When it comes to managing cyber risk, you cannot effectively manage what you cannot properly measure. According to Jeff Welgan, executive director and head of executive training programs at CyberVista and speaker at FEI’s 2019 Financial Leadership Summit, business leaders need to be aware of and prepare for the following six types of impacts:
- Financial: Costs associated with primary and secondary losses continuing to rise year-over-year
- Operational: Disruption to key business operations and systems
- Strategic: Impacts on brand value and reputation, such as abnormal customer churn
- Physical: Where virtual meets physical, i.e., threats to physical objects, critical infrastructure, and human life
- Regulatory/compliance: Increased regulation, fines and penalties, and civil and class-action lawsuits
- Personal: Attempted lawsuits targeting the board of directors and “early retirements” for executives
Though the financial and reputational risks of cyber-attacks are obvious, we may not consider the other impacts, such as physical and personal.
“We have to consider the physical implications. This probably doesn’t affect most organizations in this room today,” Welgan told the audience. “But on the manufacturing side and on the healthcare side, you should see more and more of this now or be more concerned with this.”
On personal impacts, Welgan shared, “Sometimes ROI stands for risk of incarceration.” He also pointed to the many executives who have lost jobs over big breaches.
When it comes to confidently measuring risk, it’s important to define the difference between prediction, probability, and possibility. “Prediction is making concrete statements about what’s going to happen in the future or at least alluding to the fact that something will or will not happen,” explained Welgan. “It would be the same thing as saying you have a deck of cards, and the next card you are going to pull out is an ace of spades. It’s better if we can move towards a model that is more quantifiable: ‘You have a probability of 1 out of 52 that the next card you pull is an ace of spades.’ So there is a discrete difference between those two. We also have to look at probability in the sense of big events. Is it probable that when you go home to New York City, you’re going to get attacked by a tiger if you get out of the car? Probably not. But is it possible? Yes.”
Another important distinction is subjectivity versus objectivity. “We want to avoid this at all costs with cyber-risk quantification,” said Welgan. “When we say our cyber risk is high or low or medium, that is really a subjective measurement. We need to move towards actual objectivity.”
Using the Factor Analysis of Information Risk (FAIR) model, organizations can measure, manage, and report on information risk from the business perspective. Welgan says that effective risk management requires making well-informed decisions, which require effective comparison. “Think about when you’re buying a car. You’re going to go buy a BMW or an Audi. In order to do that, and make a well-informed decision, you need to start comparing those two cars. Which one has more features in it that you like? Color might be a factor. Cost certainly might be a factor. You want to find out what these meaningful measurements are so you can make those effective comparisons. When we talk back to the cyber realm, we need an accurate model to make those measurements, and that’s where the FAIR model will come in.”
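An added illustration, not from the article or from Welgan's talk, of the kind of comparison he describes: FAIR's two top-level factors, Loss Event Frequency and Loss Magnitude, turned into an annual-loss distribution that two scenarios can be ranked on. The scenario names, the min / most-likely / max ranges, and the triangular sampling are constructed assumptions for the example.

```python
# Added example: FAIR-style quantification of two constructed scenarios.
# Assumption: Loss Event Frequency (events/year) and Loss Magnitude ($/event)
# are min / most-likely / max estimates sampled from a triangular distribution,
# and annual loss is sampled as LEF * LM. All names and figures are constructed.
import random
from statistics import mean

SCENARIOS = {  # (minimum, most likely, maximum) per factor
    "ransomware on ERP": {"lef": (0.1, 0.5, 2.0), "lm": (200_000, 1_500_000, 8_000_000)},
    "lost laptop with PII": {"lef": (2.0, 6.0, 15.0), "lm": (5_000, 40_000, 300_000)},
}

def tri_mean(est):
    """Mean of a triangular distribution given (min, mode, max)."""
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0

def expected_annual_loss(scn):
    """Closed form: E[LEF * LM] = E[LEF] * E[LM], the factors being sampled independently."""
    return tri_mean(scn["lef"]) * tri_mean(scn["lm"])

def simulate(scn, trials=20_000, seed=7):
    """Monte Carlo annual-loss distribution; the fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        lo, mode, hi = scn["lef"]
        lef = rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)
        lo, mode, hi = scn["lm"]
        lm = rng.triangular(lo, hi, mode)
        samples.append(lef * lm)
    samples.sort()
    pct = lambda p: samples[int(p * (trials - 1))]
    return {"mean": mean(samples), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}

def rank(metric="p90"):
    """Order scenarios by one comparable number rather than a high/medium/low label."""
    results = {name: simulate(scn)[metric] for name, scn in SCENARIOS.items()}
    return sorted(results, key=results.get, reverse=True)

if __name__ == "__main__":
    for name, scn in SCENARIOS.items():
        r = simulate(scn)
        print(f"{name:22s} mean ${r['mean']:>12,.0f}  p90 ${r['p90']:>12,.0f}  p95 ${r['p95']:>12,.0f}")
    print("ranked by p90:", rank("p90"))
```

Ranking on the p90 (tail) figure rather than the mean is what lets a board see which scenario deserves the budget, which a "high/medium/low" label cannot show.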
This article originally appeared on FEI Daily and is republished by permission.