A Value-at-Risk Model for Cyber?
Yes, It Exists. And Watch Out for Fakes.
by Nick Sanna, CEO, RiskLens
From the $81 million sucked out of the central bank of Bangladesh in 2016 as a fraudulent funds transfer through the interbank SWIFT system, to the daily attempts to penetrate consumer-facing applications on bank websites with stolen user credentials, the banking industry knows that cyber-attacks pose a real risk, and cost, of doing business.
But while banks pay strict attention to value-at-risk (VaR) models to meet capital requirements for credit, operational and market risk, that level of discipline doesn’t often extend to the information security department. The conventional wisdom has been: You can’t quantify cyber risk in financial terms because it’s too complicated, too unpredictable, and we don’t have enough data to work with.
Without an estimate of the value at risk in cyber-attacks though, financial institutions or any type of organization can’t plan proportionate investments in cybersecurity or make informed purchases of cyber insurance. They also can’t meet the rising expectations of regulators that require cyber risk to be reported in financial terms: See the recent regulations and guidance documents from the New York Department of Financial Services and the U.S. Securities and Exchange Commission, and the proposed model for cyber risk analytics from the IMF.
Information security risk officers have come up with some clever workarounds. For the longest time, they have resorted to reporting on risk using vague, non-quantified output, often in the form of stoplight charts that show red, yellow, and green risk levels. Estimates of the probability of loss events and their impact were compiled from incomplete and flawed models and partial information, and were riddled with unfounded assumptions.
More recently, many financial services organizations have focused on maturity models: the more boxes you can check on a list of best practices, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and the better score you achieve on a scale of 1 to 5, the less risk you can assume you have. You still don’t know whether you have more value at risk from a fraudulent funds transfer or from a user-credential attack, but you are more “mature.”
Enter the marketers. In the past year, security software vendors have repackaged the maturity concept as “cyber risk exposure.” Combining an organization’s maturity score with scans for vulnerabilities (e.g., unpatched software) and evidence of threat activity, they put a number on your assumed level of risk and call it risk quantification. Another approach now on the market is a black-box model that translates a scorecard into dollar figures of implied risk. These are steps that seemingly move in the right direction but fail to deliver what the market really needs: true cyber risk quantification, meaning a probability distribution of loss in financial terms, with the inputs and assumptions open to inspection. As a result, forward-thinking bank management just isn’t buying these watered-down approaches, which fail to enable cost-effective decision making.
But there is hope. In the financial services industry, VaR modeling is a statistical methodology used to quantify the level of financial risk within a firm or investment portfolio over a specific time frame. Value-at-risk is measured in three variables:
- The amount of potential loss
- The probability of that amount of loss
- The time frame
New cyber VaR models have now emerged using probabilities to estimate likely losses from cyber threats during a given timeframe. A growing number of banks have adopted the Factor Analysis of Information Risk (FAIR) model for cyber value at risk developed by Jack Jones, a former chief information security officer at Huntington Bank. FAIR is an international standard maintained by the Open Group — far from a black box, its workings are documented for all to see. More than 3,500 risk management professionals belong to the FAIR Institute, the non-profit expert organization that promotes education on FAIR and sharing of best practices. FAIR is estimated to be in use at about 30% of the Fortune 100, including several of the largest banks in the world.
Cyber risk assessments performed with the FAIR standard allow risk analysts to make defined measurements of risk, be transparent about assumptions, inputs and outcomes, and show specific loss probabilities in financial terms (dollars and cents). Because much of a FAIR assessment is expressed in business and financial terms, executives, line-of-business managers, and other stakeholders can learn to speak the same language, participate in decisions about cyber investments, and define how much tolerance they have for particular forms of risk.
What is more useful in decision making? Knowing that you score a yellow, a 3.5, or knowing that there is a 10% probability that your bank can incur a loss of $95 million in the next 12 months due to fraudulent wire transfers? Knowing that 10 risk scenarios are marked as red, or understanding the probable amount of financial losses for each?
True cyber risk quantification enables a whole new class of decision-making. Organizations can not only understand the financial impact of their top cyber risks; they can also iterate those analyses to measure the effectiveness of security investments in terms of how much they reduce probable financial loss, prioritize them accordingly, and determine the right amount of spending.
This quantitative approach can reveal some counter-intuitive surprises. As mentioned earlier, a single customer-credential incident may cost far less than a single fraudulent SWIFT transfer. However, because credential attacks happen so much more often, their annualized loss may exceed that of the very low-frequency SWIFT fraud, which requires a very high level of sophistication to pull off. Annualized loss is frequency times magnitude, so neither factor alone tells you which scenario deserves the investment.
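To make the frequency-times-magnitude argument concrete, and to show what a statement like “a 10% probability of losing $95 million in 12 months” (a 90% VaR) looks like when it comes out of a model, here is an added example in Python. It is not RiskLens code and not a reference implementation of the FAIR standard; it is a minimal FAIR-style Monte Carlo that assumes a Poisson loss-event frequency and a lognormal per-event loss magnitude calibrated from an analyst’s 10th/90th-percentile estimates. The two scenarios and every dollar figure and frequency in them are constructed for illustration, not bank data.

```python
# FAIR-style Monte Carlo for annualized loss exposure (ALE) and cyber VaR.
# Added example with constructed inputs; not RiskLens or Open Group code.
import math
import random
from dataclasses import dataclass

Z90 = 1.2815515655446004  # standard-normal 90th percentile


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR terms: loss event frequency x loss magnitude."""
    name: str
    events_per_year: float  # loss event frequency, used as a Poisson mean
    loss_p10: float         # analyst's 10th percentile for a single loss event
    loss_p90: float         # analyst's 90th percentile for a single loss event

    def lognormal_params(self):
        """Fit a lognormal per-event loss whose P10/P90 match the calibrated range."""
        mu = (math.log(self.loss_p10) + math.log(self.loss_p90)) / 2
        sigma = (math.log(self.loss_p90) - math.log(self.loss_p10)) / (2 * Z90)
        return mu, sigma


def poisson(rng, lam):
    """Draw a Poisson count with mean lam (Knuth's method; fine for moderate lam)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario, years=10000, seed=7):
    """Return one simulated total loss per year, i.e. the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = scenario.lognormal_params()
    annual = []
    for _ in range(years):
        n_events = poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def value_at_risk(annual_losses, confidence):
    """Loss not exceeded in `confidence` of simulated years (empirical quantile)."""
    ordered = sorted(annual_losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def summarize(scenario, years=10000, seed=7):
    """ALE plus the 90% and 99% VaR for one scenario."""
    losses = simulate_annual_losses(scenario, years, seed)
    return {
        "name": scenario.name,
        "ale": sum(losses) / len(losses),  # annualized loss expectancy
        "var90": value_at_risk(losses, 0.90),
        "var99": value_at_risk(losses, 0.99),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


# Constructed scenarios (hypothetical numbers): a rare, large fraudulent interbank
# transfer versus frequent, small credential-stuffing account takeovers.
SWIFT_FRAUD = Scenario("fraudulent SWIFT transfer", events_per_year=0.05,
                       loss_p10=5_000_000, loss_p90=80_000_000)
CREDENTIAL_STUFFING = Scenario("credential-stuffing account takeover",
                               events_per_year=40, loss_p10=20_000, loss_p90=300_000)

if __name__ == "__main__":
    for scenario in (SWIFT_FRAUD, CREDENTIAL_STUFFING):
        r = summarize(scenario)
        print(f"{r['name']:<40} ALE ${r['ale']:>13,.0f}  "
              f"VaR90 ${r['var90']:>13,.0f}  VaR99 ${r['var99']:>13,.0f}  "
              f"P(any loss) {r['p_any_loss']:.1%}")
```

With these inputs the credential-stuffing scenario has roughly three times the annualized loss expectancy of the SWIFT scenario, which is the article’s point. The same run also shows the caveat that matters for reporting: the SWIFT scenario’s 90% VaR is zero, because a loss event occurs in fewer than 10% of simulated years, while its 99% VaR is several times larger than the credential scenario’s. A single percentile can therefore hide a catastrophic tail; report several percentiles or the full loss-exceedance curve, not one number. Two simplifications to be aware of: FAIR further decomposes loss event frequency into threat event frequency and vulnerability, and loss magnitude into primary and secondary loss, all of which this example collapses into a single calibrated input each; and practitioners commonly calibrate with min/most-likely/max (PERT-style) ranges rather than the P10/P90 lognormal fit used here.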
While the conventional wisdom may still claim that cyber risk quantification can’t be done, that’s not the direction that banking regulators are heading. The latest cybersecurity directives from the New York State Department of Financial Services (NYDFS) and the SEC demand periodic risk assessments based on clear criteria for evaluating cybersecurity risks and existing controls. Their message to banks and other financial institutions is clear: Follow a standard cyber value-at-risk model and report cyber risk in financial terms, or you’ll hear from us.
Nicola (Nick) Sanna is the CEO of RiskLens. He is a regular lecturer at universities across the US on the subject of social entrepreneurship and is an advisory board member of the business school at CUA.