In the first part of my blog post I focused on calculating the impact of a cybersecurity breach in relation to a company’s size and industry. In part two, I present an approach to better understand how often a company will experience security breaches.
The probability is usually the big unknown. It does not help that our ability to estimate a probability is inferior to our ability to estimate damage. In addition, we must consider a range of limitations on our ability to estimate. We do not estimate well at very small or very large magnitudes: once in 1,000 years and once in 10,000 years are harder to tell apart than once per year and once in 10 years. We also tend to overestimate the probability of incidents that have occurred recently.
The great uncertainty drives risk practitioners to reduce their risk assessments to pure impact assessments (“Estimations of probability can only be wrong!”). However, we can use what is out there on data and make comparisons.
1. Find the right data sources…
A starting point should be a comprehensive list of breaches, for example the HHS breach report. This report lists companies that experienced breaches of more than 500 records of Protected Health Information (PHI). Following an approach presented by Douglas W. Hubbard, this list can be compared with the Fortune 1000 healthcare companies to determine how many of them have experienced such a breach, which already yields a first estimate. While this is specific to healthcare, another comparison can be made: how many more or fewer breaches does industry X have compared to the healthcare industry? The VERIS Community Database (VCDB) provides the answer.
2. …and understand their limitations
It is essential to understand the limitations of data sources. While this seems obvious, limitations are often not taken into consideration. The “survivorship bias” – the tendency for failed companies to be excluded from performance studies – is one such example. I would love to see a data breach study that focuses on companies that haven’t experienced breaches and what they might have done right! In the case of the HHS breach report, only breaches of more than 500 records are considered. Breaches that are not related to Protected Health Information are excluded. Also, integrity and availability scenarios are not covered.
Again, the VCDB provides the answer. A simple comparison shows that about every fifth data breach involves fewer than 500 records. We can simply increase our estimate based on this.
3. Tailor the information to your company
Of course, company size matters. If the company of concern is significantly smaller or larger than the median Fortune 1000 company – which is our basis for comparison – the likelihood should be adjusted accordingly.
Lastly, if the security program’s budget deviates heavily from industry averages, or the cybersecurity budget is spent ineffectively, the estimate should be adjusted. I strongly suggest not looking at companies in isolation but rather at how they compare to their peers.
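The three steps above, carried through as one calculation. This is an added worked example and not part of the original post; every input value is a constructed placeholder, the factor names are my own, and the final conversion from an annual breach rate to a probability of at least one breach assumes a Poisson arrival process, which the post does not state.

```python
import math
from dataclasses import dataclass


@dataclass
class BreachRateInputs:
    # Step 1: peer group from the breach report vs. the Fortune 1000 list
    peer_companies: int        # e.g. Fortune 1000 healthcare companies (constructed)
    peers_breached: int        # how many of them appear in the HHS breach report (constructed)
    years_observed: float      # time span the breach report covers (constructed)
    industry_ratio: float      # breaches in target industry / healthcare, from VCDB (constructed)
    # Step 2: limitations of the source
    small_breach_share: float  # share of all breaches below the report's 500-record threshold
    # Step 3: tailoring to the company
    size_factor: float         # >1 if larger than the median peer, <1 if smaller
    program_factor: float      # >1 for a weaker-than-peer program, <1 for a stronger one


def annual_breach_rate(i: BreachRateInputs) -> float:
    """Expected number of breaches per year for the company of concern."""
    # Step 1: fraction of peers breached, spread over the observation window
    rate = i.peers_breached / i.peer_companies / i.years_observed
    # Step 1, second comparison: scale from healthcare to the target industry
    rate *= i.industry_ratio
    # Step 2: the report omits breaches below its threshold; if one in five
    # breaches is that small, reported breaches are only 80% of the total
    rate /= 1.0 - i.small_breach_share
    # Step 3: size and security-program adjustments relative to peers
    rate *= i.size_factor * i.program_factor
    return rate


def probability_at_least_one(rate: float, years: float = 1.0) -> float:
    """P(at least one breach in `years`), assuming Poisson arrivals (my assumption)."""
    return 1.0 - math.exp(-rate * years)


if __name__ == "__main__":
    # Constructed inputs: 18 of 60 peers breached over 5 years, same industry
    # as the report, one-in-five small-breach share, median-sized company
    example = BreachRateInputs(60, 18, 5.0, 1.0, 0.2, 1.0, 1.0)
    r = annual_breach_rate(example)
    print(f"annual rate: {r:.3f} breaches/year")
    print(f"P(>=1 breach in a year): {probability_at_least_one(r):.3f}")
```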
The development of the cybersecurity market confirms this. Professional service organizations offer comparisons against industry averages along with security assessments. Technical solutions and especially risk management solutions increase their capabilities to not only provide an array of key performance indicators and security measurements but also to compare against other organizations.
But how much can a mature cybersecurity program actually lower the risk, and how much is just bad luck? Attacks follow the path of least resistance, so the weaker a company’s security is compared to its peers, the greater its chance of being the target. Hence, understanding how well security performs in relation to peers may be superior to setting maturity or risk reduction targets in absolute terms.
Read Part 1 by Gideon Knocke, Calculating Your Company’s Total Cybersecurity Risk Exposure.