Managing cyberrisk is plagued by a fundamental challenge: how to characterize enterprise cyberrisk in a way that lends itself to management action. Classifying risks in broad terms such as “high,” “medium,” or “low” does not truly support effective risk management decisions and resource allocation. The value-at-risk (VAR) concept offers firms a game-changing new approach.

VAR developed in investment banking in the 1990s to help managers identify the risks that really mattered among multiple daily market risk reports and to build a strategic view of enterprise risk. As the name implies, VAR is a measure of the likely financial impact of a risk event within a specified time horizon.

The great benefit of VAR for cyberrisk management is that it both quantifies risk and expresses it in economic terms that can be understood by boards and throughout the executive suite. It also helps address the longstanding challenge of aggregating cyberrisk with other operational risks in the enterprise risk management framework.

But adapting VAR to cyber is a journey that companies are only just beginning as new methodologies, data and tools mature. The chief information security officer (CISO) can and should be in the driver’s seat, working with the operational risk officer and chief risk officer to move the enterprise to a new level of maturity in cyberrisk management. The adoption of a VAR approach will put CISOs in a much better position to offer objective answers to fundamental questions from executives and the board, such as:

• What are our top cyberrisks in terms of probability and severity?
• What impact will risk mitigation/transfer plans have on these risks?
• How large are our cyberrisks compared to other enterprise risks?
• How might our business expansion plans increase our cyberrisks?
• What are our most cost-effective risk management strategies?

What is the value of cyber VAR?

CISOs can begin by developing a clear understanding of what VAR offers to cyberrisk management. The cyber VAR concept can help with critical decisions, such as defining cyberrisk appetite and assessing the optimal allocation of cyberrisk management resources as the two examples below illustrate.

Risk appetite

At the enterprise level, risk should be managed against the company’s board-agreed risk appetite, that is, the degree of risk the company is willing to assume.

Until recently, applying the risk appetite concept to cyberrisk with quantitative precision and confidence has been a challenge. VAR changes that. It offers boards a dollars-based framework for integrating the decisions about the three big components of a cyberrisk management strategy:

• Risk appetite
• Investment in mitigation measures
• Risk transfer, including limits and retention.

As a first step, cyber VAR allows the firm to calculate its risk exposure without taking account of mitigation measures, and then to compare this with mitigation measures in place. This clarifies the risk reduction benefits of risk management measures and security controls, and gives the board something to work with in setting the risk appetite.

Over time, the company can use cyber VAR to monitor its developing cyberrisk profile against its agreed risk appetite as threats and business activities change.

The language of numbers

Gaining the strategic advantages of calculating cyber VAR has become a practical proposition over the past couple of years, as new tools and methodologies have made their way into the market. Generally, the existing building blocks of most cybersecurity programs can be leveraged to define the three key inputs required for the new cyber VAR tools:

1. Total exposure: Define and estimate the total exposure of the business in relation to its IT systems, business applications and data. The total exposure consists of the cost of the hardware and software, as well as loss of revenue or other business impact if the system were unavailable. Recovery costs should also be included, along with fines and notification costs for privacy breaches, the cost of lost intellectual property, and other liabilities.
2. Attack type/probability: The analytical model must capture the nature and capability of the cyberthreat, given the company’s industry sector and activities. For example, does the biggest threat arise from a hacktivist causing a business interruption, criminal attempts to steal intellectual property, or breaches of confidentiality? Emerging industry statistics and studies can help here.
3. Controls effectiveness: Firms must carefully detail the controls environment and the effectiveness of individual controls.

Firms should avoid using audit-style checklists to capture the controls environment. Instead, the goal must be to assess the effectiveness of the controls based on how they are implemented, managed, and operated in the specific environment. Human factors are so critical that it is all-important to apply the judgment of an expert analyst.

The analyst should benchmark the company against a well-accepted cybersecurity controls framework, such as the NIST Cybersecurity Framework or the Center for Internet Security Critical Security Controls. These frameworks typically cover some 250 controls, which is the depth needed in order to build the greatest confidence in the cyber VAR calculations.

The cyber VAR methodology, like its VAR predecessor in the financial sector, usually employs a Monte Carlo simulation to generate the loss probability distribution.

Tom Fuhrman is a Washington, D.C.-based managing director for Marsh Risk Consulting, focusing on cybersecurity consulting and advisory services.