What problem are we trying to solve?
Humans love predicting the future. What is the probability that a team will win? What is the probability of rain tomorrow? What will my day look like?
So much so, that big industries have been built on probabilities and predictions.
What is the probability of a person paying back a mortgage?
What is the probability of a driver getting into an accident that triggers insurance?
What is the probability of a vaccine being effective?
With cybersecurity risk becoming one of the most important enterprise risks to manage, is it useful to ask, ‘What is the probability of a cyber attack over the next 12 months?’ The answer is yes. Understanding your risk profile helps you plan and proactively manage cyber risk. If you know your weaknesses, you can fix them and prevent attacks in the future. You can build your action plan prioritized by quantified impact. You can decide your cyber insurance coverage. You can evaluate the ROSI (Return on Security Investment).
But how do you quantify cyber risk in the first place, so you can manage it?
What is the Safe CRQ Calculator?
Safe CRQ Calculator aims to quantify the cyber health of an industry based on the external threat landscape and the inherent risk profile of that industry.
Outputs of the Safe CRQ Calculator are:
- Probability of any attack happening over the next 12 months
- Probability of a specific attack (Ransomware, data breach, business email compromise) happening over the next 12 months
- Potential loss due to a ransomware attack
The above numbers are calculated at an industry level – for example, the healthcare industry or the financial services industry. To calculate the numbers at a company level, we have to account for that company's specific attack surface environment and the status of its controls.
Inputs into the Safe CRQ Calculator are:
- Industry: Different industries have different levels of criticality and attractiveness to attackers. For example, an average healthcare company holding personal healthcare records is very different from an average manufacturing company. Note that the criticality and attractiveness of specific companies might differ from their industry average. For example, a manufacturing company building a critical infrastructure product might be more susceptible to an attack than an average healthcare company.
- Size (revenue): The cyber threat to a $5M-revenue company is normally very different from the threat to a $5B-revenue company.
How did we build the calculator? The research behind it
A lack of accurately reported data makes it difficult to build predictive models. We looked at multiple data sources and applied our expertise to build these models; several of our research teams came together to do so.
Safe’s Threat Intel research:
- We have telemetry coming from ~400K assets on our platform today. This helps us to understand macro patterns.
- We have run hack analyses of ~100 breaches over the last 3 years.
- Attack-specific reports from cybersecurity vendors like Palo Alto Networks and CrowdStrike
- Verizon DBIR reports
Safe’s Financial Cost research:
To calculate the estimated financial impact of an attack, we looked at the following detailed data points:
- Our proprietary database of attack costs and metadata collected from primary sources (like SEC filings, regulatory reports, legal documents, and budget reports) covering more than 1,500 security incidents worldwide over the last 10 years
- Insurance claim reports from leading cyber insurers such as Cyentia, Netdiligence, Willis Tower, Coalition and more
The financial model is based on assets targeted by the attacker and the costs generated as a result of the type of attack on those assets.
- Customizable cost drivers are used to estimate costs by category rather than simulated ranges of sparse historical data points.
- A “model company” is created for each industry by revenue size against which modeled attacks are normalized. This adjusts for differences in asset configuration within a given revenue range.
- Probability and likelihood scores are then applied to the modeled financial impact of various attack types by industry.
Safe’s Data Science Research:
- Our Bayesian network model has been co-built with MIT.
- We calculate the probabilities of a successful attack happening over the next 12 months based on this Bayesian model.
As mentioned above, there are multiple gaps in publicly available data. To fill these gaps, we applied our internal cybersecurity threat expertise and data science expertise.
Key findings
- Professional services, financial services and healthcare are the most vulnerable sectors, with almost a 1-in-4 probability of being attacked successfully.
- Attacks on SMBs have been rising, and the likelihood of an SMB suffering a company-threatening loss is increasing as well.
- In a ransomware attack, the ransom, if paid, makes up less than 10% of the total financial impact of the attack; you are exposed more than you think.
- The industry average numbers are a starting point to begin understanding and quantifying your cyber risk. One can assess real cyber risk only with a deep understanding of the internal cyber environment.
We plan to update this model regularly, as the external threat environment evolves.
What does it mean for a company?
Whether you are on the CISO team or the risk team, or are a C-suite or Board member, you can use the industry data as a starting point for quantified cyber risk management in your organization.
- Benchmarking: Where do you stand vs your peers? Are you best-in-class? How do you get to the best-in-class?
- You can translate the technical risk to business risk.
- You can create an action plan for your team with ROSI (Return on Security Investment) and evaluate your cybersecurity investments.
- You can make decisions based on your quantified cyber risk, such as where to invest and how much cyber insurance to buy.
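The following is an added illustration (not Safe Security's code or data) of the mechanics described in the financial model section and in the ROSI bullet above: cost drivers by category for a "model company", normalization to a target company's revenue, expected annual loss as probability times modeled impact, and ROSI for a control that lowers the attack probability. Every cost figure, probability and the linear revenue-scaling rule are constructed placeholders.

```python
# Constructed placeholder cost drivers (USD) for a ransomware event at a
# hypothetical "model company" with $500M revenue. Not Safe Security's data.
MODEL_COMPANY_REVENUE = 500_000_000
RANSOMWARE_COST_DRIVERS = {
    "ransom_payment":        1_500_000,
    "business_interruption": 9_000_000,
    "incident_response":     2_000_000,
    "legal_and_regulatory":  2_500_000,
    "customer_notification": 1_000_000,
}


def normalize_impact(drivers, revenue, model_revenue=MODEL_COMPANY_REVENUE):
    """Scale each cost category from the model company to the target revenue.
    Assumption (placeholder): costs scale linearly with the revenue ratio."""
    factor = revenue / model_revenue
    return {category: cost * factor for category, cost in drivers.items()}


def total_impact(drivers):
    """Modeled financial impact of one event: the sum over cost categories."""
    return sum(drivers.values())


def ransom_share(drivers):
    """Fraction of the total impact that is the ransom payment itself."""
    return drivers["ransom_payment"] / total_impact(drivers)


def expected_annual_loss(probability, impact):
    """Annualized loss: probability of a successful attack in the next 12
    months times the modeled impact of that attack."""
    return probability * impact


def rosi(eal_before, eal_after, control_cost):
    """Return on Security Investment: net loss avoided per dollar spent on a
    control, i.e. (loss reduction - control cost) / control cost."""
    return (eal_before - eal_after - control_cost) / control_cost


if __name__ == "__main__":
    impact = total_impact(RANSOMWARE_COST_DRIVERS)
    print(f"model-company impact: ${impact:,.0f}")
    print(f"ransom share of impact: {ransom_share(RANSOMWARE_COST_DRIVERS):.1%}")
    # Constructed: 24% baseline probability, 16% after a backup/recovery control.
    before = expected_annual_loss(0.24, impact)
    after = expected_annual_loss(0.16, impact)
    print(f"ROSI of a $500k control: {rosi(before, after, 500_000):.2f}")
    small = normalize_impact(RANSOMWARE_COST_DRIVERS, 50_000_000)
    print(f"impact for a $50M company: ${total_impact(small):,.0f}")
```

A positive ROSI means the control's expected loss reduction exceeds its cost; the ransom share output shows how a category breakdown makes the "ransom is a small part of the loss" finding visible.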