Organizational cyber risk consists of three variables: 1) a scenario in which harm can come to an asset (“threat”, e.g. a phishing email); 2) a weakness in the organization that the threat can exploit (“vulnerability”, e.g. untrained users); 3) the consequence to the organization should the threat exploit the vulnerability (“impact”, e.g. a ransomware infection that costs the organization time and money to recover). There is some probability that a threat event will exploit a vulnerability (threat x vulnerability), and so the risk calculation becomes: probability x impact = risk.
Risk is typically calculated qualitatively first (“high”, “moderate”, “low”), but ultimately needs to be calculated quantitatively, in terms such as a dollar amount or the time required to recover. Quantitative calculation is required for the organization to understand the resources it may need to commit to mitigate the risk appropriately. Proper risk management dictates that an organization expend the minimum resources required to reduce risk to an acceptable level.
Taking the example of a phishing attack that spreads ransomware through an organization, the organization must first assess the impact: many organizations would suffer a high impact from a ransomware outbreak, since such an attack may cause irreparable, catastrophic harm to the organization. The impact is therefore rated qualitatively as “high”. The organization then analyzes the probability of a successful attack. Phishing emails and other social engineering tactics represent the single biggest threat to most organizations, and users are typically the organization’s weakest link. Thus the probability of a successful phishing attack against a user is high. The unmitigated risk (probability x impact) in this case is “high”. To mitigate this risk, the organization determines that the average cost of recovery from ransomware in its industry sector is, say, $50,000. The organization then undertakes to spend no more than $50,000 on mitigators such as user awareness training, email protections such as attachment scanning, and insurance that would offset the cost of the ransom.
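The following script is an added example, not part of the original text, that carries the phishing-and-ransomware scenario above through the three steps the passage describes: a qualitative probability x impact matrix, a quantitative expected-loss figure, and a check that a proposed set of mitigators stays within the spending cap and brings residual risk down to an acceptable level. The 3x3 scoring matrix, the probabilities assigned to each qualitative level, the control costs and the residual probability after controls are all constructed assumptions for the example; only the $50,000 recovery cost and the three mitigator types come from the text.

```python
from dataclasses import dataclass

# Qualitative scale used in the text, ordered from least to most severe.
LEVELS = ("low", "moderate", "high")

# Assumed representative annual probability for each qualitative level.
# These numbers are constructed for the example, not taken from the text.
PROBABILITY_OF = {"low": 0.1, "moderate": 0.4, "high": 0.8}


@dataclass
class Risk:
    """One risk scenario: a threat exploiting a vulnerability with some impact."""
    threat: str
    vulnerability: str
    probability_level: str   # qualitative threat x vulnerability likelihood
    impact_level: str        # qualitative impact
    impact_dollars: float    # quantitative impact, e.g. average cost to recover


def qualitative_risk(probability_level: str, impact_level: str) -> str:
    """Assumed 3x3 risk matrix: probability x impact -> qualitative rating.

    Each level is scored 1..3, the product ranges 1..9, and the product is
    bucketed back into low / moderate / high.
    """
    score = (LEVELS.index(probability_level) + 1) * (LEVELS.index(impact_level) + 1)
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def expected_loss(risk: Risk) -> float:
    """Quantitative risk: probability x impact, expressed in dollars."""
    return PROBABILITY_OF[risk.probability_level] * risk.impact_dollars


def max_mitigation_spend(risk: Risk) -> float:
    """Spending cap as the text applies it: no more than the cost of recovery."""
    return risk.impact_dollars


def evaluate_plan(risk: Risk, controls, residual_probability: str,
                  acceptable: str = "moderate") -> dict:
    """Check a mitigation plan against the budget cap and the acceptable level.

    controls: list of (name, cost) pairs.
    residual_probability: assumed qualitative probability once controls are in place.
    """
    total_cost = sum(cost for _, cost in controls)
    residual = qualitative_risk(residual_probability, risk.impact_level)
    within_budget = total_cost <= max_mitigation_spend(risk)
    low_enough = LEVELS.index(residual) <= LEVELS.index(acceptable)
    return {
        "total_cost": total_cost,
        "residual_risk": residual,
        "within_budget": within_budget,
        "acceptable": within_budget and low_enough,
    }


# Constructed scenario matching the text: high probability, high impact, $50,000 recovery cost.
PHISHING = Risk(
    threat="phishing email carrying ransomware",
    vulnerability="untrained users",
    probability_level="high",
    impact_level="high",
    impact_dollars=50_000.0,
)

# Constructed mitigation plan; the control costs are assumptions.
PLAN = [
    ("user awareness training", 15_000.0),
    ("email attachment scanning", 20_000.0),
    ("cyber insurance premium", 10_000.0),
]

if __name__ == "__main__":
    print("unmitigated risk:", qualitative_risk(PHISHING.probability_level, PHISHING.impact_level))
    print("expected loss: $%.0f" % expected_loss(PHISHING))
    print("spending cap: $%.0f" % max_mitigation_spend(PHISHING))
    # Assumes the plan reduces the probability of a successful phish to "low".
    print(evaluate_plan(PHISHING, PLAN, residual_probability="low"))
```

Running it rates the unmitigated scenario "high", reports a $40,000 expected loss against the $50,000 cap, and accepts the $45,000 plan because it stays under the cap and leaves residual risk at "moderate"; adding a further control that pushes the total over $50,000, or a plan that only lowers probability to "moderate", is rejected.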