However, understanding these concepts can be daunting for individuals without specialized skills in the field. One of the primary barriers to understanding cyber risk and cybersecurity lies in the dense web of technical jargon and complex terminology that surrounds the field. Concepts like encryption, vulnerability assessment, and intrusion detection systems can seem like an indecipherable foreign language to non-technical individuals. Cyber risk is also dynamic, sophisticated, and constantly evolving. As technology advances, so do the tactics and techniques employed by cybercriminals.
Finally, unlike tangible physical risks, cyber risks are often abstract and intangible, making them harder to grasp for individuals without specialized knowledge. The consequences of a cyber-attack may not be immediately visible or easily quantifiable. For instance, the potential loss of personal information, financial resources, or reputation can be difficult to fully comprehend until one becomes a victim. This abstract nature makes it challenging for non-experts to appreciate the significance and urgency of cybersecurity measures.
Considering this context, we propose three ways to make cyber risk and cybersecurity data visible and communicable across an organization:
- Conducting a cybersecurity maturity assessment.
- Performing a cyber risk quantification process.
- Delivering a cyber crisis simulation (also called cyber tabletop exercise).
Firstly, a cybersecurity maturity assessment helps organizations evaluate their current state of security posture. It provides a comprehensive view of the effectiveness of existing security controls, processes, and technologies in mitigating cyber risks. By assessing the maturity of cybersecurity practices, organizations can identify gaps and areas of improvement within their security program. Organizations can set realistic goals and define a roadmap for enhancing their cybersecurity posture by understanding the current maturity level.
After finishing these kinds of exercises, these are some examples of the information that could be communicated within the organization:
- Our cybersecurity maturity level against a tailored cyber risk framework (merging NIST Cybersecurity Framework v1.1 and CIS Critical Security Controls v8) is Medium. Its rating is 2,73 out of 5,00.
- Comparing our rating with that of our peers, we are slightly below the average rating (2,9 out of 5,00).
- Since the NIST Cybersecurity Framework functions DETECT (1,5 out of 5,00) and RESPOND (2,1 out of 5,00) are the ones with the lowest ratings, if we suffer a cybersecurity incident, the impact (losses) component of the basic risk formula (risk = likelihood x impact) is the variable that, in general terms, would weigh more.
Secondly, a cyber risk quantification process makes it possible to convert and communicate cyber risk data into helpful information for decision making across the different divisions of an organization. This consulting process provides clients with detailed financial quantification of their cyber risk, customized to the organization’s specific circumstances. Such a process helps to answer the following questions about cyber risk.
- From the CEO's perspective, the main question is: how can we estimate the financial impact cybersecurity incidents will have on our business next year?
- From the CFO's point of view: what is the ROI of the investment required to manage (mitigate or transfer) cyber risk?
- From the Risk Manager's vision: how can I explain to the rest of the board the expected losses due to cyber incidents in the coming years?
- Finally, from the CISO's standpoint: how do I justify a certain investment in mitigation or people to reduce existing cyber risk?
After finishing these kinds of exercises, these are some examples of the quantitative information that could be communicated within the organization:
- In the next 12 months, the likelihood of suffering a cybersecurity incident with an impact higher than 2.599.988 € is 25%, higher than 5.368.195 € is 10%, and higher than 13.706.285 € is 0,5%.
- The scenario causing the largest losses is S01 (S01-Ransomware AD Domain Controllers). In extreme cases, we can lose more than 8.000.000 € with 0,5% likelihood from this scenario alone. In catastrophic cases, we can lose more than 17.000.000 € with 0,01% likelihood.
- The largest calibrated expected cyber loss type is third-party claims and civil liabilities. This type represents 85% of the expected losses. In extreme cases, with 0,5% likelihood, we can lose more than 8.000.000 € related to third-party claims and civil liabilities. In catastrophic cases, with 0,01% likelihood, we can lose more than 13.400.000 €.
- Based on insurance theory, ideally, the general indemnification limit of a cyber insurance policy should be no less than 9.700.000 €.
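The statements above are the kind of output a loss-exceedance analysis produces. As an added illustration (not the consulting process or figures from the original article), the following Python script runs a Monte Carlo simulation over a constructed scenario catalogue: each scenario has a Poisson incident frequency and a lognormal severity, and the simulated annual aggregate losses yield the loss thresholds exceeded with 25%, 10% and 0,5% probability, the scenario and loss type that dominate expected losses, and a candidate indemnification limit. The scenario names, rates, medians, dispersions and the rule of sizing the limit at the 1-in-100-year loss are all assumptions made for the example.

```python
"""Monte Carlo cyber risk quantification: loss exceedance curve, scenario ranking,
loss-type shares and a candidate indemnification limit (added example, constructed inputs)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    code: str
    name: str
    loss_type: str
    annual_rate: float   # expected incidents per year (Poisson frequency)
    median_loss: float   # euros; median of the lognormal severity
    sigma: float         # lognormal dispersion (std dev in log space)


# Constructed placeholder calibration; not figures from the original article.
SCENARIOS = [
    Scenario("S01", "Ransomware on AD domain controllers", "third-party claims", 0.15, 1_800_000, 1.1),
    Scenario("S02", "Business e-mail compromise", "direct financial loss", 0.60, 120_000, 0.9),
    Scenario("S03", "Data breach of customer records", "third-party claims", 0.20, 900_000, 1.0),
    Scenario("S04", "Prolonged outage of e-commerce platform", "business interruption", 0.30, 250_000, 0.8),
]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of incidents in one year for a Poisson rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def loss_exceedance(losses, prob: float) -> float:
    """Smallest loss L such that at least `prob` of simulated years lost L or more."""
    ordered = sorted(losses, reverse=True)
    k = max(0, math.ceil(round(prob * len(ordered), 9)) - 1)
    return ordered[k]


def simulate(scenarios, years=20_000, seed=7):
    """Simulate annual aggregate losses; also accumulate per-scenario and per-type expected losses."""
    rng = random.Random(seed)
    totals = []
    by_scenario = {s.code: 0.0 for s in scenarios}
    by_type = {}
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            n = poisson(rng, s.annual_rate)
            loss = sum(rng.lognormvariate(math.log(s.median_loss), s.sigma) for _ in range(n))
            by_scenario[s.code] += loss
            by_type[s.loss_type] = by_type.get(s.loss_type, 0.0) + loss
            year_total += loss
        totals.append(year_total)
    return (totals,
            {k: v / years for k, v in by_scenario.items()},
            {k: v / years for k, v in by_type.items()})


def quantify(scenarios=SCENARIOS, years=20_000, seed=7, limit_prob=0.01):
    """Summarise the simulation in the terms a board report would use."""
    totals, exp_scn, exp_type = simulate(scenarios, years, seed)
    eal = sum(exp_scn.values())  # expected annual loss
    return {
        "expected_annual_loss": eal,
        "exceedance": {p: loss_exceedance(totals, p) for p in (0.25, 0.10, 0.005)},
        "scenario_share": {k: v / eal for k, v in exp_scn.items()},
        "loss_type_share": {k: v / eal for k, v in exp_type.items()},
        # Assumed sizing rule for the example: limit = 1-in-100-year loss (limit_prob = 1%).
        "suggested_limit": loss_exceedance(totals, limit_prob),
    }


if __name__ == "__main__":
    r = quantify()
    print(f"Expected annual loss: {r['expected_annual_loss']:,.0f} €")
    for p, v in r["exceedance"].items():
        print(f"Likelihood of an annual loss above {v:,.0f} €: {p:.1%}")
    worst = max(r["scenario_share"], key=r["scenario_share"].get)
    print(f"Scenario with the largest expected loss: {worst} ({r['scenario_share'][worst]:.0%} of EAL)")
    for t, share in sorted(r["loss_type_share"].items(), key=lambda kv: -kv[1]):
        print(f"  {t}: {share:.0%} of expected losses")
    print(f"Suggested indemnification limit (1-in-100-year loss): {r['suggested_limit']:,.0f} €")
```

The frequency and severity distributions are where calibration effort goes in practice (interviews, incident history, peer data); the simulation itself only turns those calibrated inputs into the exceedance figures, scenario ranking and limit that the bullets above communicate.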
Finally, a cyber tabletop exercise is a simulated training activity designed to test an organization's preparedness and response capabilities in the event of a cyber incident. It involves bringing together key stakeholders from various departments, such as IT, security, legal, communications, and executive leadership, to participate in a facilitated discussion and scenario-based simulation. In a nutshell, a tabletop exercise empowers key people to make the best possible decisions at the right time.
These are some of the questions that should be answered and discussed during a tabletop exercise:
- What should be done, when and how, if the organization suffers a cybersecurity incident?
- Who are the key stakeholders responsible for managing the incident?
- Who is accountable for notifying third parties? Who is responsible for disconnecting network services? Is this allowed? Would the organization pay a ransom?
- Who is responsible for dealing with the media if an undesired message is published on social networks?
In conclusion, we propose three effective strategies to enhance the visibility and communication of cyber risk and cybersecurity data within organizations. First, conducting a cybersecurity maturity assessment allows organizations to evaluate their current cybersecurity posture and identify areas that require improvement. Second, performing a cyber risk quantification process helps organizations understand the potential impact of cyber threats and determine their risk exposure. By quantifying cyber risks, organizations can make informed decisions about risk mitigation and transfer strategies, prioritize investments in cybersecurity measures, and communicate the potential consequences to key stakeholders.
Lastly, delivering a cyber crisis simulation, commonly known as a cyber tabletop exercise, promotes a proactive approach to preparedness and effective communication and collaboration during high-pressure situations.