^{QUANTIFYING CYBER RISK}

BEYOND SECURITY AWARENESS - AN INTEGRATED HUMAN-CENTRIC APPROACH

^{QUANTIFYING CYBER RISK}

BEYOND SECURITY AWARENESS - AN INTEGRATED HUMAN-CENTRIC APPROACH

JENNIFER CHENG

Cybersecurity Strategy Director, Proofpoint

JENNIFER CHENG

Cybersecurity Strategy Director, Proofpoint

It’s truly difficult to communicate cyber risk in business terms. CISOs and security and risk management leaders have come a long way in creating relevant narratives around cyber risk to earn a seat at the table in boardrooms. Still, articulating cyber risk is a dark art that most security professionals aspire to practice daily and may spend their lifetimes working to get right.

This is why Cyber Risk Quantification (CRQ) is a growing field that has caught the attention of many security and risk management leaders. In their Benchmarking Cyber Risk Quantification⁽¹⁾, Gartner® defines defines Cyber Risk Quantifications (CRQ) as, “A method for expressing risk exposure from interconnected digital environments to the organization in business terms.

Risk exposure can be expressed in currency, market share, customer and beneficiary engagement and disruption in products or services over a chosen period.” While currency is the defining metric of business, it can be difficult to map a hard dollar value to black swan cyber events (low probability, high impact) or even soft opportunity costs.

Gartner defines the top 5 use cases by percentage of security and risk management (SRM) leaders⁽¹⁾ as:

_¹	78%	PRIORITIZE CYBER RISKS
_²	61%	COMMUNICATE TO RISK OWNERS
_³	61%	COMMUNICATE TO C-LEVEL EXECUTIVES
_⁴	53%	COMMUNICATE TO THE BOARD
_⁵	53%	ALIGN CYBER RISKS WITH OTHER RISK PRACTICES

_¹

78%

PRIORITIZE CYBER RISKS

_²

61%

COMMUNICATE TO RISK OWNERS

_³

61%

COMMUNICATE TO C-LEVEL EXECUTIVES

_⁴

53%

COMMUNICATE TO THE BOARD

_⁵

53%

ALIGN CYBER RISKS WITH OTHER RISK PRACTICES

Cyber risk in human-centric terms

Framing cyber risk in the context of people is the most understandable way of making it real and relevant to business stakeholders. This often starts in the form of telling stories about incidents affecting people in the organization.

This form of scenario analysis is one of the most compelling ways to demonstrate tangible impact. However, in the language of the FAIR (Factor Analysis of Information Risk) Methodology, this approach only tells a fraction of the story because the loss magnitude and loss frequency are only limited to the scope of that incident or person.

To tell a more universal human-centric cyber story, the risk model needs to recognize that human risks and vulnerabilities encompass a spectrum of behaviors, events, and actions that can expose individuals, companies, or institutions to cyber threats. Crucial facets to consider in the broader view of human risk include:

1. Security awareness and education:
Many individuals lack adequate knowledge about cybersecurity best practices. Ignorance about phishing scams, the significance of secure passwords, or the dangers of downloading suspicious attachments can inadvertently open the door to cyber threats.

2. User negligence and oversight:
Even with sufficient knowledge, human error remains a significant factor. Careless actions like leaving devices unlocked or unattended, using unsecured public Wi-Fi, or failing to update software regularly can create vulnerabilities that cybercriminals exploit.

3. Social engineering:
Most modern cyberattacks exploit human psychology through social engineering tactics. Techniques like phishing, where attackers masquerade as trustworthy entities to obtain sensitive information, rely on human trust to succeed.

4. Insider threats:
Employees or individuals with access to sensitive data pose an insider threat. Whether through malicious intent or inadvertent actions, insiders can compromise data security, making them a significant concern for organizations.

