Measures and methods widely used in the financial services industry to value and quantify risk could be used by organizations to better quantify cyber risks, according to a new framework and report unveiled at the World Economic Forum annual meeting.
The framework, called “cyber value-at-risk” requires companies to understand key cyber risks and the dependencies between them. It will also help them establish how much of their value they could protect if they were victims of a data breach and for how long they can ensure their cyber protection.
The purpose of the cyber value-at-risk approach is to help organizations make better decisions about investments in cyber security, develop comprehensive risk management strategies and help stimulate the development of global risk transfer markets.
Among the key questions addressed by the cyber value-at-risk model concept are: how vulnerable are organizations to cyberthreats? how valuable are the key assets at stake? and, who might be targeting them?
The proposed framework is part of a new report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats, that was created in collaboration with Deloitte and the input of 50 leading organizations around the world.
As the report states:
One potential option, it suggests, is to link corporate enterprise risk management models to perspectives and methods for valuing and quantifying “probability of loss” common to capital adequacy assessment exercises in the financial services industry, such as Solvency II, Basel III, albeit customized to recognize cyber resilience as a distinct phenomenon.
The report points out that the goal is not to provide a single model for quantifying risk. Indeed for cyber resilience assurance to be effective, it says participants need to make a concerted effort to develop and validate a shared, standardized cyber threat quantification framework that incorporates diverse but overlapping approaches to modeling cyber risk:
Leave a Reply