For financial institutions, safeguarding against cyber attack is now about more than just protection – increasingly it means managing cyber risk effectively across the organization. In modern, diffuse networks, such as those in most large banks, allocating risk across multiple network nodes (defined here as IT infrastructure, assets, and points of access) is vital to developing comprehensive strategies for managing cyber risk. Central to this is quantifying the risk. We believe that current scoring and statistically oriented models for cyber risk quantification are based on flawed assumptions, and fail to answer several key questions.
We propose a methodology for quantifying cyber risk that incorporates the physical network in the organization, and the behavior and characteristics of individuals and processes in that network – including the actions they take to mitigate cyber risks. In addition, as allocating and attributing risk are central to modifying the behavior of institutions and individuals, enabling organizations to easily attribute and allocate risk to specific nodes and edges of the network is central to our method. This paper provides a high-level summary of the approach, and highlights how it differs from, and improves on, existing models of cyber risk quantification.