How should we approach cyber risk?

On the face of it, an earthquake measuring 7.8 on the Richter scale may seem to inhabit a wholly different universe than the shadowy 0s and 1s of a cyber attack. When nature creates a risk event, you’re almost instantly aware of it—but weeks or even months can pass before you realize hackers are inside your company’s IT system or that an employee has lost a laptop with sensitive information on it. (The latest numbers from the Ponemon Institute’s 2015 Cost of Data Breach Study: 256 days, on average, to discover a security breach by a hacker; 158 days to identify human error.)

It stands to reason, however, that if all risks are interconnected to some degree, then the management, mitigation and best practices of them probably share some similarities. Identifying such commonalities can be particularly useful in relation to cyber risk management, which is a relatively new pursuit with limited history to draw upon.

“We’re starting to see the risk management world expand by applying learning across disciplines,” says John Scott, Chief Risk Officer, Global Corporate, Zurich Insurance Group (Zurich). “Technology is so prevalent today that it really overlays everything across the rest of the organization, so the risks do, too. You can’t just look at cyber risk in its own little box. You can learn a lot by considering cyber risks in parallel with other areas of risk.”

Lens of tangibility

In a paper discussing the taxonomy of operational cyber security risks, James Cebula and Lisa Young of the Software Engineering Institute at Carnegie Mellon University describe four classes: Actions of people; systems and technology failures; failed internal processes; and external events. Each of these is divided into additional sub-classes—for example, external events that include fires or natural hazards; regulatory compliance; supplier failure; energy supply, etc. These are not necessarily the first things that come to mind when considering cyber risks.

Amar Rahman, Principal Risk Engineer at Zurich, who conducts natural-hazards site assessments, has found that this gap in perception can be a key hurdle in helping protect and prepare clients.

“When we are doing a site assessment, if the site management hasn’t physically experienced a natural-hazard event, then the perception of the risk is quite low,” Rahman says. “It’s likely the same for cyber risk: If everything is running in the morning, you think it’s just another day of business as usual. In both cases, it’s important to think about the tangibility. On a site assessment, for example, the primary focus is usually on the risk of fire, because fire loads and triggers on the one hand, and the pertinent protection systems on the other, are tangible. With natural hazards and cyber risks, it’s important to visualize the consequences. A storm could cause real damage to your ability to do business, and maybe result in the loss of customers if you can’t provide them with what they need in a reasonable amount of time. If you think about cyber risks in terms of the impact on your operations and consequent loss of customers, you get a more tangible sense of how serious they are.”

Underlying fundamentals

Protecting data and other sensitive information is a major aspect of cyber risk management, and in that regard there is something to be learned from other risks that might seem like ancient history. As the chief risk officer (CRO) of a global data company notes: “If you think back to the days when we were worried about protecting papers containing sensitive information, the physical nature of how the information is recorded has changed, but the risk management premises around protecting digital data and access to it are familiar.”

It helps then, he says, to frame cyber data risks in that context. If a document was worthy of being locked in a safe, today it should be encrypted. If a document needed to be shredded after the proper eyes had seen it, today it can be digitally wiped.

“The way in which we assess risks as an enterprise in terms of understanding what the downstream effects are—that applies to cyber risk, too,” says the CRO. “Cyber is maturing faster and quicker than other risk management disciplines did, but the correlations between many of them are very much the same.”

Cyber risk management is aiming at a constantly moving target, and that creates serious challenges for businesses that shouldn’t be oversimplified. But when considering cyber risks, you needn’t reinvent the wheel entirely. The fundamental principle of risk management, says Scott, is to prioritize. Implicit in prioritization is that you understand your appetite for risk.

“When you prioritize you’re thinking: ‘What level of risk am I prepared to tolerate?’” says Scott. “You might have a very low-impact issue—the sort of little thing that goes wrong every day that doesn’t disrupt the organization. It might even be moderately impactful and happening consistently. Depending on your appetite, which may be expressed as a desire for a quality approach such as Six Sigma, maybe you will want to control that low-impact/high-likelihood event, but if not, then maybe you won’t. Likewise, you may or may not have an appetite for higher-impact risks. Either way, there’s always context and a cost/benefit analysis to consider.”

When you prioritize cyber risks, another common thread with other risks reveals itself: Cyber risks differ from company to company. Any company that has sensitive consumer information is an attractive target for hackers looking to access bank accounts. You’d rightly assume such a business has a low risk appetite and should proactively address it, but there are examples of near-zero risk appetite. A defense contractor that works on projects that have national security implications, for example, “might take very extreme approaches to managing cyber risks,” says Scott. “For example, you might create what are referred to in the IT industry as air gaps, which means you isolate computers with high-value data, so that they are only connected to each other—and nothing else, including the Internet—in a physically secure building. There are different approaches that you can take depending on the type of your organization, and the type of risk and threat. How systems are put in place to identify and mitigate other risks might be the thing that can teach you the most about doing the same for cyber risks.”

This article is published in collaboration with Zurich Knowledge Hub. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: John Scott is a Chief Risk Officer at Zurich. Amar Rahman is a Principal Risk Engineer at Zurich.

Image: An illustration picture shows a projection of binary code on a man holding a laptop computer. REUTERS