You can’t manage what you can’t measure – and unfortunately, measuring cyber risk exposure can be quite difficult.

That’s not, of course, because no one attempts to put labels on risks and threats. In fact, there is a great deal of effort placed on identifying, quantifying, and deciding how to manage cyber risk. For example, most vulnerability databases, including NVD, include severity ratings designed to help organizations determine just how much of a risk each vulnerability poses. We at Cyberint include risk scores in the data we give to businesses to help them manage threats. 

Despite these efforts, there are major challenges that arise when trying to measure risk. 

Challenges With Measuring Cyber Risk

In general, organizations attempt to categorize cyber risk using matrices that look something like this:

There are a few challenges that arise from this approach:

• It’s very difficult to accurately estimate the probability of an event, even with plentiful data and information available.
• Predicting the severity of an event before it occurs is also very challenging. After all, hindsight is 20/20.
• There’s limited standardization in assigning probabilities or severity to specific events. For example, there is no common unit of measurement to quantify the severity of a risk or event.
• Different organizations will define different events in different ways. For example, one organization may reserve the term “security incident” for only very severe events, whereas another organization may count very minor events as “security incidents.”

The reality is that risk management is rarely as neat and tidy as scoring systems imply. The same risk may affect different organizations in different ways. Depending on the types of IT environments you operate and how they are configured, a risk that might be severe for one organization may turn out not to pose any threat to you, or vice versa.

Plus, risks can change in real time, and they are affected by many variables. Leaked employee credentials that appear on the Dark Web may not be a big deal initially. But they can become a serious risk if a ransomware operator purchases them.

Cyber risk assessment is further complicated by the fact that it’s very difficult to place a dollar amount on a risk. You might know, for instance, that a phishing website that impersonates your brand will have a negative financial impact on your business, but exactly how much it will cost is hard to say. It’s even harder to forecast how risk costs might change if threat actors deploy additional phishing sites, or if they modify phishing content. You can make predictions, but until an attack is in the rear-view mirror, you can never achieve anything approaching a reliable calculation of the cost of a risk.

In short, cyber security risk analysis is almost never comprehensive or scientific. Or, as Phil Cracknell writes on CIO Views, “The biggest challenge in measuring and reporting cybersecurity is that performance metrics are tied to the technology itself and don’t really tell us how good our security is.”

The best you can hope to do is validate that a risk is real, then make educated guesses about how serious the risk is likely to be.

Responding to Cyber Risk

Just because you can’t measure cyber risk exposure perfectly doesn’t mean you can’t manage it. When faced with a risk, you can respond in one of the four ways.

1. Avoid
2. Mitigate
3. Transfer
4. Accept

1. Avoid

Avoidance means stopping whatever exposes you to the risk. If you discover that a certain type of database is vulnerable, for example, you can simply turn off those databases.

The obvious downside here is that shutting down resources may disrupt business operations. But it also prevents the exploitation of risks, so it’s a viable strategy in situations where you believe the risk is truly severe and you can foresee no other mitigation measures.

2. Mitigate

In cases where you know how to mitigate the risk, that’s usually preferable to avoidance. Risk mitigation means taking a certain action – such as patching a software product after a new vulnerability is discovered or updating credentials for a user account that was compromised – that minimizes the chances of attackers exploiting a risk.

Mitigation requires some time and effort, and it doesn’t necessarily fully eliminate risks. For instance, if you update the credentials of a compromised account, there’s a chance that the method threat actors used to compromise the account remains viable, and that they’ll simply steal the updated credentials, too. But in many cases, mitigation is an effective means of rooting out risk.

3. Transfer

A cyber security risk analysis and mitigation strategy is to transfer the risk to someone else. You could, for example, purchase cybersecurity insurance, which won’t prevent threat actors from exploiting vulnerabilities but will at least reduce the financial fallout of a breach.

You don’t really solve the root problem, but you insulate your business against the risk.

4. Accept

A fourth option is to accept the risk and do nothing to address it. This makes sense when you do not believe the risk is severe and the time and effort required to mitigate it outweigh the benefits of remediation.

In this scenario, it’s still important for the information security professionals to document the risk, including estimations on the potential financial impact of this risk, and share the findings with senior leadership. If the organization’s leadership decides to accept the risk, they must sign off on the documentation to accept responsibility for the fallout if that particular risk turns into a costly incident. 

Choosing the Best Cyber Risk Mitigation Strategy

Of these four options, mitigation is clearly the best choice in most circumstances. As the Global Risk Management Institute puts it, “Organizations need to establish and implement a risk management strategy to mitigate the risks specific to their business and to eliminate cyber-attack threats.”

The other three approaches – avoidance, transfer and acceptance – either don’t remove the threat or (in the case of avoidance) are likely to have a negative business impact due to operational disruptions.

Now, choosing to avoid, transfer or accept a risk might make sense if you could reliably measure each risk. But as we explained above, you can’t. Just because you think a risk is minor enough to accept, for example, doesn’t mean it actually is – and if you miscalculate, you could end up deciding to ignore a risk that turns out to have severe consequences.

Cyber Risk Mitigation Strategies

How do you go about mitigating cyber risks? The answer depends, of course, on factors like the nature of each risk and the resources available to you. But in all cases, risk mitigation should reflect the following:

• Attack surface assessment: Monitor your external attack surface to improve visibility and understand risks. Then, isolate the risk and deal with it before threat actors exploit it.  The lower your attack surface – meaning the fewer vectors you give threat actors for exploiting a risk – the lower the chances that you’ll have to mitigate a risk at all.
• To that end, educate your workforce and develop a cybersecurity culture so that employees naturally act in ways that reduce exposure to risks like phishing.
• Threat intelligence: The more you know about risks and the earlier you know about the risks, the more effectively you can mitigate them. That’s why you should monitor threat actors and correlate threat intelligence data with attack surface management (ASM) to determine how attackers are most likely to operate and what you can do to block them.
• Deep and Dark Web monitoring: Monitoring the places where threat actors hang out and share information helps you get ahead of risks and take action before threats impact your organization.
• Cyber supply chain risk management: Risks can arise not just from what your business does, but also from what partners, suppliers and vendors do. For that reason, be sure to monitor your supply chain  in real-time to detect risks that might spill over into your organization.

That last point deserves some elaboration, given the recent 742 percent surge in software supply chain attacks. To protect against cyber supply chain risks, businesses must establish continuous visibility into their supply chains. You need to know if third-party software or data that your business depends on is affected by a risk. For example, compromised account credentials for a partner who has access to one of your business systems could lead to a breach of those systems. You need to act early to get ahead of the threat.

A Comprehensive Approach to Cyber Risk Exposure

Vulnerability severity scores notwithstanding, don’t expect to be able to measure cyber risks with any degree of accuracy or consistency. Nonetheless, businesses must be aware of risks and prepare to act strategically whenever risks arise. That means, ideally, mitigating each risk by leveraging threat intelligence that reveals the nature of the risk, determining how the risk impacts your organization based on attack surface context and, finally, taking action to stem the root cause of the risk.

By delivering real-time threat intelligence customized for your attack surface, Cyberint can help you mitigate risks quickly and efficiently. Contact us to learn more.