Cyber risk models are powerful tools for guiding an organization's strategic cyber risk management and decisions through quantification. Before using a cyber risk model, organizations must first determine their use case for quantifying cyber risk and then select the corresponding data to generate the model parameters. In today's world, data is key to staying one step ahead, but which data is it?
To create a cyber risk model, the aim is to identify cyber risk drivers and then gather data to find the strongest correlation between the cause and the consequence of a cyber loss. The data helps translate the correlation between cause and consequence into model parameters, and it verifies and validates the assumptions made about the risk drivers.
By using high-quality data in the cyber risk model, accurate and reliable predictions can be made about an organization's current and future cyber risk profile. The quality of the outputs drawn from these models therefore depends on the quality of the input data as well as on the quality of the data used to generate the model parameters. By prioritizing high-quality data, organizations can achieve more accurate and meaningful risk quantification results.
What Data Is Typically Needed for Cyber Risk Models?
Cyber risk models require data on the company and on the cyber threat to estimate the impact of an incident on the organization. The data needed for any cyber risk model can be categorized into two components: company input data and cyber threat (model) data. The former establishes the unique susceptibility of the individual company to cyber risks and determines how well the company is protecting itself. The company input information thereby strongly determines what can cause a cyber loss. Cyber threat data, on the other hand, determines the current degree of cyber risk severity and frequency a company faces from the cyber threat landscape. Within the cyber threat data, the analyzed data on risk drivers and their degree of contribution to severity and frequency for specific companies come together, resulting in an estimate of the consequence of a cyber loss.
Company Input Data
Company input data needed for a cyber risk model includes the following:
- Exposure data: This data defines what is financially at stake for an individual company in the event of a cyber incident. It includes details on company assets, infrastructure, and business dependencies, helping to assess the organization's vulnerability to attacks. For instance, how many datasets a company holds strongly determines how susceptible the company is to a data breach. In other words, the more data a company has, the more financial risk it faces if a data breach occurs. The degree to which this causes a loss is then determined through cyber threat severity parameters.
- Information Security data: Provides insights on how well a company is protected against cyber threats. This encompasses an Information Security assessment of the company, which can be based on regulatory compliance, information security certifications, and other assessments on individual cybersecurity measures. Typically, an Information Security assessment is based on a standardized Information Security framework, such as NIST or ISO. In general, the more a company is exposed to cyber risks, the higher its Information Security standards need to be. For example, more data makes a company more vulnerable to a cyber incident. Hence, more advanced information security standards are needed to adequately protect the data from being breached.
In terms of cyber, the aim is to identify data that indicates the correlation between company characteristics and its Information Security on the one hand and the frequency or severity of a cyber incident on the other. A cyber incident can encompass different types of incidents, such as stolen data, an interrupted business, stolen money or another consequence. Each type of incident will have its unique risk drivers, which may stem from the company characteristics as well as from regulatory requirements or the cyber threat landscape. Once the correlations have been identified, the derived parameters are used in terms of severity and frequency to estimate the potential consequential risk.
Cyber Threat Data
To obtain a full view of the cyber risk of an organization, cyber risk models make use of a simulation, typically a Monte Carlo simulation, to estimate the severity distribution and the probability of occurrence of cyber incidents. To do so, cyber threat data is needed for both frequency and severity estimates, based on the current cyber threat landscape.
- Frequency data: This determines how frequently a company can expect to incur a loss due to a cyber incident. Based on recent incident trends and threat intelligence, estimates can be retrieved that indicate how often companies with a certain exposure profile will be the target of a cyber incident. Of course, this estimate will need individual adjustment based on further data on a company's exposure profile and information security maturity. For instance, companies in certain industries, such as military and critical infrastructure, currently receive more frequent, politically motivated attacks than other industries. In other words, certain exposure factors make a cyber incident more likely to occur. This being one factor, other contributing factors will increase or decrease the frequency, based on the individual exposure profile of a company.
- Severity data: If an incident does occur, the data on the distribution of losses, the severity, determines how much a cyber incident will cost. The distribution of losses can be retrieved through historical data on the impact of cyber incidents. Here too, the final severity of an incident is based on multiple factors of a company's exposure. For instance, the number of PII records a company holds is a strong determinant of the severity a potential data privacy breach will take. More records cause higher consequential costs, including notification costs, legal costs and other costs.
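The Monte Carlo approach described above, combining a frequency parameter (adjusted for exposure profile and security maturity) with a lognormal severity distribution scaled by the number of PII records, as an added example that is not part of the original post. The distribution choices, the multipliers, the closed-form check and all sample values are constructed assumptions, not Squalify's parameters or any real benchmark.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class CompanyProfile:
    """Company input data (exposure + Information Security); values are constructed."""
    pii_records: int            # exposure: records at stake in a data breach
    industry_multiplier: float  # frequency adjustment for the sector (>1 = attacked more often)
    security_maturity: float    # 0.0 (no controls) .. 1.0 (mature), from an InfoSec assessment

@dataclass
class ThreatParameters:
    """Cyber threat data: frequency and severity parameters (constructed, not real benchmarks)."""
    base_frequency: float          # expected incidents/year for the reference exposure profile
    cost_per_record: float         # median loss per breached record (notification, legal, ...)
    severity_sigma: float          # lognormal dispersion of the loss around its median
    max_security_reduction: float  # share of the frequency removed by fully mature security

def adjusted_frequency(company, threat):
    """Frequency parameter: base rate scaled by exposure, reduced by security maturity."""
    return (threat.base_frequency * company.industry_multiplier
            * (1.0 - threat.max_security_reduction * company.security_maturity))

def analytic_expected_loss(company, threat):
    """Closed-form expected annual loss of the compound Poisson-lognormal model (sanity check)."""
    median = threat.cost_per_record * company.pii_records
    return adjusted_frequency(company, threat) * median * math.exp(threat.severity_sigma ** 2 / 2)

def poisson(lam, rng):
    """Incident count for one year via Knuth's method (fine for small yearly rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_loss(company, threat, years=10000, seed=0):
    """Monte Carlo: per simulated year draw the incident count (frequency) and a lognormal
    loss per incident (severity), then summarise the resulting annual loss distribution."""
    rng = random.Random(seed)
    lam = adjusted_frequency(company, threat)
    mu = math.log(threat.cost_per_record * company.pii_records)  # lognormal median = exp(mu)
    losses = sorted(sum(rng.lognormvariate(mu, threat.severity_sigma)
                        for _ in range(poisson(lam, rng))) for _ in range(years))
    return {"expected_annual_loss": sum(losses) / years,
            "p95": losses[int(0.95 * years)],
            "p_any_incident": sum(1 for x in losses if x > 0) / years}
```

Comparing the simulated expected annual loss with `analytic_expected_loss` is the check a practitioner should run before trusting the simulation; the 95th percentile is what the Monte Carlo adds beyond the closed form.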
Challenges in Collecting High-Quality Data
Gathering high-quality data for both company-specific inputs and cyber threat intelligence can be challenging, particularly when one is uncertain about what to look for and where to find it. When building a cyber risk model solely based on internal corporate data, identifying the full scope of potential risk drivers, company characteristics, and other relevant factors can be difficult. This approach may introduce biases and limit the accuracy of the model.
Key challenges include:
- Data Availability – Access to the right data is crucial for estimating the frequency and severity of cyber incidents. However, this often requires more than just internal company data. Organizations must rely on external reports, historical records, publicly known cases or industry benchmarks. When data is scarce, companies are forced to rely on broad assumptions, which can weaken the accuracy of risk assessments.
- Cognitive Bias – A company’s internal subjective perspective is often more optimistic than an external view. Confidence in operations and security measures may lead to an underestimation of risks. This can result in an assessment that rates severity and frequency of incidents lower than industry benchmarks, introducing bias into the model. Hence, ensuring the completeness and accuracy of data while minimizing subjective bias is a major challenge.
- Tunnel Vision – Focusing solely on internal data can create a narrow perspective on potential cyber threats. Important correlations may be overlooked, and the impact of cyber incidents can be underestimated, especially if they extend beyond the organization's direct experience. Using only one's own data also limits modelling to what has been experienced within the company or what is expected, failing to consider unknown risks that may exist in the cyber threat landscape. Without considering the broader cyber risk landscape, key threats and risk drivers may go unnoticed.
- High maintenance – Due to a changing threat landscape and new protection techniques, a model based on one's own parameters requires a large amount of resources. These are needed to constantly translate the changes in the correlations between causes and consequences into accurate frequency and severity parameters.
Final Words
In essence, when generating parameters based on one's own experience and own data, there is a high potential to miss unknown risks, introduce bias and capture only a snapshot of the entire cyber risk. A well-structured, pre-parametrized cyber risk model can help avoid biases and strengthen accurate risk evaluation. Leveraging a broad spectrum of data sources enhances transparency and provides a more comprehensive view of an organization's cyber risk exposure. However, obtaining and maintaining reliable, high-quality threat intelligence remains a significant challenge.
Making use of pre-parametrized models such as Squalify solves the challenge of having to obtain data oneself to draw conclusions on cyber threat correlations. Squalify incorporates predefined frequency and severity parameters based on data sources spanning insurance losses, in-house and outside expertise and expert knowledge. Additionally, rather than relying on subjective estimations for parameters, data is collected through structured interviews with a variety of subject matter experts, ensuring consistency and accuracy.
Ultimately, achieving high-quality cyber risk quantification depends on using accurate, well-structured, industry-wide and cross-regional data on cyber risk to generate the best cyber threat parameters that connect cyber risk causes with consequential losses. Organizations looking for reliable outputs should prioritize data-driven approaches, leveraging cyber knowledge and structured methodologies to generate well-informed parameters that contain the best estimates of cyber risk.