Cyber Risk Modeling


Cyber Risk Quantification for insurance and underwriting transactions

Use a four-step process to evaluate risk:

  1. Leverage – Leverage responses to the NIST Cybersecurity Framework (CSF) questionnaire.
  2. Evaluate – Use the online NIST self-evaluation (only), and/or a deeper Cyber Readiness Evaluation (CRE), at a level matching the organisation’s needs.
  3. Measure – Test to measure scenario-based impacts, measure mitigation options and their ROI, and measure the overall cyber risk profile.
  4. Inform – Define an appropriate risk strategy, fill gaps with potential solutions, and optimise insurance pricing, coverage, limits, and deductibles/SIRs (self-insured retentions). This helps CISOs select and build the business case for security and resiliency investments.

Leverage Information + Evaluate Risks + Measure Exposure = Inform Strategies & Solutions

The NIST Cybersecurity Framework (NIST CSF)

The Framework consists of three parts: the Core; Implementation Tiers; the Profile.

  1. The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, divided into five functions:
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  2. The Implementation Tiers provide context on how you view cybersecurity risk and your processes currently in place to manage risk.
  3. The Framework Profile aligns your cybersecurity activities with business requirements, risk tolerances, and resources; it enables you to
    • Describe your current and target cybersecurity postures
    • Identify and prioritize opportunities for improvement
    • Evaluate your progress toward your target state.

In responding to the Framework Core questionnaire, large (more than $1 billion annual revenue) enterprises currently only average about 1.5 out of a possible 4 (a poor rating). Protection, detection, and recovery get the most attention. Response often gets less. Identify is often the weakest part.

Cyber Readiness Evaluation (CRE) Components

  • NIST CSF Evaluation
  • Cyber Vulnerability Evaluation
  • Cyber Compromise Evaluation (current or historical)
  • Cyber Threat Management Exercise
  • Cyber Attack & Response (Pen Testing)
  • Internal and External Threat Actor Profiling

Regulators coming into a business are still learning about cyber. They may operate more from playbooks than skillsets, running standard checks. An organisation may need to explain the criticality of cyber to its regulators.

Framework Implementation Tiers Scoring and Gap Prioritization

  • Tier 1 – Partial: cybersecurity risk management practices are either not formulated or are ad-hoc
  • Tier 2 – Risk Informed: cybersecurity risk management practices are not organization-wide
  • Tier 3 – Repeatable: there is an organization-wide management of cybersecurity risk
  • Tier 4 – Adaptive: cybersecurity risk management is part of the organizational culture

Monte Carlo Simulation Overview

  • Use Monte Carlo if historical data is insufficient or non-existent (making regression analysis impossible).
  • Modelling a real system to learn about its behavior
  • Building a set of mathematical and logical relationships
  • Establishing and varying conditions to test different scenarios

Monte Carlo in practice

  • Random Number Generation: simulates the uncertainty in the assumptions
  • The program selects a value for each assumption, recalculates the spreadsheet, plots the forecast, and repeats
  • Application of the Model: build frequency and severity distributions for each selected Cyber Risk Factor (e.g., Access Control, Protective Technology)
  • The model simulates different loss outcomes and applies correlation and aggregate views to link the results
  • This then provides an overall loss distribution along with a view of the variability around the mean (average) estimate.

Conduct Simulated Cyber Loss Scenarios

  • Total potential losses with no insurance
  • Total potential losses after insurance
  • Total potential losses beyond $50,000 deductible
  • Total potential losses using recommended security solution, such as 2FA
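The following Python program is an added example, not code from the session or from Yvette Connor’s presentation. It implements the simulation that the two lists above describe: a Poisson frequency and a lognormal severity distribution per Cyber Risk Factor, a common annual multiplier that correlates the factors, and an aggregate annual loss distribution that is then viewed with no insurance, after insurance, beyond the deductible, and with 2FA applied as a mitigation. The $50,000 deductible comes from the scenario list; the two risk factors, their rates and severity parameters, the $2,000,000 limit, the 60% frequency reduction attributed to 2FA, and the correlation strength are all constructed assumptions chosen for illustration.

```python
"""Monte Carlo cyber loss simulation.

Added illustrative example; not code from the session or the presenter.
Each Cyber Risk Factor carries a frequency distribution (Poisson events per
year) and a severity distribution (lognormal loss per event).  Many simulated
years are drawn, a common annual "threat climate" shock correlates the factors,
and the resulting gross loss distribution is then viewed with no insurance,
after insurance, beyond the deductible, and with a mitigation (2FA) applied.
Every numeric parameter below is a constructed assumption.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFactor:
    name: str
    annual_rate: float      # expected events per year (Poisson mean)
    severity_median: float  # median loss per event, in dollars
    severity_sigma: float   # lognormal sigma: spread of loss per event


# Constructed illustrative factors (not calibrated to any real data).
RISK_FACTORS = (
    RiskFactor("Access Control", annual_rate=0.8, severity_median=80_000, severity_sigma=1.0),
    RiskFactor("Protective Technology", annual_rate=0.3, severity_median=200_000, severity_sigma=1.2),
)

# Assumed effect of 2FA: cuts the frequency of Access Control events by 60%.
MITIGATION_2FA = {"Access Control": 0.60}


def poisson(rng, lam):
    """Draw a Poisson(lam) count with Knuth's method (fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_year(rng, factors, mitigation=None, shock_sigma=0.3):
    """Gross loss for one simulated year, summed over all risk factors.

    A single lognormal multiplier scales every factor's event rate, so a bad
    year is bad across factors (a simple way to inject positive correlation).
    """
    climate = rng.lognormvariate(0.0, shock_sigma)
    total = 0.0
    for factor in factors:
        rate = factor.annual_rate * climate
        if mitigation and factor.name in mitigation:
            rate *= 1.0 - mitigation[factor.name]
        mu = math.log(factor.severity_median)
        for _ in range(poisson(rng, rate)):
            total += rng.lognormvariate(mu, factor.severity_sigma)
    return total


def apply_insurance(gross_loss, deductible, limit):
    """Return the loss the organisation retains under a deductible and a limit."""
    insured = min(max(gross_loss - deductible, 0.0), limit)
    return gross_loss - insured


def summarize(losses):
    """Mean plus tail percentiles of a list of simulated annual losses."""
    ordered = sorted(losses)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p50": pct(0.50),
            "p95": pct(0.95), "p99": pct(0.99)}


def scenario_table(factors=RISK_FACTORS, deductible=50_000.0, limit=2_000_000.0,
                   trials=20_000, seed=7):
    """Run the four loss scenarios from the session notes on the same seed."""
    rng = random.Random(seed)
    gross = [simulate_year(rng, factors) for _ in range(trials)]
    rng = random.Random(seed)
    with_2fa = [simulate_year(rng, factors, MITIGATION_2FA) for _ in range(trials)]
    return {
        "no_insurance": summarize(gross),
        "after_insurance": summarize([apply_insurance(g, deductible, limit) for g in gross]),
        "beyond_deductible": summarize([max(g - deductible, 0.0) for g in gross]),
        "with_2fa_no_insurance": summarize(with_2fa),
    }


if __name__ == "__main__":
    for name, stats in scenario_table().items():
        print(f"{name:24s}", "  ".join(f"{k}=${v:,.0f}" for k, v in stats.items()))
```

Running the script prints the mean, median, 95th and 99th percentile annual loss for each scenario. The spread between the mean and the p99 column is the variability around the mean estimate that the notes mention, and the gap between the no-insurance and with-2FA rows is the kind of mitigation ROI figure the Measure step is meant to produce. Replacing the constructed factors with ones calibrated from an organisation’s own CSF responses is the part of the method this example does not attempt.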

For Future Consideration: Updating and Extending Analysis

  • Determine an acceptable risk tolerance level
  • Select Operating Margin or Net Income (vs. Revenue) as a basis for analysis
  • Update analysis on an annual basis
  • Add new inputs, looking at the effects of other operational changes
  • Add new external data about different insurance coverage options available in the market


Additional/External References

  • PowerPoint/PDF presentation by Yvette Connor (URL is TBD; see the separate file owasp_cyber_risk_quantification_2018.pdf)

Session organiser(s)

Yvette Connor

Tony Richards, Goher Mohammad, Naushad S, Orid Ahmed, Peter Turczak, Radu Tighineanu, Vasil Buraliev, Abdullah Garcia, Abhi Raj, Andrew Martin, Guy Jarvis
