Risk Management: How Security Can Learn to Do the Math

Risk Management: How Security Can Learn to Do the Math

Risk management is an important element in using data to get ahead of cybersecurity risks before they happen. The costs of protecting an enterprise of any size against cyber attacks continue to rise. Once a business truly understands the consequences of an incident, its leaders must decide how to manage the risk. They can choose to accept, reduce or avoid the risk. But whichever choice they make involves costs of some sort.

Board members and senior executives are acutely aware and educated about the impact of cybercrime. At best, they can ask challenging questions of cybersecurity leaders to quantify the business risk and associated costs. Questions they may ask include:

How do we know if we are investing appropriately or proportionally in cybersecurity?
What is the accurate and realistic perspective on our cyber risk exposure?
What are the risks our third parties pose to our business?
What is the right level of investment needed to protect us?
Are we prioritizing our top risks based on the likelihood of an attack?
What methods and calculations are we using to justify cyber spending?

To answer these questions with confidence using meaningful data, one needs a robust method for risk management and quantification. Effective cyber risk quantification should take the essences of credit, market and operational risk and apply them to a cybersecurity context.

Learn From Financial Risk Management Strategies

Let’s look at some financial risk management and assessment strategies. A technique financial institutions have historically used to assess credit risk are the five “Cs” to mitigate lending risk. These Cs are:

Cash flow (the ability to repay a debt) ..