
Information Security: Quantifying Cyber Threats


To coincide with the 2015 World Economic Forum (WEF) Annual Meeting, held in Davos, Switzerland in January, the Partnership for Cyber Resilience published its latest report, “Towards the Quantification of Cyber Threats”, produced in collaboration with Deloitte.

The report summarises the activities of the Partnership across 2014, which focused on the modelling of “cyber value-at-risk”, in an attempt to build a common cyber security framework amongst stakeholders.

Information Security transformation experts Corix Partners share their views on the report and its relevance in the context of today’s cyber security challenges.

How important is cyber value-at-risk for cyber security practitioners today?

The previous report published by the Partnership for Cyber Resilience in January 2014 (“Risk and Responsibility in a Hyperconnected World”, in collaboration with McKinsey & Company) highlighted very low cyber security maturity levels across large corporates. We would have expected follow-up work in that area, helping companies get themselves onto the first steps of the cyber security ladder.

Cyber-risk modelling is a topic of some complexity, both theoretically and mathematically. Selecting a topic of such complexity is not likely to help the security industry move forward over the short term, especially when most actors have been struggling to get to grips with the basics for many years. It is a concept we rarely come across in the field, and it is therefore difficult to understand why this group of experts would have singled it out, from among their previous year’s activities, for further research.

The vision behind the report is clear: the development of a common cyber value-at-risk model could lead to the harmonisation of cyber security practices and to the emergence of more mature cyber risk insurance vehicles and markets. But the report rightly acknowledges the enormity of the task in the absence of reliable input data. At best, it offers a very long-term vision, and one that may never materialise if maturity levels do not develop faster across large organisations.

How valuable is the 2015 report?

The report makes some valuable contributions to the cyber-risk modelling debate, which have been rightly analysed by Dr John Leach in a recent post.

However, for us, it also reflects some of the issues that were already very apparent in the 2014 report – “Risk and Responsibility in a Hyperconnected World” – which we highlighted in our commentary article.

The report seems to take a very technology-centred view, failing to explicitly acknowledge people and business processes as assets. It refers often to “vulnerabilities” (a technologist’s term), defining them in technical language. The term “control” (which might have been more appropriate) is used only once in context (“the 2014 survey showed that 50% of technology executives regard controls as a ‘pain point’ or a ‘limitation’”). When it finally gets to the subject of “mitigation strategies”, again it refers to them mostly in terms of “systems”. The basic fact that protection against threats is the result of the layered application of controls across the organisation, through people, processes and technology, does not seem apparent or understood.

It also fails to offer clear definitions around key concepts and is imprecise in its use of language, for example using the words “risk” and “threat” almost interchangeably in some parts of the report.

The 2015 report lacks the right historical perspective and seems to present cyber value-at-risk modelling as a new concept, without acknowledging earlier work in or around the space that could have contributed. As Dr Leach points out, the topic is not new – and starting with a sound examination of the state of the art could have helped. Many Information Security practitioners would also remember the various attempts over the past 10 years to model returns on security investment, or the various threat models that exist (for example, amongst many others, the one published by the UK Government under IA Standard No 1 – latest version 3.5.1 dated October 2009). Each of those, in their own context, could have provided valuable lessons.

In its final paragraphs, it does rightly acknowledge the importance of board-level involvement and of having the right governance models in place. But overall, for us as practitioners in the cyber security space, who work every day in the field with CIOs and CISOs on these matters, it does not offer a great deal of material we can take away to help our clients (and the security industry at large) move forward.

What could the Partnership for Cyber Resilience and the WEF do to help the security industry move forward?

The 2014 report (“Risk and Responsibility in a Hyperconnected World”) was hugely valuable to us in that context. It placed cyber security in a genuine economic perspective, and the survey it contained confirmed a number of key facts. In particular, the very low cyber security maturity levels achieved by large corporates, in spite of the huge amounts spent in that space, are something we come across in the field every day. We believe these low maturity levels in large corporates are rooted in widespread governance and organisational problems surrounding cyber security that span the last 10 to 15 years.

For the security industry at large to move forward, strategic focus is essential, and investment needs to shift away from the short to medium term towards the longer term. Attitudes and language also need to shift towards reality and action. It is key for the security industry to start driving a message towards executive management that talks less about “risk”, because ultimately the word will always imply dealing with events that may or may not happen, and quantities you can ignore or transfer. This only perpetuates the illusion that cyber crime, and a fundamental failure to properly address Information Security, do not pose a real threat.

It is essential to talk more about “threats” (something that can cause harm), “assets” (people, processes, physical items, premises, information and technology that you want to protect from harm) and “controls” (something you can actually do to protect assets against threats). It is vital to shift focus back to the basics that can prevent up to 80% of cyber attacks (UK GCHQ, “Countering Cyber Threats to Business”, Institute of Directors Big Picture, Spring 2013), with a view to building effective and efficient protection frameworks.

In parts, the 2015 report (“Towards the Quantification of Cyber Threats”) aims at achieving this, but its focus on the mathematical modelling of cyber value-at-risk is too complex to be the right catalyst, given the low levels of cyber security maturity across large organisations.

JC Gaillard

Managing Director

Corix Partners

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Security Strategy, Organisation & Governance challenges.

This article was originally published in Enterprise CIO Forum on 26th February 2015 but is no longer available online on their website.