Why is Cyber Risk Quantification So Challenging?

Published by David White

It’s hard to get in the mind of a cybercriminal, says Axio President Dave White in his recent Cyber Side Chat with colleague Dale Gonzalez, Axio CPO.

Even though cyber risk quantification has gained increased recognition and adoption these past few years, it continues to be greeted with skepticism by certain security leaders and executives. “It’s too challenging for us,” many of them say.

At Axio, we understand the challenges of cyber risk quantification, particularly the ones expressed by professionals who have tried legacy GRC solutions.

Cyber risk quantification is supposed to give business leaders more control over future consequences so they can sleep soundly at night. It’s not dark magic, but a methodology based on tried and tested mathematical models designed to provide financial insight. Leaders want to know the chances that a threat will materialize and what it would look like if it did. When done right, cyber risk quantification makes it possible to plan technology and insurance investments with resiliency in mind.

But imagine trying to quantify the outcome of human behavior using a legacy method, which has you participating in a math Olympiad that requires Ph.D. statisticians on your team, doing all kinds of fuzzy math, like multiplying probabilities in an endless quest for precision. Even though this alleged precision may be marketed as dark magic, it’s a misnomer. Cyber-attacks are limited only by the imagination and technical capabilities of the attacker, and attackers are the ones who practice the dark arts: nation-states, hackers, hacktivists, disgruntled employees, cults, or just plain evil folks with malicious intent.

“It’s fundamentally hard to get in somebody else’s mind, especially when you don’t know who they are,” said Axio President Dave White, in one of our recent Cyber Side Chats.

Using colored heat maps is another legacy approach to cyber risk quantification that fuels executive skepticism. Counting how much red, yellow, and green you have on a chart doesn’t provide enough information to plan your next move.

Humans want to live with a higher degree of certainty. Worrying about the when and the how of a future event only increases feelings of anxiety and helplessness. The uncertain timing of potential future threats makes it challenging to prepare for and survive their consequences, creating a never-ending worry loop.

Fortunately, in the business world, we can plan to mitigate and manage the consequences of cyber events, despite the unpredictable nature of human behavior. Axio360 focuses on scenario planning and the financial consequences, so you can ensure organizational resilience. We built the solution to work around your own professionals, who know the organization best and will incorporate their experience and insight into the organization’s processes. This removes the worry from the cyber risk equation.

If you’d like to learn more about Axio360, we’d be happy to demo our cyber risk quantification solution.