Cyber Risk News

What Security Professionals Must Understand About Comprehensive Cyber-Risk

Risk aggregation is not a novel idea. The insurance business, for example, has long studied how shared assets and similarities among the organizations in its portfolios concentrate potential risk. Risk aggregation is the process of bringing together compounding risks to understand the overall risk to a company, a region, an industry, or another entity. If a storm strikes a given region, for instance, the resulting property damage may produce a slew of insurance claims at once; this is referred to as an aggregate risk.

Insurance companies must evaluate the implications of aggregate risk, including the way individual risks can compound into a single catastrophic occurrence affecting a large number of policyholders. Consider this: if an insurer sells home insurance to everyone in a city, and a hurricane then destroys every house in that city, the insurer faces a flood of claims all at once.

We haven’t seen anything like this in cyberspace yet, but the fear is that a single large cyber catastrophe could set off an uncontrollable chain of technological failures that would be disastrous for businesses and economies around the world. And, as attackers become more daring, the possibility of compounding cyber-risk factors becomes a greater concern.

Aggregate risk behaves differently in cyberspace, however. Houses in the path of a hurricane cannot be moved to a different site to avoid the damage. Organisations, by contrast, can put security controls in place that help prevent a disaster during a cyber incident. There are various ways to decrease aggregate cyber-risk, and potentially avoid a disaster altogether: establishing defensive measures against large-scale denial-of-service attacks, patching the most severe vulnerabilities first, or distributing applications across multiple clouds or regions.

When it comes to overall cyber-risk, security professionals should ignore clickbait headlines. To secure their organisations proactively, they must grasp two concepts: one, cyber-risk is continuously changing, and two, aggregate cyber-risk does not have to become catastrophic when decisions are informed by data-driven insights.

Cyber-Risk Is Dynamic and Volatile, But So Is Technology

Cyber-risk is ever-changing because new vulnerabilities emerge daily, which makes it especially difficult to foresee how risk will shift. As an example, according to Coalition, the total number of Common Vulnerabilities and Exposures (CVEs) will increase by 13% between 2022 and 2023. This figure is expected to rise year after year as more researchers enter the field and new technology is released.

The growing number of CVEs, however, should not lead security professionals to believe that all hope is lost. There is still a limit to how many organizations attackers can target and how many flaws they can exploit. The dynamics of the evolving risk landscape are mirrored on the mitigation side: detection is getting faster, and software updates and patches are being distributed more often to address newly discovered flaws. In short, we are getting smarter alongside our adversaries.

Instead, the sector would benefit from thinking about risk aggregation at a more specific, granular level: address the most severe risk areas unique to your organization or industry first, because they are usually where the greatest losses occur.

To make risk a broader C-suite conversation, security professionals may need to rethink how they traditionally discuss it. For example, expressing risk in dollar terms rather than vulnerability severity scores can help a CFO decide how much insurance coverage to obtain.

A Data-Driven Approach to Modeling Cyber-Risk

Given the necessary data and technical skills, cyber-risk is manageable and can be adequately insured. Surprisingly, there is more data on cyber-risk than on any other risk in the world. Using this vast amount of data to our advantage can significantly reduce the impact of aggregate cyber-risk on organizations.

We discovered that a cyber incident with a one-in-250-year probability might cost more than $370 million in losses in a Coalition simulation modeled on a sample of 5,000 top-growth US enterprises. A catastrophic cyber incident might cost $30 billion in total losses if extrapolated across the whole US economy.

However, our model revealed that a catastrophic event is significantly more likely to be localized. We can observe through aggregation technologies and suppliers, the shared technology architecture on which aggregate cyber-risk is constructed, that cyber-risks aren’t as interrelated as you might imagine. Assets are not all housed in the same uniform physical or virtual surroundings.

For example, if a cloud services provider goes down, it is highly unlikely to affect the entire market; the impact is more likely to be confined to a specific region. While cloud computing providers operate hundreds of thousands of physical servers and millions of virtual machines around the world, their architecture and operations are highly segmented, which keeps a failure in one part from spreading to others.

It’s Not About Eliminating Risk but Managing It

We can’t prevent every catastrophic cyber incident or know in advance how far risk aggregation can go, especially when there are no previous instances to guide us. Cyber is a dynamic and complex kind of risk, and insurance firms cannot treat it with traditional aggregation procedures.

Understanding cyber-risk begins with being at ease with change and applying the right skills and mindset to reduce the unknowns. Even though it is likely to remain unpredictable, cyber-risk is knowable and quantifiable.
