Cyber risk has no obvious shape or size. That’s why it’s such a thorny problem – it is exceedingly difficult to pinpoint factors that drive risk. As a result, it is nearly impossible to build actuarial models that present a reasonably accurate depiction of expected outcomes. In order to understand the problem, it’s important to examine the factors that determine the shape and size of a risk.
Generally speaking, risk can be defined as the probability of an event’s occurrence multiplied by that event’s expected impact. The equation [Probability * Impact = Risk] is a rough approximation (it is the expected loss from the event), but it is a good starting point for a risk model. A risk model gains clarity as the modeler gains confidence in the estimates of both probability and impact, so the usefulness of the model is bounded by whichever of the two is less certain.
The probability of a cyber breach is almost 100%. At any given moment there is some probability that your network or organization will suffer a breach, and over time the accumulation of all those moments adds up to a near certainty that you will be breached. The chance at each passing minute stays the same, but if that per-minute chance is p, the chance of surviving n minutes without a breach is (1 - p)^n, which falls toward zero as n grows: on a long enough timeline, the survival rate for everybody drops to zero. Because this estimate is already close to certain, there is little room to improve our confidence in it. Note that the near certainty is for the occurrence of some breach; it says nothing about which event, or when.
So what about impact? While the probability of a breach hovers around 100%, the expected impact is generally a big fat question mark. We have a very low level of confidence in any estimate of impact. This lack of confidence reflects a general state of uncertainty about how companies handle data, and about how much damage can result when that data is not properly protected. This uncertainty is what drives high cyber insurance premiums and broad exclusions.
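The two claims above, that a small per-period breach probability compounds toward certainty and that the spread of a risk estimate is driven by impact rather than probability, are easy to check numerically. The following is an added example, not code from the original article; the per-day breach probability, the horizon, and the probability and impact intervals are constructed assumptions chosen only for illustration.

```python
"""Added example (not from the original article): how a small per-period breach
probability compounds toward certainty, and why the spread of a risk estimate is
dominated by uncertainty in impact rather than in probability.

All numbers below are constructed assumptions for illustration, not data.
"""
import math


def cumulative_breach_probability(p_per_period: float, periods: int) -> float:
    """Probability of at least one breach over `periods` independent periods,
    each with breach probability `p_per_period`: 1 - (1 - p)^n."""
    if not 0.0 <= p_per_period <= 1.0:
        raise ValueError("per-period probability must be in [0, 1]")
    if periods < 0:
        raise ValueError("periods must be non-negative")
    return 1.0 - (1.0 - p_per_period) ** periods


def periods_to_reach(p_per_period: float, target: float) -> int:
    """Smallest number of periods after which the cumulative probability of at
    least one breach reaches `target` (e.g. 0.99)."""
    if not 0.0 < p_per_period < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p < 1 and 0 <= target < 1")
    # Solve (1 - p)^n <= 1 - target for n, then correct for floating-point
    # rounding by checking the neighbouring values of n.
    n = max(0, math.ceil(math.log(1.0 - target) / math.log(1.0 - p_per_period)))
    while n > 0 and cumulative_breach_probability(p_per_period, n - 1) >= target:
        n -= 1
    while cumulative_breach_probability(p_per_period, n) < target:
        n += 1
    return n


def expected_risk(probability: float, impact: float) -> float:
    """The article's rough model: Risk = Probability * Impact (expected loss)."""
    return probability * impact


def risk_bounds(p_low, p_high, impact_low, impact_high):
    """Lower and upper bound on risk given interval estimates for both inputs."""
    return expected_risk(p_low, impact_low), expected_risk(p_high, impact_high)


def impact_share_of_uncertainty(p_low, p_high, impact_low, impact_high) -> float:
    """Fraction of the (log-scale) spread in the risk estimate that comes from
    the impact interval rather than the probability interval. A value near 1.0
    means better impact estimates, not better probability estimates, are what
    would tighten the model."""
    p_spread = math.log(p_high / p_low)
    impact_spread = math.log(impact_high / impact_low)
    total = p_spread + impact_spread
    return impact_spread / total if total > 0 else 0.0


if __name__ == "__main__":
    # Assumed: a 0.5% chance per day of a breach (constructed figure), over 3 years.
    p_day, days = 0.005, 3 * 365
    print(f"P(at least one breach in {days} days) = "
          f"{cumulative_breach_probability(p_day, days):.4f}")
    print(f"days until 99% cumulative probability: {periods_to_reach(p_day, 0.99)}")

    # Assumed interval estimates: probability is well pinned down (95% to 100%),
    # impact is not (USD 50k to USD 50M). Both ranges are constructed.
    p_lo, p_hi, i_lo, i_hi = 0.95, 1.0, 50_000, 50_000_000
    lo, hi = risk_bounds(p_lo, p_hi, i_lo, i_hi)
    print(f"risk bounds: USD {lo:,.0f} to USD {hi:,.0f}")
    print(f"share of spread due to impact uncertainty: "
          f"{impact_share_of_uncertainty(p_lo, p_hi, i_lo, i_hi):.3f}")
```

With the assumed 0.5% daily chance, the cumulative probability of at least one breach passes 99% in a little over two and a half years, which is the compounding the text describes. With the assumed intervals, the risk estimate spans three orders of magnitude and more than 99% of that spread (on a log scale) comes from the impact interval, so effort spent tightening the probability estimate buys almost nothing.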
People often say of cyber breaches, “it’s not a matter of if, but when.” That certainly sounds dramatic, but it is not helpful, because it offers no actionable insight into risk management. A message posed this way insinuates that all is lost. It is often meant to capture the attention of leaders, but it has the side effect of discouraging any positive action.
Perhaps a more helpful sentiment is “chance favors the prepared mind.” If we accept that a breach is inevitable, then proper preparation is not just sensible, but critical. In fact, the only hope we have of minimizing the damage from a breach is to prepare in advance, and the same preparation (knowing what data the organization holds, how it is handled, and what its loss would cost) is what raises confidence in our estimates of the impact of a breach.
A risk is simply a potential event with an expected outcome. Where an estimate is already near certain, there is no room for improvement; further analysis cannot change it. Therefore, to improve our approach to risk management, we must identify the areas of greatest uncertainty and determine how best to define the factors that determine the impact of a breach. To the degree that we can correctly estimate any risk’s likelihood and impact, we can make good decisions about whether to accept, mitigate, or transfer it.