Insights from Catalyst

Welcome to Catalyst Corporate's blog - Insights from Catalyst. Here, read what thought leaders have to say about credit union news, trends and industry happenings. Have a blog idea, want to contribute or need to know more? Contact the Communications Team

A Primer for Measuring Cybersecurity Risk

August 08, 2019

by Brent Smith, Senior Vice President, Chief Risk Officer

In 2018, cybersecurity risk was ranked as the number one concern for NCUA – it even ranked ahead of credit risk and fraud risk at credit unions. However, regulators have provided little in the way of risk management tools for credit unions to use to measure cybersecurity risk in monetary terms. Credit union managers need such a tool to calculate how much capital or earnings is at risk from a cyberattack, or if a new cybersecurity tool will be worth the time and money required to install it. Cybersecurity Risk Management

Fortunately, insurance actuaries have been putting a dollar value on risk for centuries. And, Vegas odds makers have been profitably balancing their books and taking positions in one-off sporting events for decades.

Historically, these insurers and gamblers have successfully calculated a range of potential outcomes or the range of probabilities for a particular outcome, such as a ship sinking or an untested boxer besting a champion. Their innate ability to assess the risk/reward for a potential outcome was generally “calibrated” through tutoring or other means. Over the years, experience and advanced statistics have further defined and augmented this calibration.

Until recently, combining the experience cybersecurity professionals carried around in their heads with advanced statistical techniques was a nearly impossible task.

In their book, “How to Measure Anything in Cybersecurity Risk,” Douglas Hubbard and Richard Seiersen published “how to” techniques combining these two components. Part 1 of this “Cybersecurity Risk” blog examines three phases of implementation for the cybersecurity risk measurement process as outlined by Hubbard and Seiersen.


1. Business Process Inventory

For the business unit manager, assessing the business impact of a cyberattack is more about estimating the impact to critical data, potential downtime and revenue flows than identifying which systems would be attacked and how. The risk analyst assisting in the endeavor should then work with the business unit and IT systems managers to determine which IT assets are used for each business process and which users have access to each asset. Then, an inventory of sensitive data and revenue flows should be completed to determine if any monetary or investment securities are part of the assets the business unit manages.

Next, the risk analyst should work with the business unit manager to determine the impact of downtime for each IT asset. Downtime impact may already have been estimated as part of the annual business impact analysis for the credit union’s business continuity plan.

All information gathered in the business unit business process inventory phase should be stored in a database like SQL (Access) or Oracle and in the analyst’s work papers.

2. Data Process Flows and Security Controls Mapping

Next, the risk analyst should complete an inventory of the IT resources related to the business processes and the cybersecurity controls that currently protect each asset.

The inventory and mapping phase is complete when everyone involved knows:

  1. What data, money and securities flow through each IT resource
  2. Value of the data, money and securities
  3. Who has access to each IT resource
  4. Where the data, money and securities sit at rest for any period of time
  5. What vulnerabilities and security controls exist at each step of the process

3. Risk Assessment

Weakest Link Assumption

Given that IT assets used in a business process must link together so that data can be passed along to complete a business task, IT assets are trusted by each other to some extent. Hackers' attacks are typically successful against the weakest link in the chain. They then establish a beachhead on that asset and use the credentials found on that asset to jump to more valuable targets on the network. Therefore, the risk analyst should assess the probability of a successful attack on each IT asset in the business process chain and use the estimated probability of a successful attack on the “weakest link.”

Risk Decomposition Process

Layers of security controls typically create a stronger defense against attacks than any single control, but not all security controls are needed for every kind of data or user. Typically, the stronger the security control (such as callbacks for wires), the more burdensome/expensive they are (such as a DMZ for internet access). For example, wirerooms or credit card PCI zones have some of the most valuable targets for hackers to attack; they also have the most security controls protecting the workspace, the data and the credit union’s money.

To establish a successful cybersecurity risk measurement system, credit unions may want to consider implementing a three-phase process that employs business process inventory, data process flows and security controls mapping, and risk assessment.

Catalyst Corporate partners with your credit union in the fight against cybersecurity risk. Part 2 of this “Cybersecurity Risk” blog – slated for September 12, 2019 – will examine the types of threats IT assets face and the impact of a successful attack.