The World Economic Forum, together with its partners, has developed a cyber-risk management framework. The ‘cyber value-at-risk’ scheme combines the factors ‘vulnerabilities’, ‘value of the assets at risk’ and ‘profile of an attacker’ into one model, allowing organisations to make better decisions about investments in cyber security. Deloitte managed the development process.
In a world of rapidly expanding data-driven technologies, such as web, cloud, social and mobile platforms, and of increasing interconnection, cyber threats are becoming more and more of a problem, because these technologies are inherently oriented towards sharing data rather than securing it. As a result, cyber risk management, protecting one’s business against targeted threats without disrupting business innovation and growth, is increasingly important for organisations*.
To help organisations tackle the problem of cyber risk, the World Economic Forum’s (WEF) Partnering for Cyber Resilience initiative decided to develop a new cyber risk management scheme, titled ‘cyber value-at-risk’. Alan Marcus, Senior Director of the Information and Communication Technology Industries at the WEF, explains: “Continuous cyber-attacks on global organisations are showing that we are at a crossroad. The same technologies many organisations have become so dependent on can also threaten their very core. This is why we are launching a Future of the Internet initiative in Davos, including this critical cyber value-at-risk framework.” Professional services firm Deloitte, one of the WEF’s strategic partners, was asked to manage and guide the process.
According to the WEF and its partners, businesses need a clear understanding of their risk environment, covering both residual risk (known and assumed) and evolving risk (unknown and not yet uncovered), in order to manage their cyber risks. In addition, the focus should be on the assets at risk (both digital and physical), not only on the type of attacker and the methods used in the attacks. By building a complete cyber value-at-risk model that offers a comprehensive outlook on the organisation’s assets under threat, organisations can answer a question of the following form: “Given a successful cyber-attack, my company will lose no more than X amount of money over a given period of time, with 95% confidence.” That is the usual value-at-risk statement: a loss threshold paired with a confidence level, not an accuracy figure.
Cyber risk management framework
The cyber value-at-risk framework standardises and unifies the different factors into a single normal distribution that quantifies the value at risk in case of a cyber-attack and can be incorporated into the broader risk strategy of a company. The framework takes into account the components ‘vulnerabilities’ (technologies, processes and people), ‘value of the assets at risk’ and ‘profile of an attacker’. Using the framework, companies can address questions such as how vulnerable they are to cyber threats, how valuable the key assets at stake are and who might be targeting them, which allows them to make informed decisions on suitable responses to these threats. According to the developers of the framework, the purpose of the cyber value-at-risk approach is “to help organisations make better decisions about investments in cyber security, develop comprehensive risk management strategies, and help stimulate the development of global risk transfer markets.”
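To make the “single normal distribution” and the 95% statement concrete, here is an added example of how a value-at-risk figure is read off once per-asset loss estimates have been folded into one distribution. This is illustrative code written for this page, not the WEF/Deloitte model or any published formula from it: it assumes that each asset’s annual loss (asset value combined with its assumed likelihood of compromise for the attacker profile in scope) is approximately normal and that the components are independent, so their means add and their variances add. The asset names and figures are constructed.

```python
"""Illustrative cyber value-at-risk (VaR) computation.

Added example, not the WEF/Deloitte model. Assumptions: each asset's
annual loss is approximately normally distributed and the assets are
independent, so they aggregate into one normal distribution whose
quantile gives the statement "loss will not exceed X with 95% confidence".
All figures below are constructed for illustration.
"""
from statistics import NormalDist
from typing import Iterable, Tuple

# Constructed inputs: (asset, expected annual loss, standard deviation).
# The expected loss is assumed to already combine the asset's value with
# the assumed probability of compromise for the attacker profile in scope.
ASSETS = [
    ("customer database", 400_000.0, 250_000.0),
    ("payment gateway",   900_000.0, 600_000.0),
    ("public web tier",   150_000.0, 100_000.0),
]


def aggregate(components: Iterable[Tuple[str, float, float]]) -> NormalDist:
    """Combine independent normal loss components into one normal.

    Means add; variances (not standard deviations) add, which is the
    step people most often get wrong when summing risk estimates.
    """
    comps = list(components)
    mean = sum(m for _, m, _ in comps)
    variance = sum(s * s for _, _, s in comps)
    return NormalDist(mean, variance ** 0.5)


def value_at_risk(dist: NormalDist, confidence: float = 0.95) -> float:
    """Loss level that will not be exceeded with the given confidence.

    For a normal distribution this is the inverse CDF at `confidence`,
    i.e. mean + z * stdev with z ~ 1.645 at 95%.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return dist.inv_cdf(confidence)


def exceedance_rate(dist: NormalDist, threshold: float,
                    n: int = 100_000, seed: int = 1) -> float:
    """Fraction of simulated annual losses above `threshold`.

    Sanity check on the VaR: when `threshold` is the 95% VaR, roughly
    5% of simulated years should exceed it.
    """
    samples = dist.samples(n, seed=seed)
    return sum(1 for x in samples if x > threshold) / n


if __name__ == "__main__":
    total = aggregate(ASSETS)
    var95 = value_at_risk(total, 0.95)
    print(f"aggregate mean annual loss: {total.mean:,.0f}")
    print(f"aggregate standard deviation: {total.stdev:,.0f}")
    print(f"95% value at risk: {var95:,.0f}")
    print(f"simulated exceedance rate: {exceedance_rate(total, var95):.3f}")
```

The point of `exceedance_rate` is the practitioner’s check: a VaR number is only meaningful relative to its confidence level, and the simulated share of years that breach the threshold should land near 1 minus that level. If the per-asset losses are correlated (a single attacker campaign hitting several assets at once), the independence assumption understates the variance and the VaR comes out too low; that caveat applies to any model built from a single normal.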
Commenting on the framework, Jacques Buith, Managing Partner at Deloitte Risk Services, says: “We need to be able to quantify cyber-risks if proper cyber-resilience assurance is to be achieved. Only then will management boards be able to take sound risk/reward decisions in this volatile world and thus secure their organisations’ cyber-resilience.”
* Consulting firm EY recently released new research highlighting the danger of cybercrime: 37% of organisations are unprepared for a cyber-attack.