There is a lot of ambiguity when it comes to assessing cybersecurity risk, starting from the probability of a breach, and ending with the estimation of the impact. It’s helpful to break down these items and then work to quantify the ranges for each of them with data specific to your business.

When assessing cybersecurity risk, we follow a proven methodology that starts with estimating the likelihood that an organization will experience a breach or a successful attack. A successful breach requires an existing vulnerability in that a threat (or bad actor) can find and exploit.

However, it is also important to estimate the value of the underlying asset that is being protected. What is the cost of that asset being compromised? And accordingly, is the value of the additional investments required in cyber defenses justified?

Below are some basic concepts that are covered during a cybersecurity risk assessment:

Software vulnerabilities are the inherent weaknesses of the technological platform that makes it susceptible to a successful attack.

Software vulnerabilities are growing at an alarming rate as we produce more software and reuse components or services that contain unknown vulnerabilities. Today’s top 10 Independent Software Vendors (ISVs) have more than 10,000 active critical vulnerabilities (level 8-10) and continue to grow each year with another 1,600 levels 8-10 discovered last year.

OWASP defines the following parameters to estimate the exposure to vulnerability:

• Ease of Discovery: How easy is it for this group of threat actors to discover this vulnerability?
• Easy to exploit: How easy is it for this group of threat actors to exploit this vulnerability?
• Awareness: How well known is this vulnerability to this group of threat actors?
• Intrusion detection: How likely is it that an exploit will be detected?

The organization’s position regarding compliance as well as the consequences of not complying is an additional dimension that has to be considered when assessing risk. Cybersecurity regulations are becoming more stringent, however, there is still debate on the level of compliance that organizations should adhere to which adds the additional risk of possible litigations in case of a breach.

When viewed in isolation, cybersecurity governance, risk, and compliance can be considered as separate functions, however, when taking a holistic view of these critical components, the interdependency between them becomes obvious.

When a threat affects the technological platform, when a vulnerability is exploited, or when a consequence for non-compliance materializes, this is when the risk materializes, and business is impacted.

If your company is embracing technology in its value chain, the value of such assets can approach the value of the entire company. The cost of downtime or a data breach increases every day as you expand your digital presence with your customers, partners, and employees. The primary costs of a breach are:

• Financial damage
• Reputation damage
• Breach of privacy

These are some of the industry standard numbers to help you estimate your risks based on the average cost of a breach.

• At least 1 in 3 companies experiences a significant security incident every year.
• For the mid-market, the average cost of a breach is around $400 to $700 per endpoint or $141 per customer record.
• For larger companies, it is estimated that the cost of a breach to be around $4 million which is also estimated to increase by 10% year-on-year.

But how do you scale a GRC system and make sure it is integrated into your organization?