Quantifying cyber risk remains the central unsolved problem of cyber risk management: it hinders the optimisation of resources for cyber risk management, impedes coherent measurement of risk performance, and blocks the integration of cyber risk management into Enterprise Risk Management.
In principle, quantifying cyber risk requires estimating both the magnitude of the loss from a cyber breach and the probability that such a loss occurs (Knight, 1921; Freund and Jones, 2014; Hubbard and Seiersen, 2016; Boehm et al., 2019). Anecdotal evidence and professional publications suggest that organisations struggle with both estimates and generally fall back on a qualitative risk assessment.
Cyber risk is a subcategory of operational risk, which has been notoriously difficult to measure and manage because loss events are rare, threat types are varied and novel, and data about the impact of prior cyber attacks, whether on the organisation itself or on others, is scarce. Although a large body of practitioner guidance (e.g., Freund and Jones, 2014; Hubbard and Seiersen, 2016; ACCA et al., 2018), international cybersecurity frameworks and standards (e.g., COBIT, NIST CSF, ISO/IEC 27005), and academic operational-risk quantification models (e.g., Facchinetti et al., 2019; Mukhopadhyay et al., 2013) exist on how to assess cyber risk, they are remarkably high level and leave much to discretion, so organisations are left to work out the details for themselves.
The recommended approaches range from assessing cyber risk qualitatively with scales such as ‘green’, ‘amber’ or ‘red’ and mapping them onto impact-probability risk matrices, to Monte Carlo simulation of estimated distributions of impact and probability (with, however, little clear guidance on how to obtain reliable inputs).
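To make the Monte Carlo end of that spectrum concrete, the following is an added worked example written for this page; it is not code from the original page or from any of the works cited. It follows the general shape of the simulation approaches those works describe: each scenario is reduced to a loss event frequency (expected events per year, used as a Poisson rate) and a 90% confidence interval on the loss from a single event, which is converted into a lognormal distribution; repeated trials then yield an expected annual loss and a loss exceedance curve. The scenario names, frequencies and pound/dollar figures are constructed for illustration only, and the example deliberately does not address the harder question the text raises, namely where reliable inputs come from.

```python
"""Monte Carlo estimate of annualised cyber loss exposure (added example).

Each scenario carries the two inputs an analyst has to estimate:
  * lef: loss event frequency, the expected number of loss events per
    year, used here as the rate of a Poisson distribution;
  * lower_90 / upper_90: a 90% confidence interval for the loss from one
    event, modelled as a lognormal distribution.
All scenario values below are constructed for illustration, not real data.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z_90 = 1.6448536269514722  # z-score bounding a two-sided 90% interval


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: float        # expected loss events per year (constructed)
    lower_90: float   # 5th percentile of per-event loss (constructed)
    upper_90: float   # 95th percentile of per-event loss (constructed)


def lognormal_params(lower_90: float, upper_90: float) -> tuple[float, float]:
    """Convert a 90% CI on loss magnitude into lognormal (mu, sigma).

    ln(loss) is normal, and its 5th/95th percentiles are ln(lower)/ln(upper),
    so mu is their midpoint and sigma is their half-width divided by z_0.95.
    """
    if not 0 < lower_90 < upper_90:
        raise ValueError("need 0 < lower_90 < upper_90")
    lo, hi = math.log(lower_90), math.log(upper_90)
    return (lo + hi) / 2, (hi - lo) / (2 * Z_90)


def poisson(rng: random.Random, lam: float) -> int:
    """Sample an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenarios, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated total annual loss per trial, summed over all scenarios."""
    rng = random.Random(seed)
    params = {s.name: lognormal_params(s.lower_90, s.upper_90) for s in scenarios}
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            mu, sigma = params[s.name]
            for _ in range(poisson(rng, s.lef)):       # number of events this year
                total += rng.lognormvariate(mu, sigma)  # loss from each event
        losses.append(total)
    return losses


def exceedance_probability(losses, threshold: float) -> float:
    """P(annual loss >= threshold): one point on a loss exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def summarise(losses) -> dict:
    """Expected annual loss plus the tail figures a risk committee usually asks for."""
    pct = statistics.quantiles(losses, n=100)  # pct[i-1] is the i-th percentile
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p95": pct[94],
        "p99": pct[98],
    }


# Constructed illustrative scenarios; the figures are not drawn from any real dataset.
SCENARIOS = [
    Scenario("ransomware outage", lef=0.3, lower_90=200_000, upper_90=5_000_000),
    Scenario("customer data breach", lef=0.1, lower_90=500_000, upper_90=20_000_000),
    Scenario("business email compromise", lef=1.5, lower_90=10_000, upper_90=250_000),
]

if __name__ == "__main__":
    annual = simulate_annual_loss(SCENARIOS)
    for key, value in summarise(annual).items():
        print(f"{key:>22}: {value:>14,.0f}")
    for t in (1_000_000, 5_000_000, 20_000_000):
        print(f"P(annual loss >= {t:>12,}) = {exceedance_probability(annual, t):.3f}")
```

Two points worth noticing when running it. First, the expected annual loss is dominated by the tail of the lognormal, so a wide confidence interval on a rare scenario moves the mean far more than a narrow one on a frequent scenario; this is exactly why the quality of the inputs, not the arithmetic, decides whether the output is credible. Second, the exceedance probabilities fall with the threshold but never reach zero in a heavy-tailed model, which is the property a traffic-light matrix cannot express.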
knowledge of quantitative research methods
background in information systems, accounting, maths, IT, engineering
Honours degree or equivalent (with some research method courses completed)