Quantifying CyberRisks- Solving the Riddle (per AT&T CyberSecurity Blog) March 11, 2021

Posted by Chris Mark in Uncategorized.

I recently published a new article on the AT&T CyberSecurity blog titled Quantifying CyberRisks- Solving the Riddle. Below is an excerpt. Click ‘read more’ to read the entire piece.

In the late 1990s and early 2000s, a concept that was bandied about was coined “Return on Security Investment,” or ROSI. Borrowing from the common business term Return on Investment (ROI), in which the return on a particular investment (capital investment, personnel, training, etc.) can be quantified, the cybersecurity industry attempted to quantify a return on security investment.

Fundamentally, the primary failing of this concept is that it is mathematically impossible (or approaches mathematical impossibility) to quantify an event “not occurring.” In short, if a company had “zero” security events that impacted it deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less, since there was no security event that caused a loss? If the company experienced an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident? It simply did not work, as it was mathematically flawed.

Fast forward to 2021, and companies are once again fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question is similar: “Can companies accurately quantify cybersecurity risks today?”

This is a complex question, but to attempt an answer it is first important to have a working definition of several terms.

Risk is an artificial construct that can be expressed as a function of the likelihood of an adverse event occurring (often given as a statistical probability) and the impact should the event be realized (in business, and for the purposes of this article, impact is expressed in monetary terms). In short, R = f(P, I). Click Here to Read More!
