Enterprise Risk Management and Cybersecurity
Enterprise risk management (ERM) is the process of identifying, assessing, and managing an organization’s risks. It includes the identification of events that could negatively impact the organization and its strategic objectives, and the response to those events.
ERM is a systematic and disciplined process for identifying, assessing, and managing risks to an organization’s objectives. The goal of ERM is to protect the organization’s capital, its ability to execute its strategy, and its long-term viability. ERM typically involves the identification of risk events (e.g., natural disasters, financial crises), the assessment of how likely these events are to occur and their potential impact on the organization, and the implementation of risk mitigation strategies.
Risks can be identified from a variety of sources, including a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) as well as external sources such as suppliers, customers, business partners, financial markets, governments, and other stakeholders. While some risks are specific to particular businesses or industries, others, such as cyber risks, are inherent in carrying out almost any activity.
There is no single blueprint for managing enterprise risks; each organization must tailor its approach based on its unique circumstances.
An enterprise risk management (ERM) framework should provide a comprehensive view of all risks an organization faces, including those related to cybersecurity. A cyber incident could result in reputational damage, financial losses, competitive disadvantages, or operational disruptions. The potential impact of a cyber incident is often magnified by the increased interconnectivity of people and organizations and the reliance on technology.
In order to manage cyber risk effectively, organizations need to have a clear understanding of their vulnerabilities and the threats they face. They also need to put in place robust processes and controls to detect, prevent, and respond to attempted or successful attacks. The goal of an ERM framework is to help organizations take the right measures, balancing security, budget and risk appetite. In finance, risk appetite is the amount of risk an individual is willing to take when making investment decisions. For example, an investor with a high risk appetite might be willing to invest in stocks that have a higher potential for return but also a higher potential for loss, while an investor with a low risk appetite might be more likely to invest in safer, less volatile securities such as bonds or money market funds.
In the context of finance and investment, risk appetite is the amount of risk that an investor or fund is willing to take on. It’s usually measured by how much money an investor is willing to lose on a single investment. Your risk appetite is how much risk you’re willing to take on in order to achieve your desired level of reward. So, for example, if you’re looking to make a lot of money quickly, you’ll likely have a higher risk appetite than someone who’s looking to preserve their capital and generate steady returns over time.
In the context of cyber security, risk appetite is your organization’s willingness to take on risk in order to achieve its objectives. This can include things like accepting a higher level of vulnerability in order to speed up time-to-market, or being more aggressive in pursuing new opportunities. An organization with a high risk appetite might be more likely to accept less-than-perfect security measures in order to get its business up and running quickly, while one with a low risk appetite might want to take extra precautions.
Your risk appetite will dictate how much protection you’re willing to put in place to guard against data breaches, system failures, and other online threats.
Building a Cyber Resilient Business: The cyber handbook for non-cyber executives
Is it difficult to calculate risk appetite in cybersecurity?
There is no one-size-fits-all answer to this question. Every organization’s risk appetite for cybersecurity will be different, depending on factors such as the industry they are in, the size of their organization, and the type of data they store.
However, there are a few key things that organizations should take into account when calculating their risk appetite for cybersecurity. One important factor is how much money an organization is willing to lose if their data is stolen or compromised. Another factor is how much damage an attack could cause to the reputation of the organization. And finally, organizations should also consider the likelihood of an attack happening, and what measures they have in place to reduce that risk.
So, how can an organization estimate their financial losses following a cyber attack or a system failure?
Evaluating the financial losses following a cyber attack can be tricky. Estimates can vary based on the type and severity of the attack, as well as how prepared the organization was in terms of cyber security. For example, if an attacker manages to breach a company’s systems and encrypt all of their data, the ransom demand could be in the millions. However, if that same organization had proper backups and disaster recovery plans in place, they would only be looking at a fraction of that cost.
There are numerous factors to consider when estimating financial losses from a cyber attack. The most important factor is often the type of attack that was carried out. Three common ways to produce an estimate exist. One is to use historical data to calculate the average cost of a data breach. A second is to use industry averages for the costs of various types of cyber attacks. A third is to use risk assessment tools to help identify which systems and data would be most at risk if they were attacked.
Each of these methods has its own advantages and disadvantages, so it’s important to choose the one that best fits the needs of the organization.
In addition, it’s also important to keep in mind that these estimates are just that — estimates — and that the actual costs may be higher or lower than what is predicted.
The Ponemon Institute’s 2017 Cost of Data Breach Study found that the global average cost of a data breach is $3.62 million. This number can vary greatly depending on the size of the organization, the type of data that was compromised, how the breach was discovered and how it was addressed. For example, if the data breach is not detected for a long time, it will be more expensive to remediate because the company will have to address a larger number of compromised records.
Organizations need to take into account both their direct costs (e.g., forensic investigations, notification costs, credit monitoring for customers) and indirect costs (e.g., loss of business, impact on stock prices). This is where quantification is a good starting point.
Quantification in risk is the process of measuring and assessing risk. In the context of cyber security, quantifying risk means estimating the likelihood and severity of potential cyber attacks. This information can be used to make informed decisions about how best to protect your organization’s data and systems.
Cyber risk quantification provides numerous benefits for businesses, including the ability to better assess and manage cyber risks, identify cost-effective cybersecurity controls, and allocate resources more effectively. By understanding the potential impact of various cyber attacks, businesses can make informed decisions about which risks to take on and how best to protect themselves against them. Additionally, cyber risk quantification can help organizations prioritize their cybersecurity investments based on the identified risks. This ultimately leads to a stronger and more effective cybersecurity posture.
There are a variety of methods that businesses can use to quantify cyber risk. One popular method is quantitative assessment, which relies on statistical data and modeling techniques to identify potential threats and quantify their impacts. Quantitative assessment is the process of measuring something to obtain a numerical result. In cyber security, quantitative assessment is used to measure the effectiveness of security controls and to identify areas where improvements can be made. There are two main types of quantitative assessment: performance measurement and vulnerability assessment. Performance measurement assesses how well a security control is functioning and how it compares to other controls. It can be used to identify which controls are most effective and which need improvement. Vulnerability assessment assesses the susceptibility of systems, networks, or devices to potential threats. It can be used to identify areas where security needs to be improved.
The goal of quantitative assessment is to obtain accurate and objective data that can be used to make decisions about cyber risk.
When it comes to quantitative assessment, the FAIR framework is a great place to start. This framework provides a structure for thinking about and quantifying risk in order to make informed decisions. FAIR stands for Factor Analysis of Information Risk, and it has been adopted by organizations around the world.
At its core, the FAIR framework helps you answer three key questions:
1. What could happen? (threat scenarios)
2. How likely is it to happen? (probability)
3. What would be the impact if it did happen? (severity)
The FAIR framework provides a systematic way to think about cyber security and helps ensure that all assets are accounted for and that countermeasures are implemented in a consistent manner.
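A FAIR-style worked example, added here and not part of the article or of the FAIR standard itself: it answers the three questions above numerically for the ransomware scenario mentioned earlier in the post, keeps direct and indirect costs separate as the post recommends, and compares two candidate controls by their net annual benefit. Every frequency, cost range and control effect is a constructed placeholder, and the Monte Carlo simulation with triangular cost distributions is an assumption of this example, not FAIR's prescribed calculation.

```python
import math
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:            # one FAIR-style loss scenario; all figures are constructed placeholders
    tef: float             # Threat Event Frequency: attack attempts per year
    vulnerability: float   # probability an attempt becomes a loss event (0..1)
    direct: tuple          # (min, mode, max) direct cost per event: forensics, notification
    indirect: tuple        # (min, mode, max) indirect cost per event: lost business, share price

@dataclass(frozen=True)
class Control:
    annual_cost: float
    vuln_factor: float = 1.0      # multiplier on vulnerability (patching: fewer attempts succeed)
    indirect_factor: float = 1.0  # multiplier on indirect cost (tested backups: shorter outage)

def expected_annual_loss(s):
    """Closed-form ALE = LEF (tef * vulnerability) * mean LM; triangular mean = (min+mode+max)/3."""
    return s.tef * s.vulnerability * (sum(s.direct) + sum(s.indirect)) / 3.0

def simulate(s, years=10000, seed=42):
    """Monte Carlo: (mean annual loss, 95th-percentile annual loss, P(at least one loss in a year))."""
    rng, annual = random.Random(seed), []
    for _ in range(years):
        k, p, limit = 0, rng.random(), math.exp(-s.tef)  # Poisson(tef) event count, Knuth's method
        while p > limit:
            k, p = k + 1, p * rng.random()
        total = 0.0
        for _ in range(k):
            if rng.random() < s.vulnerability:  # the attempt succeeds: a loss event occurs
                # random.triangular takes (low, high, mode), so reorder the (min, mode, max) tuple
                total += sum(rng.triangular(t[0], t[2], t[1]) for t in (s.direct, s.indirect))
        annual.append(total)
    annual.sort()
    return sum(annual) / years, annual[int(0.95 * years) - 1], sum(a > 0 for a in annual) / years

def with_control(s, c):
    return replace(s, vulnerability=s.vulnerability * c.vuln_factor,
                   indirect=tuple(x * c.indirect_factor for x in s.indirect))

def net_benefit(s, c):
    """ALE reduction minus the control's own cost; positive means the control pays for itself."""
    return expected_annual_loss(s) - expected_annual_loss(with_control(s, c)) - c.annual_cost

# Constructed scenario based on the article's ransomware example, evaluated with two candidate controls.
RANSOMWARE = Scenario(tef=4.0, vulnerability=0.25, direct=(50_000, 150_000, 400_000),
                      indirect=(20_000, 100_000, 600_000))
BACKUPS = Control(annual_cost=60_000, indirect_factor=0.3)   # tested offline backups + DR plan
PATCHING = Control(annual_cost=90_000, vuln_factor=0.5)      # patch and hardening programme
```

The closed-form ALE is the number most boards ask for; the simulated 95th percentile shows the tail a low risk appetite should be budgeting against, and the net benefit figures are what lets you rank controls against each other.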
In conclusion, quantification is a powerful tool, empowering CISOs with the right data to help shareholders make the right decisions. Qualitative methods are subjective and do not support this process efficiently. Start by identifying your assets. What do you want to protect? Second, assess the risk to each asset. How likely is it that each asset will be compromised, and what are the potential consequences if it is? Third, implement appropriate countermeasures. What can you do to reduce the risk to each asset? Fourth, repeat this process on a regular basis. Keep track of changes in your environment and revise your risk assessment as necessary.
There is no single silver bullet for mitigating cyber risk, but a variety of strategies can be used to reduce your exposure to attacks regardless of your risk appetite and risk assessment. These include:
- Implementing strong security controls, such as firewalls, intrusion detection/prevention systems, and anti-virus software, while planning for the possibility that those controls fail
- Conducting regular vulnerability assessments and penetration tests, and remediating the exploitable vulnerabilities they find
- Training employees on safe online practices
- Establishing policies and procedures for responding to incidents, as 100% security does not exist
By Magda Chelly
Chief Security Officer | TEDx Talk | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)