What is cyber risk?

The US National Institute of Standards and Technology (NIST) defines cyber risk as the risk of depending on cyber resources (i.e., the risk of depending on a system or system elements that exist in or intermittently have a presence in cyberspace).

If this definition felt like a drink from a fire hydrant, don’t worry. Let’s start from something more basic. How would you define ‘risk’? Simply put, ‘risk’ is a situation involving exposure to danger. For example, someone driving a car without a seatbelt is in a risky situation.

If I was to guess, you are reading this blog from the comfort of your home or office, and probably feeling safe (and not at risk). Why so?

Here are a few reasons:

  • Your home is locked so outsiders can’t get in.
  • The front door is strong making it hard for anyone to break in.
  • The camera by your door provides visibility into anyone trying to get in.
  • The rooms may have windows and balconies, but you have an option to lock them.
  • You have an alarm system to alert security in case any intruder does manage to enter.
  • The police have not alerted you about any serial killer at loose.
  • The smiling weather person on TV is not forecasting a tornado.

So, what does this have to do with cyber risk ?

Organizations today rely heavily on information systems and these systems are analogous to your valuables at home. An enterprise’s “valuables” are the various assets, every piece of software and hardware, whether mobile or fixed, in-the-cloud or on-prem, managed or unmanaged, as well as IoTs, industrial control systems and more, and the data/information on these assets.

Much like you deploy measures (e.g., doors, windows, locks, alarm systems) to protect your belongings, enterprises need control mechanisms to allow or deny access to resources based on who is trying to access the resource. For example, you don’t want your co-worker to be able to read your compensation details in the HR system, while it is ok for the VP of HR and your boss to have access to this information. An online intruder (“cyber attacker”) trying to get inside your organization’s information systems, obviously without authorization, is akin to a burglar trying to break in.

Going back to the definition at the top of this page: cyber risk is the expected loss – financial or otherwise, from cyber attackers if/when they manage to break in.

How much money should your company expect to pay in ransom if 1/3 of your customer data was stolen as part of a ransomware attack, and what is the likelihood of such an incident happening this year? Would you also have to pay a fine to the authorities in Europe due to a GDPR violation? How is this expected loss different if all the attackers could manage to do was to bring down your company’s website? And how likely is that scenario?

As you can imagine, this topic of cyber risk becomes very interesting with different techniques for understanding risk types and scenarios, estimating likelihood of occurrence and quantifying risk, and mitigating/managing risk.

Key quotes about Cyber risk

  • ‘There are only two types of organizations: Those that have been hacked and those that don’t know it yet!’- John Chambers
  • “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stephane Nappo
  • “The knock-on effect of a data breach can be devastating for a company. When customers start taking their business—and their money—elsewhere, that can be a real body blow.” – Christopher Graham

Frequently Asked Questions

Should I worry about cyber risk?

Yes, you should! The cybersecurity landscape is constantly changing with an arms race between attackers and cyber defenders. Ransomware and expensive data breaches dominate news headlines almost every day. More than half (58%) of small businesses reported having suffered a data breach. You can learn a lot more about cyber breach trends in the latest Verizon’s data breach investigation report

What are the different types of cyber risk? 

The scope of cyber risk is far and wide. Cyber risk categories include (but are not limited to):

  • any financial loss due to disruption in operations, threat of extortion
  • any loss of confidential information e.g intellectual property,
  • loss of productivity due to unavailability of systems,
  • privacy risk resulting from customer data being stolen,
  • legal liabilities for the organization due to non-compliance with regulations
  • damage to the reputation of an organization resulting from the failure of its digital systems. 

How is cyber risk calculated?

As you can imagine, the ability to calculate cyber risk accurately is fundamental to making the right decisions about managing cyber risks. Cyber risk quantification is the process of calculating risk exposure and its potential financial impact to an organization in money units.  The need for cyber risk quantification arose as a way for organizations to prioritize the cyber risks and communicate in a simplified language that is comprehensible by the operations teams and executive leadership. Click here to learn more.

How is cyber risk managed?

Organizations across the globe are constantly looking for the best ways to manage threats and vulnerabilities. Using vulnerability scanners to identify unpatched software can be one potential way but it is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and prioritization combined with mitigation actions. Click here to learn more about risk based vulnerability management.

Recommended Resources

Cyber Risk Quantification: A CISO Executive Guide
How to Calculate your Enterprise’s Breach Risk
9 Slides Every CISO Must Use in Their Board Presentation
9 Slides Every CISO Must Use in Their 2024 Board Presentation
Oerlikon case study
Case Study
Oerlikon Reduces Patch Time and Improves Management-Level Cyber Risk Visibility