Quantifying Cyber Risk: A Top-down Approach

Presented by

Ariel Evans, CEO, Innosec

About this talk

Cyber risk must be measures using a top-down approach to understand the business impact of cyber risk in dollars and cents and the effectiveness of cyber controls. Bottom-up approaches stop at the system level and do not tie the business processes to the data assets and the systems, hence they lack the ability to demonstrate the effect a missing control, or a discovered vulnerability has on cyber risk. Bottom-Up methods have proved themselves to be extremely inaccurate as they measure controls on the technology level and only describe the control maturity and not its effectiveness. Control maturity is a term that is commonly used by IT to measure their ability to perform and is derived from IT governance methodologies such as CobIT, ITIL and CMMI models. From a Risk Management perspective, controls maturity has no effect on Risk because it only describes the implementation status of the control. For example, an Anti-Malware solution can be 90% mature because it is installed on 90% of the end-points. But from a Risk perspective, the policy this control is enforcing could be irrelevant to the Risk. So its effectiveness could be 0%. Measuring cyber risk by evaluating controls maturity puts the insurer in a very high exposure for loss. Learn how to quantify cyber risk in dollars and cents.

Related topics:

More from this channel

Upcoming talks (1)
On-demand talks (1746)
Subscribers (47903)
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world famous Certified Ethical Hacker (C|EH), Computer Hacking Forensics Investigator (C|HFI) and EC-Council Certified Security Analyst (E|CSA)/License Penetration Tester (L|PT) programs, and various others offered in over 60 countries around the globe.