by Bret Bergman
Contributing Editor

Take the plunge, it’s worth it…the real value in quantifying cyber risk.

Most industrial clients understand the need to take a risk-based approach to cybersecurity. Many of them have already been through this journey with physical security. I’ve seen HIRAs (Hazard Identification & Risk Assessment) evolve to quantify the risk of physical operating and maintenance activities by applying a “RISK = Probability of Impact x Severity of Impact” formula and assigning a score. These scores are then aggregated to provide a clear, quantified assessment of the risk inherent in a given operating environment.

I’m sure readers of this blog recognize this as a slightly modified version of the FAIR model for quantifying cyber risk, which calculates RISK as “Cyber Loss Event Frequency x Cyber Event Loss Magnitude.” I’m in the process of helping several clients quantify cyber risk for the first time. Inevitably, one of the pushbacks is that we’ll never get executives to agree on the numbers we assign to risk. Granted, it’s not easy, but the real value is in the journey.

In the recent Dark Reading article “Quantifying Cyber Risk: Why You Must & Where to Start – Quantifying cybersecurity risks can be a critical step in understanding those risks and getting executive support to address them” by Curtis Franklin, the point is made that having a risk framework makes it much easier to have the discussion and to enlist executives’ support for the initiatives required to address that risk.

I encourage everyone to read the article and then have the courage to start quantifying cyber risk. It’s hard, but it’s not the number that matters, it’s the discussion you have on the way to getting there…sometimes the juice is indeed worth the squeeze.
