putting an economic or a financial value on what an incident would cost.”
Cyber Economics To Transform Risk Management
Vescio brought up that the SEC put out some guidelines last year. Because they are branded as guidelines, they are optional, but there is an expectation attached. Those guidelines already reflect the shift to cyber economics: they ask organizations to understand, if they were to have an impact, what that impact would look like.
Additionally, if an incident were to happen (say, a data breach), organizations have a responsibility to tell their shareholders what those damages are, in things like quarterly earnings reports.
“So, I think the SEC is going to help with that shift based on those guidelines that they put out last year, and I would expect that as we continue down this journey and there's more and more publicly traded organizations get impacted by cyber incidents, the shareholders feel the brunt of that in some capacity potentially, right? That may force that shift to move a little bit faster than just say something that's just a cultural shift inside of organizations,” Vescio added.
As cyber economics becomes understood within organizations, decision-making is going to become more of an ROI (return on investment) approach, which is really where mature risk management lies. “I do think that organizations based on ROI analysis and ROI simulators are going to start to understand where remediation makes sense,” Vescio said. “Maybe you remediate certain vulnerabilities with certain assets, but not necessarily all assets. I think it's going to allow them to push back against certain regulation or compliance requirements, especially if they can prove back to the regulator or the auditor that certain controls just do not make sense for that particular organization and it does represent an upside-down return on investment.”
And then finally, Vescio does think it's going to also encourage growth in the separate insurance industry. “I think as we see that shift, more and more organizations are going to realize that they can get a better ROI, pennies on the dollar so to speak, by moving some of that risk via a transfer vs. remediation to things like cyber insurance policies. And obviously I know that there's some concerns there with the limits, but I think as those shifts start to occur in a greater population, then I think those limits are also going to open up to allow organizations to buy even bigger and bigger cyber insurance policies that can protect them for future catastrophic events down the road.”
The Data Behind Cyber Economics
Vescio next talked about X-Analytics, a cyber risk modeling method he developed. It allows organizations to understand cyber risk in traditional terms (like threat, impact, control effectiveness, inherent risk and residual risk), and it goes a step further by translating residual risk into financial outputs across five distinct cyber peril categories:
- Data breach
- Denial of service interruption
- Ransomware, which is a combination of the event, paying or not paying the ransom, and then, of course, the corresponding interruption.
- Misappropriation of intellectual property and trade secrets, and SWIFT banking fraud. All the talk about the Chinese and intellectual property falls into this category.
- Cyber physical. So that's where a cyber event would cause either property damage or human casualty of some type.
The tool is meant to put all of the information needed in one location to allow individual users to make an informed risk decision based on that information (without advising one way or the other).
Rettas commented that there’s very little consistency with cyber security metrics. So, he asked, “Do you recommend a way to organize this vast array of data that we have in cyber security as it's related to cyber economics and risk management?”
Vescio said, “I think the best way to start organizing data, and it's just my opinion, and I like it because it's an open enumeration structure, is VERIS. Anybody can go to VERIScommunity.net and look at the ... open the enumeration structure. But I think first and foremost, if you start with a public ... Well, I should say either a publicly available or accepted enumeration structure or taxonomy, then that's a great starting place.”
A common mistake organizations make is wanting to reinvent the wheel, said Vescio. They try to come up with a taxonomy or an enumeration structure that's specific to the organization, but as they start to blend with, say, third parties or regulators, there starts to be a lot of confusion about which terms mean what. “And that just creates a more cumbersome environment which, I think, gets into some of your earlier segments about that convergence, the ability of having those convergent models. If everyone's on a different taxonomy, getting to the place of convergence is going to be really, really difficult.”
The Value of Cyber Insurance To The Marketplace
Clearly organizations are experiencing very large cyber incident damages. As you look across the board, there was TNT which is now FedEx, Maersk, Equifax, etc. The idea there is that as those cyber damages are being realized, if they have the proper cyber insurance policy, they can offset those damages with that policy. “And I think that's good for the executives. I think that's good for the board. And ultimately I think that's good for the shareholder at the end of the day,” Vescio said.
Rettas asked, “So if you're a brand new CISO or a CRO of an organization, what do you think you should emphasize in your first board meeting considering that we're talking about how we prioritize risk, how we manage and measure risk, and especially if you're the CISO, or I should say, a CSO? So if you're in the security business, what do you think you should be saying, and how should you say it?” Vescio offered this advice:
- Go into the board with as much information collected as possible up to that board meeting. Even if preliminary, show what damages would be (somewhere between X and Y) if we were to have some sort of event (data breach, ransomware, etc.).
- Explain what expected loss would be on an annual basis due to a variety of cyber incidents that are guaranteed to take place.
- Level-set on that story from the very first board meeting, so you can talk about the things you’re going to play against those two distinct values.
- Either you're tuning your understanding, or you're transferring risk to insurance, or you're remediating, which improves that annual expected loss on an ongoing basis; but start with the financials.
At the end of the day, it’s impossible to eliminate risk. So, being able to explain that damage on day one, and tuning your understanding of that damage on an ongoing basis, “I think makes you look like a really, really informed CISO,” Vescio said.
Rettas closed out the episode by asking Vescio about future predictions: “As we're marching into the future here, what kind of cyber perils do you see as the most concerning for executives and boards and shareholders too, who I think really never think about cyber security?”
“Probably the two most important areas in cyber peril moving forward in terms of damages is interruption-based events and misappropriation of intellectual property,” Vescio closed.
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.