Cyber risks have risen to the top of the list of threats to business prospects. In a 2020 survey conducted by Harvard Business Review Analytic Services of 168 US executives sponsored by PwC, for example, 74% of respondents named cyber risk as one of the top three risks their companies face. That puts cyber risk well ahead of the next risk category, risk of business disruption and systems failures, which only 42% cited.
Cyber threats constantly occur and evolve. Companies face different threat actors working through different threat vectors to create different risk events.
How to defend against cyber threats without breaking the bank? Start by quantifying cyber risks. By determining the likely financial impact of different threats, you can direct finite resources to fend off the greatest threats. In PwC’s Global Digital Trust Insights 2021 survey, 17% of cyber managers told us they have already done so. Sixty percent are starting to. Another 17% plan to.
Quantification has to be better and more granular than what most companies do today, and that is not easy, because accurate, actionable cyber risk quantification is hard. Cyber risks are different from more traditional risks (such as economic or market ones), which risk managers have long experience modeling. These risks come from strategic adversaries who constantly switch up their technology and methods to seek out weak spots in your own. It is highly challenging to build a reliable, standardized risk-assessment model for this fast-changing combination of economic, social, behavioral and highly technical factors.
Yet supported by the enormous growth in data on cyber risk, companies today can successfully make a sophisticated financial assessment of the cyberthreats that they face. They can then focus resources toward managing the gravest risks.
How advanced are companies in quantifying cyber risks? According to the Harvard Business Review Analytic Services survey, fewer than half have risk matrices for cyber threats. Most of the matrices that do exist lack the sophistication decision makers need. Many are just spreadsheets with risks subjectively scored as low, medium or high.
Only a tiny minority of survey respondents use open-source FAIR methodology, analyze causal relationships in high-risk scenarios or deploy actuarial models for cyber risks. Yet if based on solid data and methodologies, these models can help provide what companies really need: a financial estimate of the risks.
The survey also revealed a tale of two sizes: shortcomings are particularly acute in companies with fewer than 10,000 employees. Compared with larger companies, they are four times as likely not to apply any kind of quantitative assessment of cyber risks. They are almost half as likely not to use even rudimentary risk matrices.
The two major triggers for quantifying cyber risk are the need to improve cyber risk management and to prioritize (and justify) cyber spend. The current gaps in these areas are glaring.
On risk management. Fewer than half (45%) of the respondents in the Harvard Business Review Analytic Services survey “strongly agreed” that they had a formalized process to evaluate cyber risks in line with business priorities. Fewer than half (42%) expressed such strong confidence in their ability to adjust cyber investments to match changes in the risk landscape or in business priorities. Scarcely a third (36%) strongly agreed that they aggregate cyber risk with other enterprise risks to help leadership understand overall enterprise risk tolerance.
On prioritization of cyber spending. Fewer than half (45%) were very confident that their cyber spend is allocated to the most significant risks, according to our Global Digital Trust Insights 2021 survey. Fewer than half (42%) were very confident that their cyber spend is focused on the remediation, risk mitigation and/or response techniques that will provide the best return.
These shortcomings show up in low board confidence. In our survey of 693 corporate directors, only 32% said they understood their company’s cyber vulnerabilities very well. By comparison, 87% said they are very familiar with their company’s strategy and 68% with the competitive landscape.
Chart: More than half lack confidence that their cyber budget³ (a) is focused on remediation, risk mitigation and/or response techniques that will provide the best return on cyber spending, or (b) includes monitoring the effectiveness of the cyber program against the spending on cyber.
1. To what extent do you agree or disagree with the following statements? Base = 168 US executives. Source: Harvard Business Review Analytic Services Survey, April 2020.
2. What are your organization’s most important reasons to quantify cyber risk? Select up to 5. Base = 168 US executives. Source: Harvard Business Review Analytic Services Survey, April 2020.
3. Regarding your organization’s current cyber budget and processes, how confident are you with regard to the following? Base = 3,249 respondents globally. Source: PwC, Global Digital Trust Insights 2021, Cybersecurity comes of age, October 2020.
For the few companies that are using cyber risk quantification successfully, the benefits are significant. One major financial services organization now assesses the financial risk that cyber threats pose and puts a dollar figure on how much of that risk it is mitigating. Any board and CEO can understand if a security leader says, “We’ve got $750 million in inherent risk, and our current cyber program mitigates $520 million of it.”
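To make concrete how a FAIR-style model (mentioned above) arrives at an inherent-versus-mitigated dollar figure like the one quoted, here is an added worked example. It is not PwC's model or any client's; the scenario (a phishing-led account takeover before and after MFA and monitoring), its frequencies and its loss ranges are all constructed for illustration. It keeps only the core FAIR decomposition, loss event frequency = threat event frequency x vulnerability, and annual loss = the sum of per-event losses, and it uses a Poisson event count and a triangular per-event loss in place of the calibrated PERT curves a real FAIR analysis would use.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR terms. Every number fed into this class
    below is constructed for illustration, not a figure from the article."""
    name: str
    threat_event_frequency: float  # expected threat events per year (TEF)
    vulnerability: float           # P(a threat event becomes a loss event)
    loss_min: float                # per-event loss magnitude, USD
    loss_most_likely: float
    loss_max: float

    @property
    def loss_event_frequency(self) -> float:
        """FAIR: LEF = TEF x Vulnerability (loss events per year)."""
        return self.threat_event_frequency * self.vulnerability

    def expected_annual_loss(self) -> float:
        """Closed-form mean for a triangular per-event loss; a sanity check
        on the simulation, not a substitute for it (it says nothing about tails)."""
        mean_event_loss = (self.loss_min + self.loss_most_likely + self.loss_max) / 3
        return self.loss_event_frequency * mean_event_loss


# Constructed example: account takeover before and after controls. The controls
# lower the vulnerability (MFA) and cap the loss tail (faster detection).
INHERENT = Scenario("ATO, no MFA", threat_event_frequency=4.0, vulnerability=0.30,
                    loss_min=50_000, loss_most_likely=300_000, loss_max=2_000_000)
RESIDUAL = Scenario("ATO, MFA + monitoring", threat_event_frequency=4.0, vulnerability=0.10,
                    loss_min=50_000, loss_most_likely=200_000, loss_max=1_000_000)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler: number of loss events in one simulated year."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int, seed: int):
    """Monte Carlo: total loss in each simulated year (compound Poisson)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        n_events = poisson(rng, s.loss_event_frequency)
        total = 0.0
        for _ in range(n_events):
            # Triangular stands in for the PERT curves usually used with FAIR.
            total += rng.triangular(s.loss_min, s.loss_max, s.loss_most_likely)
        annual.append(total)
    return annual


def percentile(samples, q: float) -> float:
    ordered = sorted(samples)
    return ordered[int(q * (len(ordered) - 1))]


def summarize(samples) -> dict:
    return {"ale": mean(samples),             # annualized loss expectancy
            "p50": percentile(samples, 0.5),
            "p90": percentile(samples, 0.9)}  # a one-in-ten bad year


def quantify(inherent: Scenario, residual: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Inherent vs. residual risk and the dollar value the controls remove."""
    inh = summarize(simulate_annual_losses(inherent, years, seed))
    res = summarize(simulate_annual_losses(residual, years, seed))
    return {"inherent": inh, "residual": res,
            "mitigated": inh["ale"] - res["ale"],
            "mitigated_pct": 100 * (1 - res["ale"] / inh["ale"])}


if __name__ == "__main__":
    r = quantify(INHERENT, RESIDUAL)
    for label in ("inherent", "residual"):
        print(f"{label:9s} ALE ${r[label]['ale']:,.0f}  p90 ${r[label]['p90']:,.0f}")
    print(f"controls remove ${r['mitigated']:,.0f} per year ({r['mitigated_pct']:.0f}%)")
```

The figure a board hears ("$X inherent, $Y mitigated") is the difference between the two annualized loss expectancies; the p90 line is the number to put beside it, because a control that barely moves the mean can still cut the one-in-ten bad year substantially, and vice versa. The same structure extends to a portfolio by summing scenarios, which is also what lets cyber risk be aggregated with other enterprise risks as the article recommends. The weak point in practice is never the arithmetic but the inputs: calibrated frequency and magnitude estimates, refreshed as controls and threats change.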
Another company, a serial acquirer, now has better visibility into the likely costs of the cyber risks that potential acquisitions may present. As a result, it can execute its acquisition strategy better and more quickly. Yet another company now produces daily assessments of the risk posed by different cyber threats and, with a daily check of the health of its controls, can act more quickly to reallocate resources.
After a Fortune 100 company quantified cyber risks associated with its manufacturing plants, it achieved a new capability: It can now tailor its cybersecurity investments in individual plants to help reduce the risk of disruptions in production — in line with set risk tolerances. Before cyber risk quantification, the company had been obliged to rely on incident histories and blanket controls, a far less exact approach.
As more companies quantify cyber risks with the speed and sophistication that decision-makers need, we should see improvements beyond the current state. Today, fewer than 15% are very successful in achieving better insights for better decision-making, in achieving better preparation for future cyber incidents, and in making more data-driven decisions on conflicting objectives such as risk versus revenue.
Companies with sophisticated cyber risk quantification often share a key characteristic: They are advanced in integrating their cyber risk model with their enterprise risk model and overall data-driven risk management. When cyber risk quantification doesn’t yield benefits, it’s often a sign that either this integration is inadequate or that some fundamental capabilities are lacking.
The road to sophisticated cyber risk quantification is paved by five mutually reinforcing capabilities. These priorities will take work, but the ultimate payoff, winning the confidence of the CEO, board and investors in your ability to help manage cyber threats while increasing the return on your cybersecurity investments, can be worth it.