By Lawrence A. Gordon
Cyber risk is a critical concern to corporate executives, government agencies and politicians in today’s digital world of interconnected information systems.
Indeed, studies indicate that cyber risk is the top risk factor, or one of the top risk factors, confronting contemporary organizations. The recent CrowdStrike software glitch is a good example of how cyber risk can impact the world’s interconnected information systems.
The above notwithstanding, it is well known that 100% cybersecurity is neither technically possible nor economically desirable. Since cyber risk can’t be eliminated, the question that must be answered is: Can cyber risk at least be managed in a cost-effective manner? The answer is an emphatic yes! Managing an organization’s cyber risk is best thought of as a process that involves the following set of iterative steps.
Step 1: Identify the sources of cyber risk. These sources can be broken down into various categories. More specifically, there are internal and external threats, as well as potential vulnerabilities that are the basis for cyber risk. Identifying these threats and vulnerabilities is not only a logical place to start the process of managing an organization’s cyber risk, it also will help to frame an approach for addressing an organization’s cyber risk.
Step 2: Estimate the likelihood (i.e., probability) that your organization will experience a cyber breach. Of course, any single point estimate of the probability of a cyber breach is just that—an estimate of one possibility from a probability distribution. Thus, rather than estimating a single probability, a range of probabilities could be considered.
Step 3: Estimate the maximum cost to an organization if a cyber breach occurs. Here again, a point estimate of the maximum cost resulting from a cyber-attack is just that—an estimate of one possible cost. Thus, rather than estimating a single cost, a range of costs could be considered.
Step 4: Compute the expected loss to the organization if a cyber breach occurs. This step involves multiplying the probability of a cyber breach (derived from Step 2) by the estimate of the maximum cost to the organization resulting from a cyber breach (derived from Step 3). Where a range of probabilities of potential cyber breaches is considered, and a range of potential costs associated with a cyber incident is estimated, a simulation around these numbers could be conducted to derive a more accurate estimate of the expected loss.
Step 5: Ask the following question. How much should our organization invest in additional cybersecurity-related activities to reduce the probability (or range of probabilities) of a cyber breach within our organization? This step entails comparing the additional benefits derived from reducing the expected loss from a cyber incident to the additional costs incurred due to an increased investment in cybersecurity. In other words, a cost-benefit analysis of the appropriate amount to invest in cybersecurity-related activities needs to be conducted.
This step results in reducing an organization’s cyber risk at a cost. Alternatively, organizations can transfer some of their cyber risk at a cost (e.g., via cybersecurity insurance). Either way, the appropriate amount to spend on reducing and/or transferring cyber risk needs to be viewed from a cost-benefit perspective. A cost-benefit framework for accomplishing steps two through five is provided by the Gordon-Loeb (GL) Model for cybersecurity investments. Grounded in mathematics, but easy to apply, the GL Model provides a rational economic framework for deriving the optimal amount an organization should invest in cybersecurity. The model also lends itself to deriving the optimal amount to spend on transferring cyber risk.
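The arithmetic of Steps 2 through 5, as an added worked example that is not part of the original article or of the Gordon-Loeb publications: it simulates the expected loss over a range of breach probabilities and a range of costs, then sizes the investment with the class I breach-probability function from the original Gordon-Loeb paper, S(z, v) = v/(αz + 1)^β, taking β = 1. The probability and cost ranges, the productivity parameter α, the independence of the two ranges and the sample count are constructed assumptions.

```python
"""Steps 2-4: simulate expected loss; Step 5: size the investment (Gordon-Loeb class I)."""
import math
import random


def simulate_expected_loss(p_range, cost_range, n=20_000, seed=1):
    """Monte Carlo estimate of expected loss when Step 2 and Step 3 are ranges.
    Assumes independent uniform distributions over both ranges (constructed assumption)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        total += rng.uniform(*p_range) * rng.uniform(*cost_range)
    return total / n


def breach_probability(z, v, alpha, beta=1.0):
    """Gordon-Loeb class I function: probability of breach after investing z,
    where v is the breach probability with no additional investment."""
    return v / (alpha * z + 1) ** beta


def optimal_investment(v, loss, alpha):
    """Invest until the marginal reduction in expected loss equals one unit of spend.
    For beta = 1, alpha*v*L/(alpha*z+1)^2 = 1 gives z* = (sqrt(alpha*v*L) - 1)/alpha,
    floored at zero when even the first unit of spend is not worth it."""
    return max((math.sqrt(alpha * v * loss) - 1) / alpha, 0.0)


def net_benefit(v, loss, alpha, z):
    """Reduction in expected loss from investing z, minus the investment itself."""
    avoided = (breach_probability(0, v, alpha) - breach_probability(z, v, alpha)) * loss
    return avoided - z


if __name__ == "__main__":
    # Constructed inputs: 5-15% breach probability, $1M-$3M maximum cost, alpha = 1e-5.
    p_range, cost_range, alpha = (0.05, 0.15), (1_000_000, 3_000_000), 1e-5
    expected_loss = simulate_expected_loss(p_range, cost_range)
    v, loss = sum(p_range) / 2, sum(cost_range) / 2
    z_star = optimal_investment(v, loss, alpha)
    print(f"simulated expected loss : ${expected_loss:,.0f}")
    print(f"optimal investment z*   : ${z_star:,.0f}")
    print(f"net benefit at z*       : ${net_benefit(v, loss, alpha, z_star):,.0f}")
    print(f"net benefit at 2*z*     : ${net_benefit(v, loss, alpha, 2 * z_star):,.0f}")
    # Gordon-Loeb result: the optimum never exceeds 1/e (about 37%) of the expected loss.
    print(f"z* / expected loss      : {z_star / (v * loss):.1%}")
```

Doubling the optimal spend still reduces the breach probability, but the extra reduction in expected loss is smaller than the extra cost, which is the cost-benefit test Step 5 describes.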
Step 6: Have a recovery plan in place prior to experiencing a cyber incident. Since 100% cybersecurity is neither technically possible nor economically desirable, organizations need to be prepared to respond to a cyber breach before experiencing such a breach. Two key ingredients of a successful recovery plan are flexibility and speed of response.
Step 7: Conduct a review of how well your organization’s process of managing cyber risk is working. If your organization experienced a cyber incident, it is important to fully understand how the cyber incident occurred, the damage caused, and the pros and cons of the response to the incident. Whether a cyber incident occurred or not, it is important to assess alternative ways the organization could improve its process of managing cyber risk. Most importantly, the review needs to be used as a learning tool for the next cycle of managing cyber risk.
The above steps are best thought of as a feedback process whereby past events are used to inform future estimates of the probability of potential cyber-attacks, the costs of such attacks, and the appropriate level of investment in cybersecurity. Senior management and boards of directors (where appropriate) need to be integral to this feedback process, especially from an oversight perspective. Furthermore, those responsible for implementing the process need to know that such oversight is clearly taking place.
In sum, there is no way to achieve 100% cybersecurity in an interconnected digital environment, and that means cyber risk can never be fully eliminated. Even if 100% cybersecurity were achievable, from a cost-benefit perspective it would rarely, if ever, be justified. This will be true even 100 years from now, regardless of the advances in such technologies as AI. However, not being able to eliminate cyber risk doesn’t mean an organization can’t manage its cyber risk in a cost-effective manner.
Although not a panacea, the process of managing cyber risk discussed above, combined with effective oversight of the entire process, provides a cost-benefit framework for managing cyber risk. Of course, the specifics associated with each step in the process will vary depending on a variety of organizational-specific factors.
Lawrence A. Gordon is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland (College Park) and co-author of the Gordon-Loeb Model for cybersecurity investments, which provides an economic framework for deriving the optimal amount to invest in cybersecurity.