Quantifying Cyber Risk: A Top-down Approach

Presented by

Ariel Evans, CEO, Innosec

About this talk

Cyber risk must be measures using a top-down approach to understand the business impact of cyber risk in dollars and cents and the effectiveness of cyber controls. Bottom-up approaches stop at the system level and do not tie the business processes to the data assets and the systems, hence they lack the ability to demonstrate the effect a missing control, or a discovered vulnerability has on cyber risk. Bottom-Up methods have proved themselves to be extremely inaccurate as they measure controls on the technology level and only describe the control maturity and not its effectiveness. Control maturity is a term that is commonly used by IT to measure their ability to perform and is derived from IT governance methodologies such as CobIT, ITIL and CMMI models. From a Risk Management perspective, controls maturity has no effect on Risk because it only describes the implementation status of the control. For example, an Anti-Malware solution can be 90% mature because it is installed on 90% of the end-points. But from a Risk perspective, the policy this control is enforcing could be irrelevant to the Risk. So its effectiveness could be 0%. Measuring cyber risk by evaluating controls maturity puts the insurer in a very high exposure for loss. Learn how to quantify cyber risk in dollars and cents.

Related topics:

More from this channel

Upcoming talks (21)
On-demand talks (3501)
Subscribers (180317)
This channel features presentations by leading experts in the field of information security. From application, computer, network and Internet security to access control management, data privacy and other hot topics, you will walk away with practical advice for your strategic and tactical information security initiatives.