Cyber risk valuation: Show me the money
Abstract
Historically, qualitative risk analysis has been the method utilised by information security professionals and risk managers to identify and prioritise the risk associated with the use of IT systems in business operations to meet business goals and objectives. That is changing. The C-suite and Board of Directors across industries, in both the public and private sectors, now consider the increasing volume and cost of data breaches a significant business risk, and they are demanding that cyber risk, and the relative measure of risk or asset value, be expressed on the basis of objective quantitative analysis. While probability and likelihood still factor into the equation, CISOs must now demonstrate the value they bring in securing the value of the business by justifying investments in cybersecurity technologies, processes and people in specific financial terms. Because ROI is nearly impossible to define, the concept of cyber risk valuation is becoming more prevalent and is projected to be the primary means used by cyber insurance brokers to determine the level of cyber risk and the cybersecurity maturity of an organisation when considering coverage options and policy exclusions.
The full article is available to subscribers to the journal.
Author's Biography
John B. Sapp is the Global Information Security Officer for Orthofix, a diversified, global medical device company focused on improving patients’ lives by providing superior reconstructive and regenerative orthopedic and spine solutions to physicians worldwide. He has 30 years’ experience in information technology, which includes 15 years of IT security and IT risk management. Sapp is recognised as a cyber visionary and industry expert on Information Security Risk Management.