
Contextualize Quantified Cyber Risk With A Risk Appetite Statement


Now more than ever, CISOs are being tasked with delivering hard metrics around an enterprise’s technology and digital risk. While this is nothing new for seasoned information security professionals, the challenge lies in providing these metrics in a way that is applicable and meaningful to the rest of the C-suite, the CEO, and the Board. The first step in this process is contextualizing the risk data you generate by understanding where it fits within the enterprise’s overall risk levels. This contextualization begins with a risk appetite statement.

Brief Overview of Risk Appetite Statements

Risk appetite statements are nothing new. As more enterprise organizations have recognized the diversifying forms of risk they face (financial, operational, etc.), they have come to realize they need a documented method for the whole organization to understand how to make decisions about new risks. Risk appetite statements are most commonly used in financial institutions, but they are starting to appear in other industries as well. We can define a risk appetite statement as a statement of the risk tolerance that the organization as a whole is willing to shoulder to achieve business success.

Cyber Risk Is The Newest Addition

While business leaders are well adjusted to managing risks in the physical realm, cyber risk is a whole new world. Although we are only starting to see more data supporting cyber risk, the lack of historical data cannot keep organizations from adding those digital risks into the mix. However, this lack of historical data on cybersecurity risk, combined with a more significant lack of understanding of cybersecurity in general, has left many organizations’ approach to cyber risk siloed within IT.

What organizations are challenged with now is to embrace cyber risk quantification and embed it into their cyber risk appetite model (and overall risk appetite), or face the same fates as Equifax or Wells Fargo.

Rolling Cyber Risk Into Your Risk Appetite Statement Enhances Risk Quantification

From a management standpoint, directly reporting cyber metrics with no context further distances information security from the business side of the organization. The metrics that technical leaders use to measure the cybersecurity health and posture of an organization simply do not transfer to business-side conversations. Gartner reports that, of the board members surveyed, 80% rated "risk posture" as the most important metric for reporting, while less than 20% of CISOs thought the same.

Technical leaders are often tempted to get lost in the weeds: to spend time on details and deliver information that does not fit into the context of what senior management and the Board are looking for. For business-side leaders and CISOs alike, integrating cyber risk into an enterprise risk appetite statement creates a single source of truth through which both parties know what the other expects of them.

Sample risk appetite statements and why they work for cyber

From Gartner - National Bank

<The Bank> faces a broad range of risks in its responsibilities as a central bank. Acceptance of some risk is often necessary to foster innovation and efficiencies within business practices. The risks arising from our policy responsibilities can be significant. These are managed through processes emphasizing the importance of integrity, maintaining quality staff and public accountability.

<The Bank> is also exposed to some significant financial risks, mainly due to it holding foreign exchange reserves. In terms of operational risks, we have a low appetite for risk and make resources available to control operational risks to acceptable levels. <The Bank> recognizes that it is not possible or necessarily desirable to eliminate some of the risks inherent in its activities.

Why it works

This model risk statement gives insight into the enterprise organization’s risk approach as a whole. Specifically, the statement highlights critical risks that must be accepted in order to participate in the industry. As we all know, there are specific risks to specific sectors. Cybersecurity risk, however, is the glue that ties many organizations together: all organizations are reaching the point of accepting more cyber risk. For CISOs, a statement like this helps them and their teams understand where resources need to go, based both on the organization’s high-level priorities and on those specific to cyber risk.

From Gartner: Local Credit Union

The organization has a tolerance for risk, allowing it to achieve its business objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates.

The organization has a low risk appetite for the loss of its business and customer data. The organization has a medium risk appetite for physical information security assets and will track assets greater than US$2,000. Information assets will be protected per the organization's data classification framework. The organization has a high risk appetite for access controls. All access to the organization's mission-critical systems will be controlled via biometric authentication.

Why it works

This sample statement further hammers home the importance of certain risks over others. It gives the whole organization insight into what the teams shouldering this risk need to prioritize for the enterprise to function. Statements like these contextualize specific risks within the risk landscape as a whole for any given team, in our case security risk and cyber risk management teams.

Cyber Risk Appetite Statement Example

Using the previous examples as a model, we can take the following as a template for a cyber risk appetite statement:

The organization has a tolerance for risk, allowing it to achieve its business goals and objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates. The organization has a [low/medium/high] appetite for the loss or breach of its business and customer data in pursuit of its goals. The organization has a [low/medium/high] risk appetite for physical information security assets and will track assets greater than [dollar amount]. Information assets will be protected per the organization’s data classification framework [use examples if you wish]. The organization has a [low/medium/high] risk appetite for access controls. All access to the organization’s mission-critical systems will be controlled via [2FA/MFA/biometric].

CISOs Must Contribute To An Enterprise Risk Appetite Statement

Turning a blind eye to cyber risk, as we’ve seen, is no longer an option. Whether the organization already has a general risk appetite statement or it is still undefined, CISOs need to be actively involved in developing and iterating on that statement, helping shape their own cybersecurity risk appetite statement and refocusing their security teams around risk-based thinking. Using the appropriate risk assessment framework and risk assessment tool to understand where your organization stands in terms of risk, and where it needs to go to fit that risk appetite statement, is critical.
