Connecting Cyber Risk to Business Risk
It's no secret that the increase in ransomware attacks poses a critical threat to business operations. These threats are also making it increasingly difficult for businesses to find adequate and affordable cyber insurance coverage. As a result, enterprise leaders around the world have tasked information security leaders with connecting cyber risk to business risk and quantifying the impact.
Collaboration Solves the Cyber Risk to Business Risk Challenge
Over the past year, the Center for Internet Security (CIS) and Foresight Resilience Strategies (4RS) – a consulting group known for building tools that quantify information risk in financial terms – have worked together to solve this issue.
This collaboration has resulted in the CIS Controls Self Assessment Tool (CIS CSAT) Ransomware Business Impact Analysis tool. The tool helps organizations of all sizes conduct a rapid and inexpensive cyber risk self-assessment and present those findings in language that speaks to business executives.
4RS integrated the CIS Critical Security Controls (CIS Controls) v7.1 Implementation Group 1 (IG1) Safeguards, which are defined as essential cyber hygiene, into its risk models and simulations. 4RS also integrated the CIS Community Defense Model (CDM) into the tool. The CDM found that IG1 provides mitigation against the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware.
Identifying the Impact of a Ransomware Attack on a Business
The Ransomware Business Impact Analysis tool applies scores for ransomware-related Controls to estimate an enterprise’s likelihood of being affected by a ransomware attack. Those who have already started an assessment using CIS-Hosted CSAT can import the scores from that assessment.
The tool will help users:
- Characterize and forecast the business impact of a ransomware incident should one occur
- Estimate the likelihood of a loss event in the coming 12 months based on their implementation of the Controls
- Calculate the financial risk of an incident based on measures of impact and likelihood
- Make risk-informed decisions about their information security
- Better engage non-technical stakeholders in cyber risk management efforts
- Prioritize efforts and effectively allocate resources
Who Should Use the CIS CSAT Ransomware Business Impact Analysis Tool?
- Cybersecurity professionals can use this tool to assess, report, and propose changes in Controls based on a return-on-investment analysis.
- Financial and operational business leads can better understand how the budget they have deployed to cybersecurity provides financial benefits in terms of concrete loss prevention.
- Board members can approach presentations and discussions of cyber risk in a way that's consistent with how they review reports on the company’s financial exposure for other risk categories.
- Stakeholders at all management levels can communicate about their cyber risk in a common framework and language.
The tool walks users through multiple loss categories, allowing potential financial impact ranges to be entered for each category and sub-category. These categories cover a variety of topics, including:
- Productivity Costs
- Response Costs
- Replacement Costs
- Legal Costs
- Competitive Advantage Costs
- Reputation Costs
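As an added illustration, not the CIS CSAT tool's own model (which the article does not describe), the Python below combines a low/most-likely/high impact range for each of the six loss categories with a 12-month incident likelihood to produce an expected annual loss and a simulated loss distribution. The loss ranges, the 25% likelihood and the triangular-distribution assumption are constructed sample values, not figures from the tool.

```python
"""Hypothetical annualized ransomware loss model (illustration only; not the CIS CSAT tool's model)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossRange:
    """Low, most-likely and high loss estimate (USD) for one loss category."""
    category: str
    low: float
    mode: float
    high: float

    def expected(self) -> float:
        # Mean of a triangular distribution spanning low..high with its peak at mode.
        return (self.low + self.mode + self.high) / 3.0


# Constructed sample input: one range for each loss category named in the article.
SAMPLE_RANGES = [
    LossRange("Productivity Costs", 50_000, 200_000, 800_000),
    LossRange("Response Costs", 25_000, 100_000, 400_000),
    LossRange("Replacement Costs", 10_000, 50_000, 250_000),
    LossRange("Legal Costs", 0, 75_000, 500_000),
    LossRange("Competitive Advantage Costs", 0, 20_000, 300_000),
    LossRange("Reputation Costs", 0, 50_000, 600_000),
]


def expected_impact(ranges):
    """Expected single-incident loss: the sum of each category's triangular mean."""
    return sum(r.expected() for r in ranges)


def annualized_loss_expectancy(ranges, likelihood):
    """Financial risk = likelihood of an incident in the next 12 months x expected impact."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return likelihood * expected_impact(ranges)


def simulate_annual_loss(ranges, likelihood, trials=20_000, seed=1):
    """Monte Carlo over one year: zero loss unless an incident occurs, else draw every category."""
    rng = random.Random(seed)  # fixed seed so the percentiles are reproducible
    losses = []
    for _ in range(trials):
        if rng.random() >= likelihood:
            losses.append(0.0)  # no incident in this simulated year
        else:
            losses.append(sum(rng.triangular(r.low, r.high, r.mode) for r in ranges))
    losses.sort()
    pct = lambda p: losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"mean": sum(losses) / trials, "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}
```

With a 25% likelihood the median simulated year shows no loss at all, while the 90th and 99th percentiles expose the tail that an executive comparing this against insurance limits would want to see.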
The CIS CSAT Ransomware Business Impact Analysis tool helps organizations better understand how likely a ransomware attack is for their organization and how severe its impact would be if one occurred. The reporting from the tool can be used to enhance the discussion on ransomware risk at an enterprise level, ultimately enabling organizations to better invest in protection against these attacks.
Here’s how you can use a subset of the CIS Controls to guide your ransomware defense strategy.
How to Use the Report
- Promote discussion, understanding, and consensus among stakeholders on the estimated business impact of a successful ransomware attack as well as the importance and value of mitigating the risk of such an event.
- Integrate cybersecurity risk management into the overall risk management and risk governance processes by quantifying it in financial terms.
- Prioritize the implementation of additional Safeguards.
- Provide a defensible financial risk analysis to support sound resource allocation decisions.