Cyber Risk Quantification to Improve Security Effectiveness
Getting budget for cybersecurity tools is one of the most significant challenges many CISOs face. Adding defenses is difficult at best when many other senior leaders view cybersecurity as a cost center and a checkbox exercise. If they’ve never experienced a cyber attack, it’s easy for financial leaders and others to say that basic security like multi-factor authentication and firewalls is good enough, and to question why it’s worth spending money on a new tool.
The practice of cyber risk quantification can help make this argument. Cyber risk quantification uses traditional risk modeling techniques to attach dollar amounts to the risk of a cyberattack. Expressing that risk in dollars empowers CISOs to shift the discussion into a language that financial leaders are experienced in.
Translating cyber risks into financial terms includes discussing the knock-on impacts of a cyber attack beyond the immediate recovery cost: lost revenue, lost reputation, and lost staff time from interrupted daily work. Direct recovery costs from a cybersecurity incident were $4.45 million in 2023, according to IBM, and could go higher this year. While this direct cost is far from trivial, the ancillary costs can be substantially higher.
Driving cybersecurity investment to improve overall defensive posture means that security leaders need to speak the language of return on investment (ROI) and cost savings. CFOs and other financial leaders think concretely in these terms rather than in terms of defending against theoretical cyberattacks.
Prove ROI with Cyber Risk Quantification
Determining return on investment is complicated with cybersecurity technology. Tools designed to defend against attack don’t often come with easy ways to show they drive more revenue. Quantifying cyber risks solves this challenge. One of the most efficient ways to do this is through using lookalike attacks. A hospital with 2,000 beds, for example, could examine the consequences of a cyber attack on a hospital of a similar size for insight into potential risk in the same situation.
One of the simplest calculations is to take annual revenue and divide it by 365 to get the average daily revenue. That daily figure is what the organization could potentially lose for each day its systems are down in a ransomware attack. One of the most effective lookalikes for this exercise is the Colonial Pipeline attack of 2021. Colonial was unable to conduct regular business operations for some time after the attack. Although the ransom itself cost $4.43 million, the lost revenue during that outage, based on estimated annual revenue of $500 million, was even higher.
Cybersecurity leaders looking for ways to shift the discussion of defensive solutions from a cost center to one of revenue generation or revenue protection would do well to use examples like Colonial and even Merck’s experience from its 2017 NotPetya attack. Merck’s recovery ended up costing around $300 million when it was all over and the company was able to resume normal business operations.
Quantifying what a potential cybersecurity incident could look like from a lost revenue perspective can empower cybersecurity leaders to make that revenue protection argument more concretely. This then shifts the budget conversation for additional investment into risk mitigation territory, which is something that financial professionals are more comfortable with. It’s no guarantee that further investment will get approved, but this shift at least provides a way for cybersecurity leaders to talk to business leaders with a shared vocabulary.
Cyber Risk Quantification Could Shift Organizational Culture
Financial leaders often struggle with funding new cyber defenses because their primary goals are saving money or growing revenue. They view cybersecurity tooling through the lens of spending, which needs to be limited at a business that may operate on only a 2% to 3% margin. From that perspective, there needs to be a better way to communicate the value of investing in new defensive technology.
There’s often a “Goldilocks” zone of sorts with regard to cybersecurity investment. Deploying every available tool does not necessarily improve defense. Quantifying cyber risk can help ensure that the right tools are chosen for real improvements in defense. It can also help security teams show the CFO how deploying particular cyber tools reduces the risk of an attack occurring.
Ultimately, the goal is to preserve revenue and ensure the company is more resilient. Convincing the CFO of the financial wisdom of making this investment is where the challenge lies.
Make the Most Cost-Effective Security Choices
Cost-effective security practice has a few key steps. First, security teams need to understand the full scope of their network-accessible assets. This includes integrating an asset discovery system, such as the one in the Asimily platform, to build a full inventory of their internet-facing assets. This empowers organizations to create a baseline for understanding the full scope of their potential attack surface. It’s especially important given the increase in shadow IT and shadow Internet of Things (IoT) devices, which are software and hardware deployed outside the knowledge of the IT and security teams. Asset discovery solutions ensure that security professionals get the full scope of what they’re trying to protect.
Next, organizations need to understand the vulnerabilities of their discovered devices. Knowing which vulnerabilities exist in the network-accessible architecture, as well as their relative severity, enables IT and security teams to prioritize the patches to deploy first. As part of this, organizations need to understand things like device type, capabilities, traffic flow within the corporate network, and any mitigations already deployed. A vulnerability on a device that’s segmented away from the rest of the network may not have the same impact on business operations as something that’s on a flat, highly connected network.
If security teams can identify the riskiest assets, they can reduce the risk of a cyber attack succeeding. This saves money in the long run should an attacker ever target the organization for any reason. Given that there’s no telling when an attack will occur, this is also a cost-effective way to protect critical systems without spending too much budget.
Lastly, streamlining data capture to ensure that forensic data is available for the next incident under investigation can result in cost savings. By making data capture centrally available for any device on a network – IoT, IIoT, OT, or IT – the expensive front-end recording of anomalous network traffic can be reduced significantly.
Final Thoughts
Cybersecurity teams need to shift the perception of their function from a cost center to one of revenue protection or even growth. Many products, like Asimily, have reports built with boards in mind, to help show regular improvements even when there isn’t a breach on the agenda. The process of quantifying cyber risks can help make this argument, enabling cybersecurity teams to easily communicate the business value of more investment in defensive tools. This will become more necessary in the future, especially as the cybersecurity landscape becomes far more complicated. Ultimately, security teams need to work with the financial team to get a budget and improve their defenses in the most cost-effective way possible.