This is Part 2 of a "Cybersecurity Risk" blog. Part 1 – A Primer for Measuring Cybersecurity Risk – examined three phases of a cybersecurity risk measurement process: business process inventory, data process flows and security controls mapping, and risk assessment.
Once the “weakest link” in a business process and its vulnerabilities have been identified (See Part 1), it’s important to look at the types of threats the asset faces and the potential impacts of a successful attack. A credit union’s Enterprise Risk Management Committee and Board of Directors should approve a list of threats for this process and review/update it as needed.
Using Confidence Intervals to Assess Impact
Using the threat list, the risk analyst should work with the business unit manager to determine the upper and lower bounds of the monetary impact and the upper and lower bounds for probable outages that would occur should one of the threats successfully compromise a business process.
The key to a realistic assessment of cyber risk is to avoid:
- “Armageddon” scenarios where you assume all IT assets are compromised and all the money is stolen
- “Pollyanna” scenarios where you assume that since it has never happened to you, it will never happen to you
To do this in as useful and efficient a manner as possible, you should use 90 percent confidence intervals for all impact assumptions. This means five percent of outcomes exist below the credit union’s defined lower bound for monetary impact, and five percent exist above the upper bound. Most risk analysts assume cyberattacks cannot have negative occurrences (negative data records stolen or attackers putting more money in the credit union’s account). Risk analysts would typically assume that the distribution of outcomes resembles a log normal distribution with the upper tail trailing off to infinity and the bottom side ending at zero.
Fine Tuning Internal Business and Risk Expertise
As noted in Part 1 of this blog, insurers and gamblers rely on their innate ability to estimate the odds of an infrequent event and accept the “tail risk” of being wrong as the cost of doing business. Credit unions do the same every day with their loan portfolios. Do lenders set loan rates with the expectation that all new loans will go bad? Probably not. Typically, there is a range of expected losses, usually captured in the loan rates competitors are offering versus the credit union’s loan loss experience the last few years. For example, if a recession becomes more likely, the financial press may report loan underwriting standards becoming “more strict.” This “tightening” just shows that financial institutions are balancing their risk book using their innate abilities and the prevailing market rates as guides.
Happily, using common calibration techniques, you can actually “fine-tune” over 80 percent of your business line managers’ and risk analysts’ innate abilities (expert knowledge and experience) to accurately estimate the odds of an infrequent event or the likely impact of the event. You can also determine which managers and analysts do not have the innate ability to be calibrated and adjust your risk assessment process accordingly.
Ultimately, fine tuning a business person’s innate abilities to estimate the odds of an event is the “silver bullet” specialized insurance companies have used successfully for centuries. The process to achieve this fine tuning will be explained in a future blog.
Pulling it All Together
After identifying the weakest link in the chain and estimating its probability for compromise, you can use the list of threats, probability of occurrence, probable impacts and a statistical process to estimate probable loss for the entire business line. This “pulling it all together” can be done with an Excel spreadsheet. We recommend using that spreadsheet to generate 5,000 random scenarios to see the range of probable losses and the likelihood that some will exceed your credit union’s risk tolerance.
In summary, establishing a successful cybersecurity risk measurement system and a thorough internal process for identifying threats and their probable impact will go far in protecting your credit union and satisfying regulators.
As your credit union’s dedicated partner on every front, Catalyst Corporate will continue to share risk management information, as available.