We live in a time when it's rare for a month to go by without another major data breach in the news. Most readers will be familiar with the highly publicized cyberattacks in recent years at Target, Sony, JPMorgan Chase, the CIA, and Bangladesh Bank, to name a few.
Cyber threats grow with the rapid expansion of data-driven technologies. The convergence of web, cloud, social, mobile, and the Internet-of-things platforms is inherently oriented not to security but to sharing data. As these technologies expand in use, so do the risks, making cyber risk management imperative for organizations today.
In their rush to use big data for driving business forward, however, organizations all too often neglect data security. This article focuses on the quantification of cybersecurity risk.1
The cost of data breaches continues to rise, having increased 54% in the past decade. Average cost per compromised record was $138 in 2006, reaching $217 in 2015.2 Meanwhile, the number of compromised consumer records continues to grow: 48 million in 2013, 67 million in 2014, and 121 million in 2015.3
According to a 2016 study by the Center for Strategic and International Studies, the annual cost of cybercrime to the world economy runs as high as $445 billion, or almost 1% of global income. This does not include the intangible costs to organizations, such as damage to brand and reputation. Detection and recovery costs combined account for 53% of the total cost, mostly due to productivity loss and the direct labor required. Business disruption accounts for about 39% of the total cost.
While the cybersecurity threat exists for all organizations, this article will focus on financial institutions. For cyber criminals, financial institutions are highly desirable targets given their centralized holdings of data, which can be easily monetized.
Toward Quantification of Cyber Risk
At World Economic Forum meetings over the last three years, business and government leaders have consistently talked about a cyber-resilience initiative. In 2015, the initiative called for ways to model and quantify the impact and risk of cyber threats. Indeed, for organizations and industry stakeholders to make sound investment and risk-mitigation decisions, they need to be able to quantify cyber risk. Organizations can achieve this by using a threefold approach:
* Understand the key cyber risk drivers...