The past decade has seen a significant advance in cyber risk assessment maturity. There has been wide recognition that security and risk frameworks provide excellent process for assessing risk, but miss out on defining exactly how to compute and communicate risk. Increasingly, corporate boards have been asking for quantitative measures of cyber risk, similar to what other disciplines in the organization have been doing for a long time (e.g. measuring financial impact). Instead of being content to continue providing stoplight chart risk reports, CISOs are moving toward providing reports of economic impact of cyber incidents. This move helps support critical board-level and executive decisions regarding capital adequacy and cyber insurance purchases.
This maturation in risk practice was given Gartner’s imprimatur in 2018, when their analysts declared Cyber Risk Quantification (CRQ) as a critical component of integrated risk management. This was a clear indication that the future of cyber risk assessments would be to assess and present it the same as other corporate risk disciplines. Supporting this effort was the FAIR Institute, founded in 2014 and which currently has nearly 6,000 members worldwide, covering about 30 percent of the Fortune 100. The FAIR Institute was founded to promote the de facto CRQ standard, FAIR, which was released by the Open Group.
All this great progress, however, has been primarily focused on the private sector. One notable exception is the US Department of Energy (DOE), which has publicly indicated that it will be using the FAIR standard to conduct CRQ assessments on critical infrastructure, both public and private. Others in the public-sector service can find comfort in the DOE’s trailblazing example. One key threshold that a lot of public-sector organizations struggle with when adopting CRQ is the notion of expressing cybersecurity as financial risk. In many ways, it appears at first blush to be anathema to public sector service; their work is truly service to a broad population. Profit and loss are foreign concepts in that realm. In many cases, such public-sector work is literally done to save lives, and after all, how can we put a dollar value on that?
As it turns out, accounting for human life in the process of decision analysis has long been a common practice in social and political sciences. This concept is called “value of a statistical life,” or VSL. It’s been in use for some time by the very public-sector agencies that are in need of help assessing cyber risk in a quantitative way: the US Department of Transportation, FDA, EPA, and various public health plans. These values have been placed as low as $129,000 per year of life to as much as $9.6 million per life. Such values are used to provide a richer tapestry of information for decision-makers as they allocate limited resources. It does not serve in any way to cheapen life or any of these organizations’ missions. Instead, it helps these organizations accurately evaluate public policies to budget investments based on anticipated outcomes. It’s no different for cybersecurity.
Once an organization is able to vault over the inertia of not wanting to quantify these values, they can quickly see improvements in their organizational risk assessments. For public-sector organizations, this can manifest itself in stark contrast to existing methods. Consider the difference in cyber risk assessment or cybersecurity strategy discussions between a work product that essentially says “this is high risk therefore we need to do it,” versus “not fixing this deficiency/investing in this new capability will expose our constituency to $5 to $10 million of economic impact annually.” It becomes a far more compelling and persuasive conversation to be able to articulate and defend your assertions. So, too, does it place the appropriate level of accountability on the decision-makers to formally accept the risk associated with their decisions.
Accounting for these values in your public-sector CRQ assessment using the FAIR standard can be done by considering the broader economic impact of a cyber incident. Instead of thinking about an availability incident affecting sales, consider a municipal services availability problem. State and local governments in the United States are increasingly becoming the target of ransomware and, in cases such as the city of Baltimore, we are seeing problems with water and other critical services. As the city recovers, customers are getting large water bills to make up for months of the city being unable to run accounting and billing processes. Further, the city has been unable to collect the revenue incrementally, endangering its ability to fund this critical infrastructure.
These kinds of events can be straightforward to foresee and, as a result, straightforward to account for the economic impact. If a critical public-sector service is unavailable, then what are the impacts to the community serviced by them? Can businesses operate without it? What is the impact on tax revenue if the power goes out and commerce is unable to be conducted? How many people will be unable to work as a result of public transportation being unavailable? How does this impact the most vulnerable in the community, who often have little economic cushion to fall back on during crises? Accounting for the number of people affected by estimates of how many people will be displaced, lose their housing, be unable to purchase critical medications and food, etc. is the right way to think about CRQ economic and financial impact for public-sector concerns. The same is true for confidentiality losses: how will a breach of local taxpayer information affect the citizens you serve? What kinds of economic activity will it hinder, how many hours of their time will be spent rectifying fraudulent events, and what is the economic impact of a loss of privacy?
These kinds of questions and more can be the basis for assessing quantitative cyber risk impact scenarios for public-sector organizations that plan to use the FAIR standard. FAIR advocates using the accounting process called activity-based costing (ABC) to think about all the costs incurred by various parties as events plays out in the lives of those affected. This will give the organization a sense (using ranges of impact representing least, most, and most-likely results) of where priority for a particular service lies. When we consider how much citizens rely on their government’s providing basic services and critical infrastructure, it is imperative that we endeavor to accurately reflect the economic impact of the failure of these services not just on the for-profit industry, but on the underserved and vulnerable in the community who need these services the most. Not providing accurate valuations of the impact on human life will result in a misallocation of resources at best, and unnecessary loss of life at worst.
About the author: Jack Freund, Ph.D., CISA, CRISC, CISM, is director, risk science for RiskLens, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.