How to Calculate Cyber Security Risk Value and Cyber Security Risk

There has been a lot of interest lately in formulas for calculating cyber security risk value. That is not at all surprising given the crisis in cyber security that has intensified so greatly in the last few years. Every interest, from large government organizations and corporations to small businesses and even individuals, is struggling to get a handle on data breaches, ransomware, supply chain attacks, malware incursions and all the other cyber-ills that are besetting us from every angle. To gain that handle, interests must be able to assign relative value to their information assets and systems. It only makes sense to provide the highest level of protection to those information assets that are the most critical to the organization, or those that contain the most sensitive information. Hence the need for the ability to calculate risk value.

The formula for risk value, as it pertains to cyber security, is simply stated as probability of occurrence x impact. This should not be confused with the formula for calculating cyber security risk, which is risk = (threat x vulnerability x probability of occurrence x impact) / controls in place. As can be seen, cyber security risk value is a subset of the larger cyber security risk calculation. It is useful because it allows the organization to assign a value to the risk, either in terms of the level of risk (e.g. high, medium or low) or the actual cost of the risk (e.g. dollars, time or reputation). The more realistically risk value can be calculated, the better an interest can rate the actual value of an information asset to the organization. In other words, it is the meat of risk assessment.

So, let's take a look at the two factors in risk value and see how we can calculate them. First is determining the probability of occurrence (or likelihood). According to NIST, to derive the overall likelihood of a vulnerability being realized in a particular threat environment, three governing factors must be considered:

  1. Threat source motivation and capability: Is the threat source liable to be interested in the information asset? Can they make money or gain advantage from it? Do they have the ability to get at the asset? Are there known malware or social engineering techniques that may be able to get at the asset?
  2. Nature of the vulnerability: Is the vulnerability due to human nature? Is it a weakness in coding? Is it easily exercised or is it difficult to exercise? Is it presently being exploited in the wild?
  3. Existence and effectiveness of current controls: What security mechanisms are in place that could possibly prevent or detect exercise of the vulnerability? Have these controls been useful in stopping similar exploits in the past? Have other organizations demonstrated controls that have been effective in countering exercise of the vulnerability?

There is also a handy table for rating the likelihood of occurrence as high, medium or low:

| Likelihood Level | Likelihood Definition |
|---|---|
| High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |
| Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |

Now let's look at the other factor: impact. When judging the impact of the compromise of an information asset, we need to carefully consider two factors:

  1. System and/or data criticality: What would happen if the information asset was illicitly modified? (Loss of integrity) What would happen if the information asset or system was not accessible or working? (Loss of availability) What would happen if the privacy of the information asset was compromised? (Loss of confidentiality) How much money per time period would the organization lose if the information asset was compromised?
  2. System and/or data sensitivity: Is the information asset proprietary to the organization? Is the information asset protected by government or industry regulation? Could compromise of the information asset lead to lawsuits? Could compromise of the information asset lead to loss of reputation or business share?

It should be noted that impact levels can be gauged in two ways: quantitatively or qualitatively. Judging impact quantitatively means putting an actual dollar value on the successful compromise of an information asset. This type of impact analysis is very useful to business management, but is very difficult to calculate accurately in many cases. In my opinion, quantitative impact analysis works best when the complexity of the system is small. As complexity grows, so does the inaccuracy of the calculation.

Qualitative impact is easier to calculate, and is liable to be more useful when judging impact of complex systems or the enterprise as a whole. Qualitative impact ratings result in levels of impact such as high, medium or low, although I have seen impact level granularity of five or more levels. NIST has a handy table for judging the magnitude of a business impact:

| Magnitude of Impact | Impact Definition |
|---|---|
| High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury. |
| Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury. |
| Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest. |
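To make the two tables and the two formulas concrete, here is an added Python example (written for this page; it is not the author's worksheet nor a NIST tool). It encodes the likelihood table as a function of threat-source motivation, capability and control effectiveness, the magnitude-of-impact table as the worst of its three clauses, and then computes both the qualitative risk value (likelihood x impact on a 3x3 matrix) and the quantitative one (probability x dollar impact), as well as the larger risk formula from the opening, for one constructed sample asset. The control labels ('ineffective', 'impeding', 'preventing'), the numeric scores assigned to each impact clause, the 1-3 ordinal scales and the 3x3 banding of the product are assumptions made for the example; the dollar figures and probability are constructed.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale shared by likelihood, impact and the resulting risk value."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def rate_likelihood(motivated: bool, capable: bool, controls: str) -> Level:
    """Apply the NIST likelihood table.

    controls is one of 'ineffective', 'impeding' or 'preventing'; these three
    labels are constructed for this example, not NIST terms.
    """
    if controls not in ("ineffective", "impeding", "preventing"):
        raise ValueError(f"unknown control rating: {controls!r}")
    if not (motivated and capable):
        return Level.LOW        # threat-source lacks motivation or capability
    if controls == "preventing":
        return Level.LOW        # controls prevent or significantly impede exercise
    if controls == "impeding":
        return Level.MEDIUM     # motivated and capable, but controls may impede
    return Level.HIGH           # highly motivated and capable, controls ineffective


# Constructed scoring of the three clauses of the magnitude-of-impact table.
_ASSET_LOSS = {"none": 0, "some": 1, "costly": 2, "highly_costly": 3}
_MISSION_HARM = {"none": 0, "noticeable": 1, "harm": 2, "significant": 3}
_HUMAN_HARM = {"none": 0, "injury": 2, "death": 3}


def rate_impact(asset_loss: str, mission_harm: str, human_harm: str) -> Level:
    """Rate impact as the worst of the three clauses; any asset rates at least Low."""
    worst = max(_ASSET_LOSS[asset_loss], _MISSION_HARM[mission_harm], _HUMAN_HARM[human_harm])
    return Level(max(worst, Level.LOW))


def risk_value(likelihood: Level, impact: Level) -> tuple[int, Level]:
    """Qualitative risk value = likelihood x impact, banded back onto a 3x3 matrix.

    The bands (1-2 Low, 3-4 Medium, 6-9 High) are a common convention assumed here.
    """
    product = int(likelihood) * int(impact)
    if product <= 2:
        return product, Level.LOW
    if product <= 4:
        return product, Level.MEDIUM
    return product, Level.HIGH


def risk_value_dollars(annual_probability: float, impact_dollars: float) -> float:
    """Quantitative risk value = probability of occurrence x impact (expected loss)."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return annual_probability * impact_dollars


def overall_risk(threat: int, vulnerability: int, probability: int,
                 impact: int, controls: int) -> float:
    """Overall risk = (threat x vulnerability x probability x impact) / controls.

    All inputs are 1-3 ordinal scores (assumed scale). controls is the
    effectiveness of controls in place; 1 means no effective control, which
    keeps the divisor from ever being zero.
    """
    for name, score in (("threat", threat), ("vulnerability", vulnerability),
                        ("probability", probability), ("impact", impact),
                        ("controls", controls)):
        if not 1 <= score <= 3:
            raise ValueError(f"{name} must be scored 1-3, got {score}")
    return threat * vulnerability * probability * impact / controls


def assess_sample_asset() -> dict:
    """Constructed example: a regulated customer-records database."""
    likelihood = rate_likelihood(motivated=True, capable=True, controls="impeding")
    impact = rate_impact(asset_loss="costly", mission_harm="significant", human_harm="none")
    product, band = risk_value(likelihood, impact)
    return {
        "likelihood": likelihood.name,            # MEDIUM
        "impact": impact.name,                    # HIGH (regulated data, lawsuits)
        "risk_value": product,                    # 2 x 3 = 6
        "risk_band": band.name,                   # HIGH
        "expected_annual_loss": risk_value_dollars(0.2, 500_000.0),   # constructed figures
        "overall_risk": overall_risk(threat=3, vulnerability=2,
                                     probability=int(likelihood),
                                     impact=int(impact), controls=2),
    }


if __name__ == "__main__":
    for key, value in assess_sample_asset().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The page's larger formula divides by controls in place, so an assessment with no effective controls must be represented by a non-zero score (here 1) or the calculation is undefined; and the impact rating takes the worst of the three clauses, which is how the NIST definitions read (any one of loss, mission harm or human harm is enough to reach a level).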

I personally have employed these paradigms and definitions in performing risk assessments for a number of organizations of many types over the last two decades and have found them very useful in assigning both risk value and overall risk to organizations. They help me to be inclusive and clear in my judgments while operating in a world of complexity and uncertainty.