By Denson Todd, Director of Cyber Risk Services
Vizzini: “He didn’t fall? Inconceivable!”
Inigo Montoya: “You keep using that word. I don’t think it means what you think it means.”
– The Princess Bride
There have been many professional conversations with peers and clients in which I have heard the word “Inconceivable!”: “The ‘Inconceivable!’ to the business has been reduced because our firewalls blocked X packets this month.” “Because we closed X change tickets this month, our ‘Inconceivable!’ is lower.” I visualize the line from “The Princess Bride” scrolling above these conversations: “You keep using that word. I don’t think it means what you think it means.”
Why do we keep acting as if business risk is solved through technology and operations alone? Why do we think that firewall packets blocked and tickets resolved inform business decision making? As cyber risk professionals, like Vizzini, our perception can be overly focused on our own understanding of ‘risk’, and we will lead with our line whether or not it fits the conversation.
It is absolutely critical as cyber risk professionals that we all understand and use the same language. As such, I wanted to provide a quick primer on the words we use to describe the new world of cyber risk.
What is Applied Cyber Economics? Applied Cyber Economics is the practical application of quantitative risk measurement, and of the economic principles of probability and cost, to real-world cyber risk, with the aim of predicting potential outcomes.
What is Cyber Risk Expected Loss? Within Applied Cyber Economics, Cyber Risk Expected Loss is a combination of cyber risk probability and impact. This value sets a meaningful baseline, regulates attention to the problem, and speaks at all levels within the organization. This value represents operational metrics and risk assessment activities in one value. That value can be used to minimize hype, set priorities, rationalize risk transfer and acceptance, and determine ROI.
What is Cyber Risk Expected Loss Tolerance? Based on financial performance targets (especially margin), what is an organization willing to accept as its annual expected loss value? This is the target expected loss, and it represents your organizational risk tolerance. Target Cyber Risk Expected Loss and risk tolerance are translated into an organization’s Cyber Risk Expected Loss Tolerance. All metrics and planning should filter through the lens of your Expected Loss Tolerance. The board should ask:
- Does this remediation plan align with our Expected Loss Tolerance?
- Does the ROI on this project exceed our Expected Loss Tolerance?
- Is our current Expected Loss under or over our Expected Loss Tolerance?
What is Cyber Peril? Cyber Peril refers to the inherent exposure to cyber risk as it relates to specific cyber incident or attack patterns. Cyber Peril could include:
- Data Breach
- Business Interruption
- Misappropriation of IP (espionage)
- Cyber-physical (property damage and casualty from cyber)
What is a Risk Transfer Zone? Based on the quantification of Threat, Impact, and Control Effectiveness and on the probability of each Cyber Peril, a Risk Transfer Zone represents the delineation among risk remediation, risk transfer, and risk acceptance. Understanding the Risk Transfer Zone allows for informed decision making when deciding whether the Cyber Risk Expected Loss at a particular Cyber Peril probability makes sense to transfer to a third party or a cyber insurance policy, to address by implementing remediation controls, or to accept.
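As an added illustration (example code, not the author’s own model), the following Python snippet ties the definitions above together: it computes Cyber Risk Expected Loss per Cyber Peril as probability times impact, sums it for comparison against an Expected Loss Tolerance, works out the ROI of a remediation control, and sorts each peril into a Risk Transfer Zone. The perils, probabilities, dollar impacts, tolerance, control cost, and zone thresholds are all constructed assumptions; the zone heuristic (accept when expected loss is small, transfer low-probability/high-impact perils whose single-event impact exceeds what the organization can retain, remediate the rest) is one common reading of the delineation described here, not a rule the post itself states.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Peril:
    """One Cyber Peril with its annual probability and single-event impact."""
    name: str
    annual_probability: float  # P(peril occurs within one year)
    impact_usd: float          # loss if it occurs, in dollars


def expected_loss(peril: Peril) -> float:
    """Cyber Risk Expected Loss for one peril: probability x impact."""
    return peril.annual_probability * peril.impact_usd


def total_expected_loss(perils: List[Peril]) -> float:
    """Organization-wide annual Cyber Risk Expected Loss across all perils."""
    return sum(expected_loss(p) for p in perils)


def within_tolerance(perils: List[Peril], tolerance_usd: float) -> bool:
    """Board question: is current Expected Loss under our Expected Loss Tolerance?"""
    return total_expected_loss(perils) <= tolerance_usd


def remediation_roi(before: Peril, after: Peril, annual_control_cost_usd: float) -> float:
    """ROI of a control: (reduction in expected loss - annual cost) / annual cost.

    'after' is the same peril re-estimated with the control in place (assumed).
    """
    reduction = expected_loss(before) - expected_loss(after)
    return (reduction - annual_control_cost_usd) / annual_control_cost_usd


def risk_transfer_zone(peril: Peril, accept_below_usd: float, retention_limit_usd: float) -> str:
    """Assumed heuristic for the Risk Transfer Zone (not a rule from the post):

    - 'accept'    when expected loss is below the accept threshold
    - 'transfer'  when one occurrence would exceed what the organization can
                  retain (low probability, high impact -> insurance / third party)
    - 'remediate' otherwise (frequent enough that controls pay for themselves)
    """
    if expected_loss(peril) < accept_below_usd:
        return "accept"
    if peril.impact_usd > retention_limit_usd:
        return "transfer"
    return "remediate"


# Constructed sample estimates; the figures are illustrative, not real data.
SAMPLE_PERILS = [
    Peril("Data Breach", 0.10, 5_000_000),
    Peril("Business Interruption", 0.30, 400_000),
    Peril("Misappropriation of IP", 0.02, 20_000_000),
    Peril("Cyber-physical", 0.005, 2_000_000),
]
TOLERANCE_USD = 1_200_000          # assumed Expected Loss Tolerance
ACCEPT_BELOW_USD = 50_000          # assumed 'too small to bother' threshold
RETENTION_LIMIT_USD = 10_000_000   # assumed largest single loss retainable


if __name__ == "__main__":
    for p in SAMPLE_PERILS:
        zone = risk_transfer_zone(p, ACCEPT_BELOW_USD, RETENTION_LIMIT_USD)
        print(f"{p.name:24s} EL=${expected_loss(p):>12,.0f}  zone={zone}")
    print(f"Total expected loss: ${total_expected_loss(SAMPLE_PERILS):,.0f} "
          f"(tolerance ${TOLERANCE_USD:,}; within={within_tolerance(SAMPLE_PERILS, TOLERANCE_USD)})")
    # Assumed control: cuts breach probability from 10% to 4% for $100k/year.
    breach_after = Peril("Data Breach (controlled)", 0.04, 5_000_000)
    print(f"Breach control ROI: {remediation_roi(SAMPLE_PERILS[0], breach_after, 100_000):.1f}x")
```

The useful habit here is that every number the board sees is expressed in dollars of expected loss and compared with a single tolerance figure, so a remediation plan, an insurance decision, and a decision to accept a residual risk can all be argued in the same units.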
Cyber risk has become a business risk. The conversation must evolve to represent operational security and cyber risk as business risk in economic terms. Paraphrasing Vizzini, let’s not fall “victim to one of the classic blunders – the most famous of which is never get involved in a land war in Asia” but only slightly less well-known is this: “Never go in against a boardroom with security metrics when business risk is on the line!” Let’s not be Vizzini. Let’s be willing to accept when something doesn’t fit and adapt the way we communicate.