The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new cybersecurity effort to develop actionable metrics and quantify cyber risk across the nation’s critical infrastructure sectors.
The Systemic Cyber Risk Reduction Venture is being developed in partnership with the National Risk Management Center (NRMC) and will focus on the relationship between threat, vulnerability, and consequence, with a particular emphasis on identifying and quantifying systemic and interconnected risks.
“What we’re doing is organizing a lot of our work to better understand sources of exposure, vulnerabilities, and how adversaries may exploit those vulnerabilities for the purpose of trying to undermine the functioning of infrastructure,” said Bob Kolasky, CISA Assistant Director for the National Risk Management Center, during an interview with the ThreatConnect Podcast.
Overall, the program will function across three major lines of effort:
- Build the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure
- Cyber Risk Metric Development
- Promoting Tools to Address Concentrated Sources of Cyber Risk
Cyber risk quantification will be a critical component of the Systemic Cyber Risk Reduction Venture, Kolasky said. However, most companies, including critical infrastructure companies, do not currently have the ability to accurately quantify risk in an automated fashion so that the most important threats and vulnerabilities to their business are prioritized.
“The quantification of risk has to be the consequence you’re trying to avoid. And so from a national security perspective, the consequence we’re trying to avoid is our loss of functioning of critical functions, or associated public safety and public security concerns,” Kolasky said. “And so as we think about cyber metrics, it’s really thinking about metrics in terms of functionality first and foremost.”
Kolasky said he hopes the development of cyber risk metrics will provide a starting point for companies’ to elevate cyber risk to their boards of directors and improve decision making. The first event around metrics development is expected to take place in March.
“Whenever I talk to chief risk officers or corporate boards about making sure that cyber risk is part of their overall enterprise risk governance approach, it all starts with, ‘what’s the thing you’re trying to avoid?’ And so in this case, the thing that businesses are trying to avoid is loss of business, loss of revenue, or loss of functionality that would cause their clients and their suppliers to lose faith in it,” Kolasky said.
“And so businesses really need to unpack the things that are their key value proposition, whether it’s functioning or whether it’s the data that enables them to have competitive advantage,” he said. “And then think about the mechanisms by which a cyber attack or a cyber incident can undermine those key business metrics.”
A recent survey by ThreatConnect, however, found that 50% of cybersecurity practitioners said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritize vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:
- 41% of respondents said they do not have a formalized process in place to evaluate and rank cyber risks.
- 25% said they do not have a cyber risk quantification technology deployed at their company.
Automated cyber risk quantification technology takes the guesswork out of cyber-related business decisions. With its ability to attach a dollar sign to incoming threats, stakeholders across the organization can clearly see which incoming threats are the most dangerous, estimate the net financial loss if the threat goes unresolved, ascertain whether the organization has proper controls in place, and determine whether future technology investments are necessary for the health and safety of the business. This automated process takes the guesswork, and years of human error, out of the boardroom and allows for seamless and data-driven business decisions.