Unpredictability of cyber risks

Is it possible to quantify cyber risk using prepared scenarios?

Risk management still holds one old truth - you can never reach zero risk.
In a world of scarce resources, there are always compromises: how much we can invest here and how much there, how much you tolerate the risk and how much we can mitigate or insure.

To answer these questions, it is necessary to quantify the risk - to estimate how likely the outcome will be and what is even more important, what the costs will be; translating complex real situations into financial indicators can enable rational decision-making, all of which is essential for effective risk management.

Organizations understand this paradigm. Businesses, especially those in the area of ​​financial services, are built on the basis of regular risk assessment and comparison. If you are talking to risk managers today, everyone says: "Cyber risk is one of our biggest problems, we have experts who understand our systems and our data and try to protect our organization."

By Patrik Kowacs

This insight first appeared in  Contigen 

AUTHORS

To be able to fully understand and quantify cyber-related risks, we must first understand the technical and non-technical aspects of cyber-attacks.

We think the most common misconception about cyber-related risks and cyber attacks is the perception that these attacks are purely technical - that machines are attacking machines. In practice, attackers rely heavily on people's behavior, policy setting and way of managing society - people who attack people. Even a well-protected server is unlikely to succeed when faced with a sustained effort by the employee to break his protection and subsequent penetration. Often, the security directors end the discussion with the statement: "As for the qualification of cyber-risk, we are like in the dark, we do not have clear data on its possible occurrence, we can not manage it properly because we can not measure it. That's why we do not even know how to invest properly to mitigate it".

It is clear that the identification and quantification of cyber risks differs from the quantification of "financial" risks (such as credit, markets, etc.) and offers some unique challenges - notably the lack of data and speed that future attackers discover new vulnerabilities and invent new ways how to exploit these vulnerabilities. Therefore, in order to be able to fully understand and quantify cyber-related risks, we must first understand the technical and non-technical aspects of the attacks