Cyber Risk Quantification: The Pressure Is On (New Survey)

Share the latest from ThreatConnect

New survey suggests companies aren’t prepared or equipped to deliver cyber risk quantification data

Cyber risk has long been acknowledged as one of the top risks facing companies of all sizes. And while it has traditionally been viewed as solely a technical issue, business executives and boards of directors are now demanding a view into the financial and business impacts of cyber risks, according to a new survey by ThreatConnect.

Seventy percent of security professionals who took part in a recent ThreatConnect survey said they are receiving medium to high levels of pressure to produce cyber risk quantification (CRQ) data for their business. The growing pace and sophistication of nation state attacks, coupled with an ever-expanding attack surface stemming from continued digital modernization, has focused the attention of business leaders on their ability to accurately quantify and prioritize cyber risks within the context of their individual business. Quantifying cyber risk is now an urgent priority for 2021.

“I think it’s incredibly important to evolve the way that we talk about cybersecurity,” said Michael Daniel, a former White House cybersecurity policy advisor and the CEO of the Cyber Threat Alliance, in a recent interview with the ThreatConnect Podcast. “Cybersecurity is now a critical enabler for most businesses to continue operating. And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”

However, half of those surveyed said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritize vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:

  • 41% of respondents said they do not have a formalized process in place to evaluate and rank cyber risks.
  • 25% said they do not have a cyber risk quantification technology deployed at their company.

Automated cyber risk quantification technology takes the guesswork out of cyber-related business decisions. With its ability to attach a dollar sign to incoming threats, stakeholders across the organization can clearly see which incoming threats are the most dangerous, estimate the net financial loss if the threat goes unresolved, ascertain whether the organization has proper controls in place, and determine whether future technology investments are necessary for the health and safety of the business. This automated process takes the guesswork, and years of human error, out of the boardroom and allows for seamless and data-driven business decisions. 

More than half of survey respondents (52%) said they built or are building their own platform in-house – with many stating that the most well known and publicized solution in the space left them underwhelmed. With ThreatConnect RQ now on scene – and our unique approach to combining Risk, Threat and Response under one umbrella, there is now a much more attractive solution in the market. One that should change this “I guess we have to go it alone” thinking from early CRQ adopters.

Building your own solution is not a formula for success, said Jerry Caponera, Vice President of Cyber Risk Strategy at ThreatConnect. “It would take millions of dollars and many years to build a CRQ platform that is data-driven,” he said. “And building a CRQ platform with the industry-leading capabilities you need is probably not core to your business. Creating presentations might be core to your business, but you don’t build your own Powerpoint application.”

7 Reasons Not to Build Your Own Cyber Risk Quantification Platform

  1. Breadth of the Solution
    • Your business is not a unicorn. Most of your losses are similar to other companies. To build your own CRQ model would require data on what others are losing. You have to pay for and/or create that content, which is time-consuming and expensive.
  2. Subjective Versus Data-Driven
    • Creating your own content, model, and then output is a very subjective effort. The best solutions, however, are objective. For example, you could build your own car, but should you? Is that effort a core function of your business?
  3. Depth of Security
    • Cyber risk is not just about the financial losses. It’s also about the technical piece (eg. How do attacks work against defenses? How do TTP’s match up to actors and their capabilities? And how does that all correlate to the kinds of losses you can incur?)
  4. Time
    • This is a big effort. Our team has been at it for years. Data changes, models change, and you need to keep up with it.
  5. Cost
    • Time = money. Think millions of dollars to create something worthwhile on your own.
  6. Core Business Function
    • CRQ is a function you should leverage. Developing a CRQ platform is not a core function of your business. For example, creating presentations might be core to what you do but have you built your own competitor to Powerpoint to do that? Why would you do the same for CRQ?
  7. ‘What if’ Analysis
    • Even if you build a model, you’ll have to defend it. And if you managed to defend it you’re going to get asked questions like “what if we were to do xyz…” So you end up creating an entire in house effort that’s outside the core business and you are incapable of answering new questions or easily integrating new tools. 

“In the end, companies can build their own CRQ,” said Caponera. “But it’s taken us many, years and millions of dollars. And we’re committed to this for the long run.”


Share the latest from ThreatConnect
About the Author
Dan Verton
Dan Verton

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the 2003 groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He has a Master of Arts in Journalism from American University in Washington, D.C.

Share the latest from ThreatConnect