CyberVaR: Quantifying the risk of loss from cyber attacks

What is cyberVaR?

CyberVaR, or cyber Value at Risk, is a risk estimation method that provides top management with a single risk number, together with its statistical probability, for understanding the overall cyber security risk of an enterprise. Its data can then be fed into an organisation’s existing enterprise risk management framework.

It helps answer an important question for any organisation facing a world of increasingly sophisticated criminals: how much are we likely to lose to cyber attacks over a given period of time? And with extensions and analysis, it can help answer questions such as “if we invest more in security, how much could we reduce our risk?” Although getting to the bottom of these questions is neither easy nor certain, cyberVaR provides a powerful framework for the risk estimation process and discussion.

CyberVaR estimates the minimum expected loss for an organisation or activity at a specified percentage level over a given period of time.

For example, it can be used to ask: what is the minimum expected loss, with a five percent chance, over a year of business operations? Suppose that for a large multinational company, that figure is US $450 million. If this level of expected minimum loss five percent of the time – or once every 20 years – is too high, the CEO might choose either to buy cyber liability insurance to reduce that exposure or to invest more in security efforts to lower expected losses.

The power of cyberVaR is that it expresses risk in one number at the highest level, and it uses a methodology consistent with traditional VaR, or value at risk, a well-established risk model used across financial services and in other industries worldwide.

A recent study by the Center for Strategic and International Studies estimates that global cyber losses will average US $400 to $500 billion per year over the next seven years. These losses are spread across companies, governments and individuals around the world.

How does cyberVaR work?
In 1995, Rod Beckstrom and Dr. Alyce Campbell, in the book Introduction to VAR, proposed a method of estimating financial Value at Risk and of comparing actual losses against those estimates to determine their accuracy and to assess the reliability of risk management judgments.

Value at Risk estimates the total global market risk that banks face in their trading, lending and other operations. It is used to analyse market risk related to interest rates, currencies, equities, commodities or almost any other factor. It can also be used for non-market risks, such as default and operational risks. It is now a global financial industry standard and is used for computing capital adequacy requirements for banks worldwide.

Sophisticated VaR models also consider the correlation among risk factors, because risks that are correlated lead to higher overall risk levels and those that are not related tend to diversify or reduce risk.

While VaR is the pre-eminent global enterprise financial risk model, it has its limitations, and numerous detractors. Yet no one has come forward with a better model.

Recently the idea has arisen to apply the same methodology to cyber risk.

VaR methodology
If all outcomes were randomly distributed and fit into a normal or “bell shaped” probability curve, it would be easy to estimate VaR with considerable accuracy. In reality, very significant losses tend to be highly irregular and outsized. Nonetheless, VaR is now the central risk methodology for most banks and financial service entities worldwide, as well as for many non-financial corporations, because the fundamental insights work and because the mere effort of gathering accurate risk data leads to better awareness and practices.

In banking, calculating VaR centres on gathering all available data on loans, trading positions and derivative contracts across the firm, then estimating their current value and the daily standard deviation – the likely daily change in each asset value. With the standard deviation, VaR can be estimated based on a confidence interval – a specific probability range for calculating risk.

How can VaR be applied to cyber security?
Major organisations have sophisticated risk management offices that calculate VaR as part of their institutional risk assessments. However, few organisations have historically done this for cyber risks. Information or network security was managed simply to avoid attacks or to quickly recover. Security teams did not typically apply financial loss estimation techniques to their activities.

With cyberVaR, this will likely change as security groups put more effort into estimating and quantifying risks and feeding that data to senior management and enterprise risk groups.

How cyber criminals work
Cyber security is about protecting a firm’s assets and operations against network intrusion and other forms of electronic attack. While many attacks originate outside the organisation, they can also come from inside.

Financial assets are lost when hackers steal credit card credentials and purchase goods on their own behalf, create illicit wire transfers to the hacker’s overseas account or make unauthorised account withdrawals, for example. It is estimated that more than US $30 billion is stolen online annually.

But the real cost of fraud losses is even greater. Typically another $2 or more for every direct dollar lost must be spent on mitigating the damage, notifying and compensating customers and correcting accounts. Reputational damage from a serious attack can have a dramatic impact on a company’s financial position through lost customers and reduced confidence in the brand. Consider, for example, the December 2013 Target data breach that resulted in a 46 percent drop in net profit over the holiday period and a record 5.5 percent fall in the number of transactions in the following quarter.

Information assets are lost when various forms of information are stolen. This can include financial credentials that are then sold to other criminals; intellectual property such as patents and confidential business plans that end up in the hands of competitors; employee lists, health records or any other information of value to someone else.

Revenues are also lost when hackers launch DDoS attacks, making it impossible for clients to buy goods at a company’s e-commerce website. Interruptions to operations can cost millions of dollars per hour for major websites.

The nuts and bolts of cyberVaR
The first step in estimating cyberVaR is to identify the most valuable information assets and business activities that could be stopped or harmed by a cyber attack, and to estimate the value of the potential loss for each.

The next step is to estimate the probabilities of these losses occurring.

The final step is to combine those figures to calculate an aggregate cyberVaR figure.

For example, a company might have the following information assets, with estimated values, and operational risks:

Information and other long-term assets        Lost value if stolen or impaired
10 million customer credit card records       $2 billion
Firm’s reputation (15% of market value)       $450 million
Patent portfolio                              $220 million

Operational cyber risks                       Lost value if stolen or impaired
Average annual online fraud losses            $50 million
Cost per hour of online outage                $5 million

Hard work must then be done, based on these values and costs, to estimate the probability that each of these losses will occur, and to estimate the correlation between them – the likelihood that a single cyber attack leads to losses in several categories at once, which can and does happen. This data is then used to generate an expected distribution of overall cyber losses.

Using the above example, applying probabilities of occurrence and correlation might produce a net five percent cyberVaR of $150 million or a one percent cyberVaR of $500 million.
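The three steps above, and the standard-deviation and confidence-interval description under “VaR methodology”, can be carried out numerically. The Monte Carlo simulation below is an added example, not part of the article and not a Rod Beckstrom Group tool: it takes the asset values and operational figures from the table above, attaches assumed annual probabilities of loss, an assumed correlation between loss categories (modelled here with a one-factor Gaussian copula, a common way of generating correlated loss events), and an assumed variance for fraud losses and distribution for outage hours, then reads the five percent and one percent cyberVaR directly off the simulated annual loss distribution. Every probability and distribution parameter is an assumption for illustration, so the output will not reproduce the article’s $150 million and $500 million figures.

```python
"""Monte Carlo cyberVaR estimate built around the article's asset table.

The asset values, average fraud loss and outage cost per hour are the
article's figures. Every probability, standard deviation, correlation and
outage-duration figure below is an ASSUMPTION made for this example.
"""
import math
import random
from dataclasses import dataclass
from statistics import NormalDist

NORMAL = NormalDist()  # standard normal; Phi(z) turns a Gaussian draw into a uniform


@dataclass(frozen=True)
class LossEvent:
    name: str
    loss: float         # lost value if the event occurs (article's table)
    annual_prob: float  # ASSUMED probability that it occurs in a given year


# Long-term assets from the article's table; the annual probabilities are assumptions.
ASSET_EVENTS = [
    LossEvent("10 million customer credit card records", 2_000_000_000, 0.02),
    LossEvent("Firm's reputation (15% of market value)", 450_000_000, 0.03),
    LossEvent("Patent portfolio", 220_000_000, 0.04),
]


def simulate_losses(events, n_years, seed, rho, fraud_mean, fraud_sd,
                    outage_cost_per_hour, outage_hours_mean):
    """Return one simulated total cyber loss for each of n_years.

    Correlation uses a one-factor Gaussian copula: each event's latent
    variable shares a common factor with loading rho, so a bad year (large
    common shock) makes several loss categories fire together, which is the
    correlation effect the article says must be estimated.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        common = rng.gauss(0.0, 1.0)
        loss = 0.0
        for ev in events:
            z = rho * common + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
            # Phi(z) is uniform on (0, 1), so this fires with probability annual_prob
            if NORMAL.cdf(z) <= ev.annual_prob:
                loss += ev.loss
        # Recurring online fraud: normal around the average annual figure, floored at zero.
        loss += max(0.0, rng.gauss(fraud_mean, fraud_sd))
        # Outage: exponentially distributed hours of downtime times the hourly cost.
        if outage_hours_mean > 0:
            loss += outage_cost_per_hour * rng.expovariate(1.0 / outage_hours_mean)
        losses.append(loss)
    return losses


def var_at(losses, confidence):
    """Empirical VaR: the loss level exceeded with probability (1 - confidence)."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(idx, len(ordered) - 1))]


def run_cyber_var(n_years=20_000, seed=7, rho=0.4):
    """Simulate n_years of losses and report the expected loss and the 5% and 1% cyberVaR."""
    losses = simulate_losses(
        ASSET_EVENTS, n_years, seed, rho,
        fraud_mean=50_000_000, fraud_sd=15_000_000,          # $50M average from the article; sd assumed
        outage_cost_per_hour=5_000_000, outage_hours_mean=6.0,  # $5M/hour from the article; hours assumed
    )
    return {
        "expected_loss": sum(losses) / len(losses),
        "var_5pct": var_at(losses, 0.95),  # exceeded about one year in 20
        "var_1pct": var_at(losses, 0.99),  # exceeded about one year in 100
    }


if __name__ == "__main__":
    for key, value in run_cyber_var().items():
        print(f"{key:>14}: ${value / 1e6:,.0f} million")
```

Changing `rho` shows the correlation point made earlier in the article: with `rho` near zero the categories diversify and the tail VaR figures fall; with `rho` near one a single bad year wipes out several asset classes together and the one percent cyberVaR rises sharply, even though the expected loss barely moves.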

While estimating values and probabilities in the face of so many variables may seem a heroic task, it is possible. In fact, insurance companies collect more than US $2 billion in cyber insurance premiums each year, and more than a thousand claims have been processed thus far. Typical cyber liability premiums cost about three to four percent of insured value, so this already implies an expected loss distribution. And if the insurance industry can estimate expected cyber losses well enough to write billions of dollars of insurance, then companies can estimate it as well for their own risk management efforts.

Estimating the value of intellectual property
Clearly, some cyber losses are easier to estimate than others. Most online e-commerce sites already have excellent estimates of cyber fraud because it’s visible and hits the bottom line in dollars and cents. On the other hand, most companies don’t estimate the value of their patent portfolios or how much of their profits or market share they are likely to lose if an overseas competitor downloads a copy of their machine tool code.

Thus intellectual property loss estimates tend to be a bit squishy or simply absent. And most firms do not know even when their IP has been stolen because hackers take it silently. But that doesn’t mean these losses should not be estimated. How else can a firm consider how much it’s worth investing to protect its IP assets?

Tracking cyberVaR over time
Risk not estimated is risk misunderstood or mismanaged. The reality is that a lot of good hard work is needed to begin generating cyberVaR numbers and to improve them.

The next important and challenging step will be to determine which security investments actually reduce cyber risks. As business activities change, cyberVaR estimates will need to be recalculated to reflect those changes; cyber losses should be recorded and compared against forecasts.

A challenge in the field of cyber security is that often only the worst events are discovered, so those are the ones learned from. Millions or billions lost by companies like Target, Sony, Aramco or Home Depot are publicly documented and researched. But most losses go undiscovered, so much of the loss distribution is unknown or unseen.

It is difficult to estimate how secure a company’s information is or how hard its networks are to penetrate. But it is not impossible. Security audits, for example, can ascertain which information within a firm is encrypted. Penetration testing by outside experts can determine how easy or hard it is to break into a firm’s systems. But though this may produce some valuable information, there is no standard model for assessing the overall risk. And it is incredibly difficult to summarise the overall change in business activity from day to day and how it will affect cyber risks; in very large and complex organisations, it may be virtually impossible.

Precise estimates of cyberVaR require perfect information about every computer vulnerability in the world, known and unknown, at every level within a firm; perfect valuation of all assets and business activities; and the ability to accurately predict the behaviours of clients, employees and hackers.

Given that perfect information does not exist, intelligent risk assessment and estimation are all the more important. CyberVaR provides a sound approach and a goal to move towards.

Because hackers create new and increasingly sophisticated methods of attack every day, experts and systems designed to detect and prevent them will not keep up without new tools. CyberVaR’s time has come.

CyberVaR leverages decades of knowledge from the practical application of traditional financial VaR. For certain well-documented financial risks, such as credit card fraud or theft of personal financial information, it may be possible to apply it immediately or in the near term. But for estimating IP losses and other general business losses, the problem is much more complex. Tools, techniques and practices will need to be developed to help close the gap so that this valuable and game-changing concept can be applied in practice.

CyberVaR™ is a registered trademark of the Rod Beckstrom Group, Inc.

Rod Beckstrom: Former CEO of ICANN & US National Cyber Security Center