In the first part of this series we explored the composition of “risk”: 1) the probability of a certain event, and 2) an estimation of that event’s potential impact. This piece will dig a little bit into the relationship between risk pricing and risk appetite.
There is a growing body of data that is used to define and quantify cyber risk. This data appears in academic formats through studies like Verizon’s DBIR and Ponemon’s Cost of a Data Breach study. These studies focus on the “all-in” costs of a data breach including forensics, legal expenses, and other repairs. Each of these data points is by definition the cost of risk – the occurrence of the “event” and the realization of its impact.
We also find valuation data baked into pricing for the products and services that strive to reduce cyber risk – technologies, services, and insurance. We can assume that these prices reflect the market’s consensus about the value provided by any given product or service. Put another way, this is an aggregate view of buyers’ cyber risk appetite – the price they’re willing to pay to (hopefully) reduce cyber risk to what they collectively regard as an acceptable level.
Spending to reduce cyber risk can be sorted into two big buckets: optimization and transfer. Risk optimization can be thought of as all the variables – people, process and technology – that can be directly manipulated by managers. Risk transfer is simply insurance. Risk that cannot be reduced through optimization is transferred to an insurer. We can summarize both types of spending as “things that help CEOs and boards sleep at night.”
When we look at the aftermath of a breach, costs take a turn for the worse. Now, spending is directed toward forensics, fines, legal costs, repairs and reconstruction. Nobody is sleeping well anymore, and when the dust settles the question will be “how much would it have cost to prevent this?”
The cost of achieving comfort can be thought of as management’s risk appetite. It follows that risk appetite is a powerful determining factor in the prices set by companies who provide risk mitigation solutions. Thus, solution providers gain pricing power when the risk is perceived as particularly large or intractable. Simply put, prices rise when the purchaser is motivated by fear.
Fear is born of uncertainty. Managers often assume that cybersecurity is a technology problem, and that increased spending on tactical point solutions will reduce risk. Vendors are all too happy to oblige. The same goes with cyber insurance – theoretically a backstop against the risk that remains after technology has been fully implemented.
This mode of thinking rests on two flawed assumptions: first, that technology can take the place of smart people; and second, that insurance truly captures the residual risk that technology does not mitigate.
Historically speaking, technology implementations require a complementary 10x investment in process, policy, and workforce integration. The technology – firewalls, intrusion detection, log analysis, etc. – all works very well. But unless a workforce is guided by a cohesive policy and governance structure built on top of a cybersecurity strategy, the technology will only go so far. It’s often said that the “human element” is the biggest component of cyber risk. This is true, and can only be addressed through a concerted effort focused on training, testing, procedure, policy, compliance and assurance.
When addressing cyber risk, managers and boards should optimize cybersecurity spending to provide maximum risk reduction at minimum cost. Technology is important – it should be chosen based on its ability to best address a firm’s specific risk environment. The risk environment is defined by the people and processes that, in turn, define the way a company operates. Therefore, technology spending should take a specific focus on integration, training, process and policy that aligns with the risks presented by the operating environment.
With an approach like this, management is in a very strong position when it comes time to insure against any residual risk. For starters, the process of technology implementation and process integration results in a detailed understanding of the company’s risk profile. Creating an observable, repeatable, and adaptive understanding of risk means that corporate leaders can easily convey their needs to insurers. And in turn, insurers can more easily understand and underwrite a company’s risk profile.
What may be perceived as a complex topic can be summarized quite simply. Cyber risk is a function of the way a company operates, which is simply the intersection of people and the processes they use on a daily basis. Managers who seek comfort about the secure nature of those processes should invest heavily not in technology, but in workforce development. The price of cyber risk can be thought of as the cost of building an effective “human firewall” that understands and adapts to acute risks in a reflexive manner. In the process, management’s risk appetite will align more closely with the decision criteria around how to handle cyber risks.