Legal departments—specifically attorneys—work hard to protect their organizations from harm. It is the raison d'être of their role. This may involve saying no to things that seemed like good ideas before they were analyzed from a legal perspective, because, when faced with a decision about something new, the safest option is often to say no. Single-factor analysis of anything tends to ignore vital elements that more diverse perspectives can bring to bear. Cyberrisk quantification (CRQ) may be one such example.
For the better part of two decades, organizations have been quantifying cyberrisk using a variety of approaches such as Factor Analysis of Information Risk (FAIR), cyber value at risk (VaR) and security ratings. Throughout this time, the risk of not quantifying cyberrisk has been duly noted. So, what is driving the latest concerns about something that is, by its very nature, designed to alleviate communication problems, translate technology for executives and boards of directors (BoDs), and help remediate the things that could get organizations into trouble?
Legal concerns could stem from the nature of risk quantification. The process is designed to uncover problems with an actionable amount of detail. Anything that is discoverable in a legal proceeding can find its way into a court case, and embarrassing fallout may ensue. The fear is that the very detailed CRQ risk assessment results will be made public. For many organizations that have not adopted CRQ, such results may already include lists of broken or missing controls and audit results, all with corresponding verbal risk labels (e.g., high, medium, low). They could (and really should) also include a list of scenarios with the same risk labels attached to them. These results alone could be damning to some organizations. The CRQ-specific concern is that all of these elements are additionally tied to a potential amount of loss and a frequency.
However, it is difficult to imagine a court proceeding in which strictly qualitative results would allow an organization to walk free. It would look like what one would expect: a list of risk factors and (if we are being cynical) excuses as to why they cannot be resolved immediately. The only thing quantification would add is the expected financial loss were those broken or missing controls to be exploited. Indeed, this entire line of reasoning is a red herring for the real issue, which is that organizations conduct cyberrisk assessments, communicate their findings and then take no action.
Quantitative risk assessments would provide a paper trail showing that the organization was aware of the source of risk; that the organization chose not to fix it or, in the best-case scenario, created a plan for how and when it would be fixed; and what the potential monetary impact would be of not remediating the risk. In fact, there are far more best practices associated with not performing these three steps than with doing them. Imagine an organization that is not conducting risk assessments and is subsequently hacked. Through the discovery process, it is revealed that it had not been conducting risk assessments. That is a violation of due care and due diligence by the board and executive management. Adding additional data to those assessments to justify ratings does not create any more risk.
If anything, it is what an organization does with quantified data that truly matters. Top uses for CRQ data include risk transfer decision support (i.e., buying cyberinsurance) and setting and managing a cyberrisk appetite (e.g., via issue management and project assessments). In fact, establishing a risk appetite is far more mature than not doing so and instead pretending that the organization accepts nothing that is high risk, which is what most qualitative risk appetite statements say in one form or another.
An organization that has actively chosen to accept a certain amount of risk, and that actively makes plans for dealing with that risk were it to come to fruition, is far more mature than one that pretends that hiding behind high-risk labels is safer. Imagine that a bank took the same approach to Internet risk or credit risk. It would proclaim that it does not accept any high risk and proceed to label certain business transactions and people as high risk. There is an amazing amount of hubris associated with pretending that the method of accounting for risk is the key concern in a court proceeding. It is far more likely that the real culprit is the lack of action taken to address cyber concerns, rather than assessing them in the first place.
The sole plausible argument for this, and only tenuously so, is that an organization may wish to rely on Rule 702 of the US Federal Rules of Evidence (FRE) to hire its risk assessors through outside counsel and have the work product protected under attorney-client privilege. Under such rules, the organization would not be compelled to disclose the results of the CRQ assessment during the discovery process. However, it may still be obliged to reveal such results to regulators or investors. Organizations simply cannot conduct all of their due diligence activities through such furtive means, as doing so creates operational friction in the normal course of business. Internal risk assessments inform decision-making, improve processes and mitigate risk within the organization. Adhering to the procedures and requirements of Rule 702, which are designed for court proceedings, may introduce additional complexity, time and cost that is neither necessary nor practical for internal risk assessment purposes.
A mature cyberrisk management program is modeled and managed quantitatively. This drives prioritization and effective investment. Internally, organizations know that whatever their allocated budget is, it is applied judiciously to the areas that have the most impact. A strong cyberrisk management program also allows organizations to purchase the correct amount of insurance and account for any gaps through capital allocation exercises. Increasingly, the investment community is looking for the same from organizations. Moody's Investors Service has gone on record saying that utilizing CRQ is credit positive for organizations. If CRQ is good for investors, then it cannot also be something that creates liability for organizations, unless it only serves to highlight other bad management practices.
Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC
Is a cyberrisk quantification expert, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)² 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.