The fundamentals of risk management are based on evaluating consequences and likelihood. For cyber risk, consequences, or Business Impact Values (BIV), are the financial and intangible impacts that could result from a cyber incident. Likelihood is determined by comparing the strength of your cybersecurity, or CsL, to the strength of relevant cyber threats, or Cyber Threat Level (CTL). Cyber Risk, then, can be assessed by putting these three Key Risk Indicators (KRI) together on a Cyber Risk Profile. The circles on the Cyber Risk Profile represent value at risk for Key Information Assets (KIA), with colors indicating the significance of the impact to business resilience. The position on the Profile indicates the risk of a successful cyber attack.
How Much Cybersecurity Is Enough?
From a risk management perspective, the answer to this question is “You need enough cybersecurity to mitigate relevant threats that are attacking your value.” By viewing risks associated with Key Information Assets on a Cyber Risk Profile, decision makers can now address the questions:
- “How will a cyber event financially impact our business?”
- “Do we have enough cybersecurity to mitigate anticipated cyber threats?”
- “Where should we invest limited resources to reduce cyber risk?”
The Cyber RiskScope portfolio contains solutions that support the assessment and improvement of each KRI along with solutions to help manage cyber risk during daily operations.