5. Threat landscape or threat intelligence:
Human behaviors alone are not malicious nor risky unless there is context and consideration for the ever-evolving panorama of potential risks, vulnerabilities, and dangers that may pose a threat to an organization’s information security.

6. Security posture and controls:
Most organizations already have sizable investments in cybersecurity readiness and capabilities to defend against potential threats and mitigate risk. These encapsulate the measures, strategies, policies, and practices put in place to protect information systems, networks, and data.

When it comes to the human factor, most of the time security and risk managers default to discussing security awareness training as the primary or sometimes even the only mitigating control. Risk needs to be seen through the lens of the people who are creating it and when they are creating it. The challenge is to quantify risk and understand when people are creating cyber risk, the telemetry lies across the security ecosystem – and does not easily reside in any single product, even those that are designed with integrations.

Any business leader will tell you that analytical nirvana would be having reports showing accurate and relevant data readily available in near real-time whenever they are ready to make a decision. This is also the hope in cyber security for risk, which is not easily done.

RISK NEEDS TO BE SEEN THROUGH THE LENS OF THE PEOPLE WHO ARE CREATING IT AND WHEN THEY ARE CREATING IT.

Proofpoint can help you understand your cyber risk and human risk

When it comes to quantifying cyber risk, to state the obvious, it is highly unlikely that any single vendor will be able to provide the ultimate answer or singular “correct” approach. Our goal is to help customers understand their cyber risk and the best place to start is with understanding people and the human factor.

Proofpoint Nexus People Risk Explorer has the benefits of cyber risk quantification (CRQ) in mind. There are several factors that we have accounted for as we consider our customer needs and technology strategy:

1 Human-centric approach using integrated systems and data: Proofpoint presents a human-centric view of cyber risk by reporting on incidents, threats, behaviors, and other telemetry across an organization’s security infrastructure. We assess risk by looking at:

Vulnerability: The likelihood of users becoming victims based on how they behave or interact with threats.
Attacks: The probability of users being targeted by cyber attackers or receiving severe threats.
Privilege: The impact of the damage to the organization that a successful attack would cause (if they’re an administrator of critical infrastructure or systems).

Just as people are unique, so is their value to cyber attackers-and risk to employers. They have distinct vulnerabilities, digital habits and weak spots. They're attacked in diverse ways and with varying frequency. And they have different levels of access privileges to data, systems and resources. These intertwined factors determine a user's overall risk.

2. Relative industry and organizational benchmarks:
Nexus People Risk Explorer provides a range of risk scores using statistical modeling techniques to generate risk exposure probabilities and machine learning techniques using big data to determine on-demand or daily calculations of risk. Proofpoint’s data set is one of the most comprehensive in the security industry, including 2.8 trillion emails, 1.7 trillion URLs, 1.3 trillion SMS/MMS scanned per year, and 46 million end users protected and monitored for DLP activity. Risk scores can be compared by user, department, industry, or even custom groups.

3. Adjust or customize the risk model according to organizational risk tolerance and security culture:

Just because security controls exist in the arsenal, that does not mean there is proper risk mitigation or use of those controls. Knowing when to apply the right control in the right circumstance is the fundamental tension of every cyber program. To address that, custom controls include adjustable risk thresholds to help highlight and prioritize the areas that matter most to the organization. Likewise, we integrate security awareness and click-rate metrics that reflect the company’s security culture.

As technology advances, the interplay between humans and digital systems will continue to evolve. Advancements in artificial intelligence and behavioral analytics will evolve trending cyber threats as well as aid in fortifying defenses. However, the human factor will remain a constant factor for consideration – including and beyond security awareness. While no system can be entirely foolproof, managing the human element in cyber risk is crucial to creating a more resilient workforce to break the attack chain.

FIND OUT MORE

Watch our video demo of Proofpoint Nexus People Risk Explorer

Watch now

_{^{Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/ or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.}}
_⁽¹⁾_{^{gartner.com/en/publications/benchmarking-cyber-risk-quantification}}