I frequently see discussions on the need (or not) to quantify cyber risk. I tend to side with the “quantify” folk.
I also see discussions on how to quantify cyber risk, and while there is no universal agreement, the FAIR methodology is favored by many practitioners.
But before we think about how to quantify cyber risk, we need to decide why we need to quantify it.
What is the question to which quantification is the answer?
What does $420 million or any other number mean unless you can use that quantification to answer a business question?
I think the question is in two parts:
- Do I need to act to reduce the risk to the business and its objectives, and
- How much should I spend on what given my constraints, such as:
  - The available options, their effectiveness, and our ability to use them
  - The diminishing rate of return on investments in cyber beyond a certain point
  - Available resources (including business-practical borrowings)
  - Competition for those same resources, especially from those with a comparable or better ROI. This is almost always overlooked by InfoSec practitioners.
  - The need to maintain liquidity
  - The risk that additional investment will prove less than useful as hackers evolve
It is possible that the CEO and the board will look at a quantification like $420 million and say that’s too much. But…